Looking to help cut the risk of software supply chain vulnerabilities in open source software, Google says it will release its own packages and libraries of vetted open source for other organizations to use.
The company made the announcement in its Google Cloud blog, saying that its new Assured Open Source Software service (Assured OSS) will enable enterprise and public sector users to incorporate the same open source software packages that Google uses in their own developer workflows.
The new cloud service from Google, due in a preview version in Q3 2022, comes amid a huge increase in cyber attacks targeting open source, with recent examples including the attacks exploiting the Log4j2 vulnerability in that open source, Java-based logging framework that is common on Apache web servers. But that’s not the only one. Software supply chain management vendor Sonatype said in its State of the Software Supply Chain Report that cyber attacks aimed at open source suppliers increased by 650% year-over-year in 2021.
What’s more, enterprise organizations today are increasingly using open source software, a trend that accelerated during the pandemic, according to Red Hat’s State of Enterprise Open Source Report 2022 and a blog post by Red Hat president and CEO Paul Cormier. Indeed, the survey found that 80% of IT leaders expect to increase their use of enterprise open source software for emerging technologies.
Google’s certainly not alone in its effort to address open source vulnerabilities. The Linux Foundation and the Open Source Security Foundation (OpenSSF), with support from 37 companies including Amazon, Google and Microsoft, recently released a plan for securing open source software.
Google’s Assured OSS
In its blog announcing the release of Assured OSS, group product manager for security and privacy Andy Chang wrote, “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source ecosystem more secure through efforts including the Open Source Security Foundation (OpenSSF), Open Source Vulnerabilities (OSV) database, and OSS-Fuzz.”
Chang noted that Google’s release of Assured OSS followed other open source security initiatives that the company discussed at a January White House Summit on Open Source Security.
“Open source software code is available to the public, free for anyone to use, modify, or inspect,” Google and parent company Alphabet President of Global Affairs Kent Walker wrote in a blog post in January. “Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it.”
But there can be issues with that approach, too, as Walker noted.
“There’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code,” he wrote. “In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”
That opens up a big area of concern about the introduction of vulnerabilities that could be exploited. While some open source projects have “many eyes” working on them and looking for issues, some projects don’t, Walker noted.
In conjunction with its Assured OSS announcement, Google Cloud also announced a collaboration with Snyk, a developer security platform. Google said that Assured OSS will be natively integrated into Snyk solutions for joint customers to use when developing code. In addition, Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within Google Cloud security and software development life cycle tools to enhance the developer experience, according to Google.
The collaboration addresses one of the major concerns that surfaced during the White House meeting in January: preventing security defects and vulnerabilities in code and open source packages, improving the process for finding and fixing defects, and shortening the response time for distributing and implementing fixes.