Google Cloud has announced a new open source software security tool as it aims to improve safety among software supply chains.
The new Assured Open Source Software (OSS) looks to enable enterprise and public sector users of open source software to incorporate the same security packages that Google uses into its own developer workflows.
Software supply chains, which often rely on open source code to stay flexible and customizable, have become popular targets for cyberattacks as hackers look to target industries of all kinds.
What’s behind the move?
The move comes after numerous high profile open source security incidents, including vulnerabilities related to Log4j and Spring4shell.
Google says that the packages curated by the Assured OSS service will be regularly scanned, analyzed, and fuzz-tested for vulnerabilities and will have corresponding enriched metadata that incorporates Google’s Container/Artifact Analysis data.
All packages included in the new tool will be built with Google’s Cloud Build and will include evidence of verifiable SLSA-compliance.
The packages will be distributed from an Artifact Registry secured and protected by Google, with Assured OSS is expected to enter preview in Q3 2022.
Google highlighted that it continuously scans 550 of the most commonly-used open source projects, and says that it has found more than 36,000 vulnerabilities as of January 2022.
In addition, Google also announced a partnership with Israeli developer security platform SNYK that means Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code.
In addition, the partnership also means that Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within the Google Cloud security and software development life cycle.
Security issues haven’t stopped open source software attracting interest from developers everywhere.
A poll of application developers by Instacluster found that 45% of respondents acknowledge the potential of open source software in terms of cutting down costs, while 38% acknowledge its potential in terms of being able to port code more easily.