Introducing Google Cloud’s new Assured Open Source Software service
Group Product Manager, Security & Privacy
There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks. Remediation efforts for vulnerabilities like Log4j and Spring4shell, and a 650% year-over-year increase in cyberattacks aimed at open source suppliers, have sharpened focus on the critical task of bolstering the security of open source software. Governments and regulators have taken notice and action, including the White House’s Executive Order 14028 on Improving the Nation’s Cybersecurity, followed by other governments and agencies around the world asserting new requirements and standards specifically focused on the software development lifecycle and the software supply chain.
Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure through efforts including the Open Source Security Foundation (OpenSSF), Open Source Vulnerabilities (OSV) database, and OSS-Fuzz. Last week, Google joined the OpenSSF, Linux Foundation, and industry leaders for a meeting to advance the open source software security initiatives discussed during January’s White House Summit on Open Source Security.
Announcing Assured Open Source Software
To further our commitment to help organizations strengthen their OSS software supply chain, we are announcing today a new Google Cloud product: our Assured Open Source Software service. Assured OSS enables enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows. Packages curated by the Assured OSS service:
are regularly scanned, analyzed, and fuzz-tested for vulnerabilities
have corresponding enriched metadata incorporating Container/Artifact Analysis data
are built with Cloud Build including evidence of verifiable SLSA-compliance
are verifiably signed by Google
are distributed from an Artifact Registry secured and protected by Google
As a result, Assured OSS lets organizations benefit from Google’s extensive security experience and can reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies. Assured OSS is expected to enter Preview in Q3 2022.
Announcing Google Cloud and Snyk collaboration
In addition, today Google Cloud and Snyk are announcing their intent to collaborate to further help developers understand the risk and impact of their open source dependencies, and use Assured OSS to help reduce their risk. Specifically:
Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code.
Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within Google Cloud security and software development life cycle tools to enhance the developer experience.
The collaboration can help developers reduce the possibility of deploying open source software with critical vulnerabilities, more quickly identify associated impact of vulnerabilities, better eliminate new threat exposures, and increase automation of their remediation activities.
What goes into the Assured OSS Service
The figure above details the many stages of the software supply chain for an open source dependency. Enterprises have widely different entry points to this lifecycle - some organizations may build packages from source themselves, while others pull packages from repos that they trust.
A few organizations including Google centralize control and actively secure each step of the end-to-end process. In our case, we start by maintaining separate secured copies of the source code for our dependencies and perform our own vulnerability scanning. We continuously fuzz 550 of the most commonly-used open source projects, and as of January 2022 have found more than 36,000 vulnerabilities. This makes us one of the largest contributors to the OSV.
We then manage an end-to-end build, deploy, and distribution process that includes integrated integrity, provenance, and security checks. Based on our internal security practices, we have created the SLSA framework to enable organizations to assess the maturity of their software supply chain security and understand key steps to progress to the next level.
We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program. Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources. However, the lack of an end-to-end process creates risk exposure each step of the way.
Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on. Users will also be able to submit packages from their own OSS portfolio to be secured and managed through the Google Cloud managed service.
Take the next step
We are excited to partner with you to help manage your use of OSS in your enterprise development workflows. Our collaboration with Snyk will help further simplify and secure cloud migrations and application modernization for developers, especially on Google Cloud.
To learn more about Assured OSS and get started, please fill out this interest form.