According to a 2023 study by Synopsys, 84% of open source codebases contained at least one known vulnerability, and 48% contained a high-risk vulnerability.
Google launched Assured OSS in May 2022 as a response to the rapid growth in cyberattacks aimed at open source suppliers. According to industry sources, a 650% surge in software supply chain attacks took place in 2021, when the use of Open Source Software increased dramatically. Google positioned itself as a "long time contributor, maintainer, user of open source software" and has "developed a robust set of technology, processes, security capabilities and controls" to protect the integrity of OSS.
OSS proliferation, increasing reliance on microservices and cloud data services, the multilayered nature of cyberattacks and gaps in standardization are just some of the reasons open source software has become a ripe target. In response to these threats, Google Cloud will be making its Assured Open Source Software service for the Java and Python ecosystems available at no cost. Assured OSS gives organizations access to Google-vetted packages, the same ones Google uses in its own workflows.
This move comes on the back of Google's decision to offer its Project Shield DDoS defense to government sites, news outlets and independent journalists in response to the rise in politically motivated DDoS attacks.
Google's Assured OSS environment regularly scans, analyses and fuzz tests code packages (feeding them invalid, random or unexpected input to expose irregular behaviour) to identify vulnerabilities. Packages also ship with enriched metadata that incorporates Container/Artifact Analysis data. This gives developers details about a package's code dependencies, licensing and other attributes, which is useful for understanding what the package contains and how it relates to other components in a larger system. The same enriched metadata can be used to identify security vulnerabilities in code.
Google also verifiably signs these packages and distributes them from an artifact registry that Google secures and maintains, adding another layer of security and trust to the dependencies in use. Securing a codebase means addressing the known points of entry for attackers and also surfacing unexpected weaknesses.
Google's Assured OSS program provides organizations with a trusted source for open source software (OSS) packages, including a software bill of materials (SBOM) that details each package's contents. The program focuses specifically on 1,000 Java and Python packages and aims to simplify securing OSS for DevOps teams by reducing the need for them to build their own security workflows.
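The two consumer-side checks that signed packages and an SBOM make possible (verify the downloaded artifact against the digest recorded for it, then cross-reference the SBOM's components against known advisories) as an added example that is not part of the original article or of Google's tooling. The SBOM layout loosely follows CycloneDX, and the artifact bytes, advisory IDs and package names are constructed placeholders.

```python
import hashlib

# Constructed artifact bytes standing in for a downloaded wheel or jar.
ARTIFACT = b"example package contents v1.2.3\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed SBOM (CycloneDX-like layout; an assumption, not Google's format).
SBOM = {
    "components": [
        {"purl": "pkg:pypi/examplepkg@1.2.3", "name": "examplepkg", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256", "content": ARTIFACT_SHA256}]},
        {"purl": "pkg:maven/com.example/oldlib@0.9.0", "name": "oldlib", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
    ]
}

# Constructed advisory feed: package base purl -> [(placeholder advisory id, affected versions)].
ADVISORIES = {
    "pkg:maven/com.example/oldlib": [("ADV-EXAMPLE-0001", {"0.9.0", "0.9.1"})],
}


def verify_digest(artifact: bytes, component: dict) -> bool:
    """Return True only if the artifact's SHA-256 matches a digest recorded in the SBOM.

    A component with no recorded digest fails closed: integrity cannot be attested.
    """
    recorded = {h["content"].lower() for h in component.get("hashes", [])
                if h.get("alg") == "SHA-256"}
    if not recorded:
        return False
    return hashlib.sha256(artifact).hexdigest() in recorded


def find_advisories(sbom: dict) -> list:
    """Return (purl, advisory_id) pairs for SBOM components with a known advisory."""
    hits = []
    for comp in sbom["components"]:
        base, _, version = comp["purl"].rpartition("@")
        for adv_id, affected in ADVISORIES.get(base, []):
            if version in affected:
                hits.append((comp["purl"], adv_id))
    return hits


if __name__ == "__main__":
    print("digest ok:", verify_digest(ARTIFACT, SBOM["components"][0]))
    print("advisories:", find_advisories(SBOM))
```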
By using advanced security testing methods such as fuzz testing and metadata analysis, Google is able to provide assurance that the packages in the program have undergone rigorous security checks. This approach could be a sign of things to come in the software industry, particularly for companies in highly regulated industries, as security testing of dependencies becomes increasingly important. Overall, the Assured OSS program helps to ensure that organizations can trust the OSS packages they use in their software products.
Google has strict criteria for determining which packages meet its standards, and for those that do, it is essentially vouching for their quality and security by making them available through the program. In addition, Google provides evidence of the vetting process these packages undergo, which helps instill confidence in the developers and users who rely on them. By endorsing these packages and publishing proof of its efforts, Google is helping to raise the overall level of trust and security in the open source community.