Google Cloud to offer vetted open-source software to organisations

18 May 2022


In light of recent software supply chain vulnerabilities such as Log4Shell, Google is launching its Assured Open Source Software service later this year.

Google Cloud is launching a new service that will provide enterprises and governments with vetted open-source software in a bid to minimise cybersecurity risks.

Announced at the Google Security Summit yesterday (17 May), the Assured Open Source Software (OSS) initiative will help organisations strengthen their open-source software and easily incorporate the same open-source packages that Google uses into their own developer workflows.

Recent cybersecurity threats such as the Log4Shell flaw that emerged last December have sparked interest in public-private partnerships and other initiatives to secure the open-source software supply chain.

Google’s latest announcement follows a White House summit in January where it met with other major US tech companies active in the open-source space to discuss ways to boost security in light of recent vulnerabilities.

Security threats stemming from open-source software are not a new phenomenon. The Heartbleed bug revealed in 2014, a serious memory-disclosure flaw in the OpenSSL cryptographic library that underpins TLS on much of the web, was one of the first major security threats in the space. It was believed at the time that as much as 17pc of secure web servers could be vulnerable.

How does Google’s new service work?

Andrew Chang, group product manager of security and privacy at Google Cloud, said in a blog published yesterday that packages curated by the new Assured OSS service are regularly scanned, analysed and fuzz-tested (an automated testing technique that feeds malformed or random inputs to a program to surface crashes and memory-safety bugs) for vulnerabilities.

“We recognise that most organisations do not have the resources or experience to construct and operate such a comprehensive program,” he said.

“Assured OSS lets organisations benefit from Google’s extensive security experience and can reduce their need to develop, maintain and operate complex processes to secure their open-source dependencies.”

All packages curated by Assured OSS are built with Cloud Build, Google Cloud's managed continuous-integration build service, and include evidence of compliance with SLSA (Supply-chain Levels for Software Artifacts), an end-to-end framework for ensuring integrity throughout the software supply chain. In practice that evidence takes the form of build provenance: a signed record of which builder produced an artifact, from which sources, so that a consumer can check that what it downloaded is what the trusted builder actually produced.
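What a consumer does with that provenance is the part the article leaves implicit. The following is an added example, not code from the article or from Google's Assured OSS service, showing the two checks a practitioner would run before consuming a package: that the artifact's SHA-256 matches a subject listed in the provenance statement, and that the builder that produced it is one the organisation trusts. The statement follows the in-toto Statement / SLSA provenance v0.2 layout, but the artifact bytes, package name, builder ID (`https://builder.example/hosted`) and materials are constructed placeholders, not real Assured OSS data. Verifying the DSSE envelope signature that wraps a real provenance statement is a prerequisite step that this example deliberately omits.

```python
import hashlib
import json

# Constructed sample artifact; in practice this is the downloaded package file.
ARTIFACT_BYTES = b"example package contents v1.0.0\n"

# Constructed in-toto Statement carrying SLSA v0.2 provenance for that artifact.
# The builder ID and materials are placeholders, not a real Assured OSS record.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {
            "name": "example-pkg-1.0.0.tar.gz",
            "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()},
        }
    ],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://builder.example/hosted"},  # placeholder builder ID
        "buildType": "https://builder.example/build-type/v1",  # placeholder
        "materials": [
            {
                "uri": "git+https://git.example/pkg@refs/tags/v1.0.0",  # placeholder
                "digest": {"sha1": "0" * 40},
            }
        ],
    },
}

# Builders whose provenance this organisation is willing to act on.
TRUSTED_BUILDERS = {"https://builder.example/hosted"}


def verify_provenance(artifact, statement, trusted_builders):
    """Return (ok, reason). A real pipeline verifies the DSSE signature over
    the statement first; this function assumes that has already been done."""
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False, "unexpected statement type"
    if not str(statement.get("predicateType", "")).startswith(
        "https://slsa.dev/provenance/"
    ):
        return False, "not a SLSA provenance predicate"

    # Check 1: the bytes we hold must be one of the statement's subjects.
    actual = hashlib.sha256(artifact).hexdigest()
    listed = {
        s.get("digest", {}).get("sha256", "").lower()
        for s in statement.get("subject", [])
    }
    if actual not in listed:
        return False, "artifact digest not among provenance subjects"

    # Check 2: the producing builder must be on the allowlist; a valid
    # statement from an unknown builder proves nothing about the artifact.
    builder_id = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        return False, "untrusted builder: %r" % (builder_id,)

    return True, "ok"


def verify_from_json(artifact, statement_json, trusted_builders):
    """Convenience wrapper for a statement stored on disk as JSON text."""
    return verify_provenance(artifact, json.loads(statement_json), trusted_builders)


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT_BYTES, PROVENANCE, TRUSTED_BUILDERS))
    # A single flipped byte in the download fails the digest check.
    print(verify_provenance(ARTIFACT_BYTES + b"x", PROVENANCE, TRUSTED_BUILDERS))
    # A genuine-looking statement from a builder we do not trust also fails.
    print(verify_provenance(ARTIFACT_BYTES, PROVENANCE, {"https://other.example"}))
```

The allowlist is what turns provenance into a policy: the digest check proves the statement is about these bytes, and the builder check proves the statement came from a build system whose controls (source integrity, isolated workers, no manual edits) you have actually decided to rely on.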

Chang added that Google continually fuzz-tests 550 of the most used open-source projects through its OSS-Fuzz service. As of January, it had found more than 36,000 vulnerabilities, making Google one of the largest contributors to the Open Source Vulnerabilities (OSV) database.

Google Cloud enterprise customers will also be able to submit packages from their own OSS portfolio to be secured and managed through Assured OSS.

The new Google Cloud managed service is expected to enter preview stage in the third quarter of 2022.


Vish Gain is a journalist with Silicon Republic
