Highlights:

  • According to Google, the Assured OSS collection includes the most well-known Python and Java packages and popular artificial intelligence and machine learning tools.
  • Google states it garnered an immensely positive response after releasing Assured OSS for public access the last year.

Google Cloud is making its Assured Open Source Software service generally available for Java and Python ecosystems to help enhance the security of the most popular open-source software.

Assured OSS, which was just announced and is free for consumers to use, enables organizations to utilize the same OSS packages that Google utilizes in its own developer workflows. Users can get extra security precautions that Google offers with those packages, enhancing their own security.

Given that the bulk of software programs and services in use today are based on open-source software, it might be an appealing offer. Even proprietary software applications rely on various open-source parts, but the security of these offerings from the community raises serious concerns. 17% of all security incidents in 2022 began with an attack on the open-source software supply chain, per the Mandiant M-Trends report. If hackers discover a flaw in an open-source component, it could be exploited by any application that employs it.

According to Google, organizations will gain a more secure open-source software supply chain by relying on Google’s comprehensive library of Assured OSS packages. With an Assured Software Bill of Materials offered in forms compliant with industry standards, they will better comprehend the components of the packages they employ. Because Google is continuously scanning and patching the components they utilize for vulnerabilities, their overall risk will also be decreased.

According to Google, the Assured OSS collection includes the most well-known Python and Java packages and popular artificial intelligence and machine learning tools such as TensorFlow, Pandas, and Scikit-Learn. The OSS packages are routinely scanned, analyzed, and fuzz-tested for vulnerabilities, are verifiably signed by Google, and are distributed from a company-protected artifact registry. According to Google, Assured OSS has already demonstrated its value: it was the first to identify and resolve 48 percent of all newly discovered vulnerabilities in the first 250 Java applications it offered through the program.

Holger Mueller at Constellation Research Inc. noted that practically all modern software is written with open-source components, and that this open format exposes it to all types of risk. “For many enterprises, checking software for bugs and vulnerabilities is an arduous and sometimes even impossible task. So it’s great to see that Google is letting others benefit from its own checks and due diligence,” Mueller added.

Google states it garnered an immensely positive response after releasing Assured OSS for public access last year. Tech Fellow and N.A. Managing Director of Citibank, Jon Meadows, mentioned that his company has been among the earliest adopters of this initiative. “Both Citi and Google see untrusted and unverified open source dependencies as a key risk vector. Assured OSS can help reduce risk and protect open-source software components commonly used by enterprises like us,” he added.

Organizations that want to begin using Assured OSS can use this self-service onboarding form. Then, they can attach the Assured OSS packages to their software development infrastructure in any desired environment, such as Artifact Registry, Artifactory, Nexus, and others.

Melinda Marks, an ESG analyst, stated that a reliable, secure open-source package is crucial for companies with fast-moving development cycles. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to protect their business applications better,” she added.