
According to a 2023 study by Synopsys, 84% of open source codebases contain at least one known vulnerability, and 48% contained a high-risk vulnerability.
Google launched Assured OSS in May 2022 as a response to the rapid growth in cyberattacks aimed at open source suppliers. According to industry sources, a 650% surge in software supply chain attacks took place in 2021, when the use of Open Source Software increased dramatically. Google positioned itself as a "long time contributor, maintainer, user of open source software" and has "developed a robust set of technology, processes, security capabilities and controls" to protect the integrity of OSS.
OSS proliferation, increasing reliance on microservices and cloud data services, the multilayered nature of cyberattacks and gaps in standardization are just some of the reasons that have made Open Source Software a ripe target for cyberattacks. In response to these threats, Google Cloud will be making its Assured Open Source Software service for the Java and Python ecosystems available at no cost. Assured OSS gives organizations access to the same Google-vetted packages that Google uses in its own workflow.
This move comes on the back of Google's decision to offer its Project Shield DDoS defense to government sites, news outlets, and independent journalists in response to the rise in politically motivated DDoS attacks.
Google's Assured OSS environment regularly scans, analyses and fuzz tests (feeding invalid, random or unexpected input to expose irregular behaviour) code packages to identify vulnerabilities. Each package also ships with enriched metadata that incorporates Container/Artifact analysis data. This gives developers access to details about code dependencies, licensing and other attributes that are useful for understanding a package's contents and how it relates to other software components in a larger system. The same enriched metadata can also be used to identify security vulnerabilities in code.
Google also verifiably signs these packages, which are distributed from an artifact registry secured and protected by Google, adding another layer of security and trust to the dependencies in use. Securing a codebase means addressing potential points of entry for attackers, and also identifying unexpected weaknesses.
Google's Assured OSS program provides organizations with a trusted source for open source software (OSS) packages, including a software bill of materials (SBOM) that details each package's contents. The program focuses specifically on 1,000 Java and Python packages and aims to simplify the process of securing OSS for DevOps teams by reducing the need for them to establish their own security workflows.
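The two preceding paragraphs describe what a consumer actually gets from a trusted registry: a package digest, an SBOM listing its dependencies, and a signature from the registry over that metadata. The Go program below is an added illustration of how a build pipeline would check those three things before installing anything; it is not Google's code and does not use the Assured OSS metadata format. The `Attestation` struct, the key pair, the package bytes and the dependency list are all constructed for the example, and Ed25519 from the Go standard library stands in for whatever signing scheme the registry uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Attestation is a simplified, constructed stand-in for the signed metadata a
// trusted registry publishes alongside a package. It is an illustration only,
// not the Assured OSS metadata format.
type Attestation struct {
	Name      string
	Version   string
	SHA256    string   // hex SHA-256 of the package bytes
	Deps      []string // direct dependencies, as an SBOM would list them
	Signature []byte   // Ed25519 signature over statement()
}

// statement is the canonical byte string that gets signed. Binding the
// dependency list into it means a tampered SBOM fails verification, not only
// a tampered archive.
func statement(name, version, digest string, deps []string) []byte {
	return []byte(name + "@" + version + "\n" + digest + "\n" + strings.Join(deps, ","))
}

// Sign plays the registry's role: hash the package, record its SBOM
// dependencies and sign the whole statement with the registry's private key.
func Sign(priv ed25519.PrivateKey, name, version string, pkg []byte, deps []string) Attestation {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Attestation{
		Name: name, Version: version, SHA256: digest, Deps: deps,
		Signature: ed25519.Sign(priv, statement(name, version, digest, deps)),
	}
}

// Verify plays the consumer's role before installing: the bytes actually
// downloaded must hash to the attested digest, and the attestation itself
// must carry a valid signature from the registry's pinned public key.
func Verify(pub ed25519.PublicKey, a Attestation, pkg []byte) error {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != a.SHA256 {
		return errors.New("package digest does not match attestation")
	}
	if !ed25519.Verify(pub, statement(a.Name, a.Version, a.SHA256, a.Deps), a.Signature) {
		return errors.New("attestation signature invalid")
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the registry's signing key; in
	// practice the consumer pins only the public half.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed package archive bytes")
	att := Sign(priv, "example-lib", "1.2.3", pkg, []string{"dep-a==2.0", "dep-b==0.9"})

	fmt.Println("genuine:", Verify(pub, att, pkg))

	// A modified archive: same attestation, different bytes.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 1
	fmt.Println("tampered archive:", Verify(pub, att, tampered))

	// A modified SBOM: an extra dependency slipped into the metadata.
	att.Deps = append(att.Deps, "injected-dep==1.0")
	fmt.Println("tampered SBOM:", Verify(pub, att, pkg))
}
```

The point of signing the digest together with the SBOM rather than the archive alone is that the dependency list is part of what a consumer relies on; a registry that only signed the tarball would leave the metadata free to be altered in transit.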
By using advanced security testing methods such as fuzz testing and metadata analysis, Google is able to provide assurance that the packages in the program have undergone rigorous security checks. This approach could be a sign of things to come in the software industry, particularly for companies in highly regulated industries, as security testing of dependencies becomes increasingly important. Overall, the Assured OSS program helps to ensure that organizations can trust the OSS packages they use in their software products.
Google has strict criteria for determining which packages meet their standards, and for those that do, they are essentially vouching for their quality and security by making them available through their program. In addition, Google provides evidence of the extensive vetting process that these packages undergo, which helps to instill confidence in developers and users who rely on these components. By endorsing these packages and providing proof of their efforts, Google is helping to raise the overall level of trust and security in the open source community.