Google Cloud is looking to make open source code safer than ever
Google is cracking down on open source vulnerabilities
Google Cloud has announced a new open source software security tool as it aims to improve safety among software supply chains.
The new Assured Open Source Software (OSS) looks to enable enterprise and public sector users of open source software to incorporate the same security packages that Google uses into its own developer workflows.
Software supply chains, which often rely on open source code to stay flexible and customizable, have become popular targets for cyberattacks as hackers look to target industries of all kinds.
What’s behind the move?
The move comes after numerous high profile open source security incidents, including vulnerabilities related to Log4j and Spring4shell.
Google joined the OpenSSF and the Linux Foundation for a meeting to advance the open source software security initiatives discussed during the recent White House Summit on Open Source Security.
Google says that the packages curated by the Assured OSS service will be regularly scanned, analyzed, and fuzz-tested for vulnerabilities and will have corresponding enriched metadata that incorporates Google’s Container/Artifact Analysis data.
All packages included in the new tool will be built with Google’s Cloud Build and will include evidence of verifiable SLSA-compliance.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The packages will be distributed from an Artifact Registry secured and protected by Google, with Assured OSS is expected to enter preview in Q3 2022.
Google highlighted that it continuously scans 550 of the most commonly-used open source projects, and says that it has found more than 36,000 vulnerabilities as of January 2022.
In addition, Google also announced a partnership with Israeli developer security platform SNYK that means Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code.
In addition, the partnership also means that Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within the Google Cloud security and software development life cycle.
Security issues haven’t stopped open source software attracting interest from developers everywhere.
A poll of application developers by Instacluster found that 45% of respondents acknowledge the potential of open source software in terms of cutting down costs, while 38% acknowledge its potential in terms of being able to port code more easily.
- · Check out our guide to the best endpoint protection for your business
Will McCurdy has been writing about technology for over five years. He has a wide range of specialities including cybersecurity, fintech, cryptocurrencies, blockchain, cloud computing, payments, artificial intelligence, retail technology, and venture capital investment. He has previously written for AltFi, FStech, Retail Systems, and National Technology News and is an experienced podcast and webinar host, as well as an avid long-form feature writer.