On Tuesday, Google unveiled a new program aimed at safeguarding the open-source software supply chain by curating and delivering a security-vetted selection of open source packages to Google Cloud users. The business announced the new service, dubbed Assured Open Source Software, in a blog post. Andy Chang, Google Cloud’s group product manager for security and privacy, highlighted some of the problems of safeguarding open source software and emphasised Google’s commitment to open source in his blog post.
“There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks,” Chang wrote, citing last year’s major log4j vulnerability as an example. “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure.”
According to Google, the Assured Open Source Software service will give Cloud clients access to Google’s substantial software auditing knowledge. According to Google, all open source packages made available through the service are also used internally by the corporation and are inspected and analysed for vulnerabilities on a regular basis.
A list of the 550 important open source libraries that Google is currently reviewing is available on GitHub. While these libraries may all be downloaded independently of Google, the Assured OSS program will see audited versions provided through Google Cloud, preventing developers from corrupting widely used open source libraries. This service is now in early access phase and will be ready for wider consumer testing in Q3 2022.
The Google statement is part of a broader industry effort to strengthen the security of the open source software supply chain, which has the support of the Biden administration. In January, representatives from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency met with executives from some of the country’s major IT companies to examine open-source software security in the wake of the log4j bug. Since then, the corporations involved have pledged more than $30 million in financing to improve open source software security during a recent summit.
In addition to cash, Google is devoting engineering time to ensuring the supply chain’s security. The corporation has announced the development of a “Open Source Maintenance Crew” that will collaborate with library maintainers to improve security.