According to a 2023 study by Synopsys, 84% of the codebases audited contained at least one known open source vulnerability, and 48% contained a high-risk vulnerability.
Google launched Assured OSS in May 2022 in response to the rapid growth in attacks aimed at open source suppliers. According to industry sources, software supply chain attacks surged by 650% in 2021, a year in which the use of open source software increased dramatically. Google positioned itself as a "long time contributor, maintainer, user of open source software" that has "developed a robust set of technology, processes, security capabilities and controls" to protect the integrity of OSS.
The proliferation of OSS, increasing reliance on microservices and cloud data services, the multilayered nature of modern attacks and gaps in standardization are some of the reasons open source software has become a ripe target. In response, Google Cloud is making its Assured Open Source Software service for the Java and Python ecosystems available at no cost. Assured OSS gives organizations access to Google-vetted packages, the same ones Google uses in its own development workflows.
This move follows Google's decision to offer its Project Shield DDoS defense to government sites, news outlets and independent journalists in response to the rise in politically motivated DDoS attacks.
Google's Assured OSS environment regularly scans, analyses and fuzz tests the packages (feeding them invalid, random or unexpected input to expose irregular behaviour) to identify vulnerabilities. Each package also ships with enriched metadata that incorporates Container/Artifact Analysis data, giving developers details of the package's dependencies, licensing and other attributes that are useful for understanding what the package contains and how it relates to other components in a larger system. The same metadata can be matched against vulnerability data to identify known-vulnerable dependencies.
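As an added illustration of the fuzz testing described above (example code written for this page, not Google's or the Assured OSS tooling), the following Python fuzzer mutates a valid record and feeds the results to a constructed toy parser, `parse_record`. The record format, the parser and its `MalformedRecord` error are assumptions made for the example; the point is that only the documented rejection counts as expected behaviour, and every other exception is an unhandled input path the fuzzer reports.

```python
import random

# Constructed toy record format (an assumption for this example):
#   1-byte name length, ASCII name, 2-byte big-endian payload length, payload.
# The parser trusts the declared lengths and assumes the name is ASCII, the
# kind of unchecked assumption that random input is good at surfacing.
SEED = bytes([3]) + b"pkg" + (5).to_bytes(2, "big") + b"hello"


class MalformedRecord(ValueError):
    """The one documented rejection: the parser is allowed to raise this."""


def parse_record(data: bytes) -> dict:
    """Parse one record. MalformedRecord is expected for truncated payloads;
    any other exception is an unhandled input path, i.e. a bug."""
    name_len = data[0]                      # IndexError on empty input
    name = data[1:1 + name_len]
    pos = 1 + name_len
    payload_len = int.from_bytes(data[pos:pos + 2], "big")
    payload = data[pos + 2:pos + 2 + payload_len]
    if len(payload) != payload_len:
        raise MalformedRecord("truncated payload")
    return {"name": name.decode("ascii"),   # UnicodeDecodeError on non-ASCII name
            "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, insert bytes, delete a
    slice, or truncate. This produces the invalid, random or unexpected input
    the text describes."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif op == 2 and data:
        i = rng.randrange(len(data))
        del data[i:rng.randrange(i, len(data) + 1)]
    else:
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)


def fuzz(target, seeds, iterations=5000, rng_seed=1):
    """Mutate the seeds and call target; record the first input that triggers
    each unexpected exception type. Returns {exception_name: crashing_input}."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        try:
            target(case)
        except MalformedRecord:
            continue                        # documented rejection, not a finding
        except Exception as exc:            # anything else is an unhandled path
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    for name, case in fuzz(parse_record, [SEED]).items():
        print(f"{name}: {case!r}")
```

The loop has no coverage feedback, so it only explores what random mutation of one seed reaches; production fuzzers track which code paths each input exercises and keep inputs that reach new ones, which is what lets them find deeper bugs. Note also why `MalformedRecord` is a dedicated class: `UnicodeDecodeError` is itself a subclass of `ValueError`, so catching the broad built-in type would silently swallow one of the bugs.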
Google also signs these packages, so that consumers can verify their provenance, and distributes them from an artifact registry that Google secures and protects, which adds another layer of integrity and trust for the dependencies in use. The signature only helps if it is checked: a build that pulls from the registry without verifying signatures gets the curated content but none of the tamper evidence. Securing a codebase means closing the entry points an attacker would use and also finding the weaknesses nobody expected.
Google's Assured OSS program provides organizations with a trusted source for open source software (OSS) packages, each accompanied by a software bill of materials (SBOM) that details the package's contents. The program focuses on 1,000 Java and Python packages and aims to simplify securing OSS for DevOps teams by reducing the need for them to build their own vetting workflows.
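To show what a consumer actually does with a package's SBOM and enriched metadata, here is an added Python example (written for this page, not Google's code or the Assured OSS data format). It checks each component listed in a constructed CycloneDX-style SBOM against the downloaded artifact's SHA-256 and against a constructed advisory list. The artifact contents, package URLs and advisory identifiers are placeholders made up for the example, and the example assumes the SBOM itself has already been fetched from a trusted source and its signature verified before any of this runs.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded package files, keyed by package URL (purl).
ARTIFACTS = {
    "pkg:pypi/examplelib@1.4.2": b"examplelib-1.4.2 wheel contents (constructed)",
    "pkg:maven/org.example/util@2.0.1": b"util-2.0.1 jar contents (constructed)",
    "pkg:pypi/oldparser@0.9.0": b"oldparser-0.9.0 wheel contents (constructed)",
}


def component(name: str, version: str, purl: str) -> dict:
    """One SBOM component entry carrying the SHA-256 of the artifact it describes."""
    return {"type": "library", "name": name, "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS[purl])}]}


# Constructed CycloneDX-style SBOM listing the three components above.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        component("examplelib", "1.4.2", "pkg:pypi/examplelib@1.4.2"),
        component("util", "2.0.1", "pkg:maven/org.example/util@2.0.1"),
        component("oldparser", "0.9.0", "pkg:pypi/oldparser@0.9.0"),
    ],
}

# Constructed advisory feed: purl -> placeholder identifier (not a real advisory).
ADVISORIES = {"pkg:pypi/oldparser@0.9.0": "EXAMPLE-ADVISORY-0001"}


def check_sbom(sbom: dict, artifacts: dict, advisories: dict) -> dict:
    """Return {purl: status} where status is one of 'ok', 'missing-artifact',
    'no-hash', 'hash-mismatch' or 'vulnerable:<id>'. A hash mismatch means the
    file on disk is not the one the SBOM describes, so its metadata cannot be
    trusted for that component and the advisory lookup is skipped."""
    results = {}
    for comp in sbom["components"]:
        purl = comp["purl"]
        data = artifacts.get(purl)
        if data is None:
            results[purl] = "missing-artifact"
            continue
        expected = next((h["content"] for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        if expected is None:
            results[purl] = "no-hash"
            continue
        if not hmac.compare_digest(expected, sha256_hex(data)):
            results[purl] = "hash-mismatch"
            continue
        advisory = advisories.get(purl)
        results[purl] = f"vulnerable:{advisory}" if advisory else "ok"
    return results


def tampered_artifacts() -> dict:
    """The same artifact set with one file altered after the SBOM was produced."""
    changed = dict(ARTIFACTS)
    changed["pkg:pypi/examplelib@1.4.2"] = b"examplelib-1.4.2 wheel contents (modified)"
    return changed


if __name__ == "__main__":
    for purl, status in check_sbom(SBOM, ARTIFACTS, ADVISORIES).items():
        print(f"{status:<40} {purl}")
    print("after tampering:", check_sbom(SBOM, tampered_artifacts(), ADVISORIES))
```

The hash check is what ties the metadata to the bytes you are about to build with; without it, an SBOM describes some package, not necessarily the one in your cache. Matching by exact purl is the simplest form of advisory lookup; real feeds express affected version ranges, so a production check needs ecosystem-aware version comparison rather than string equality.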
By applying security testing such as fuzzing and metadata analysis to every package, Google can attest that the packages in the program have been through rigorous checks. This could be a sign of things to come in the software industry, particularly for companies in highly regulated sectors, as security testing of dependencies becomes increasingly important. Overall, the Assured OSS program helps organizations trust the OSS packages they build into their products.
Google applies strict criteria to decide which packages meet its standards, and by making a package available through the program it is effectively vouching for that package's quality and security. Google also publishes evidence of the vetting each package has undergone, which gives the developers and users who depend on these components a basis for confidence. By endorsing the packages and providing proof of its efforts, Google is raising the overall level of trust and security in the open source community.