launches a new security feature. The new initiative is aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to
The new service, introduced in a blog post, has been branded Assured Open Source Software. In the blog post, Andy Chang, group product manager for security and privacy at Google Cloud, highlighted some of the challenges of securing open-source software and also stressed Google’s continued commitment to securing open source.
In the blog post, Chang wrote that “There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks.” Chang cites a major vulnerability from last year, Log4j, as an example. He further wrote that “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open-source software ecosystem more secure.”
Google has disclosed that the Assured Open Source Software service will give enterprise and government users access to the same vetted open-source packages that Google itself uses in its projects. According to the company, these packages are regularly scanned, analyzed, and fuzz-tested for vulnerabilities, and are built with Google Cloud’s Cloud Build service with evidence of SLSA compliance (SLSA, ‘Supply-chain Levels for Software Artifacts,’ is a framework for safeguarding artifact integrity across software supply chains).
A list of the 550 major open-source libraries reviewed by Google is available on GitHub, and the list will continue to be reviewed. While these libraries can all be downloaded independently, the Assured OSS plan will distribute audited versions through Google Cloud, to mitigate incidents where developers intentionally or unintentionally corrupt widely used open-source libraries. At the moment, the service remains in early access and is expected to be available to a wider range of customers for testing by Q3 2022.
The new service announcement comes at a time when there is a wide industry drive to improve the security of the open-source software supply chain. This drive has also enjoyed the support of the Biden administration.
Earlier in 2022, a handful of the nation’s largest tech companies held a meeting with representatives of US federal agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. The meeting focused on open-source software security in the wake of the Log4j bug. A recent meeting of the companies involved also resulted in a pledge of more than $30 million in funding to boost open-source software security. Aside from the provision of funds, Google has also committed to putting engineering hours to work towards ensuring the supply chain is secure. Google recently announced the formation of an “Open Source Maintenance Crew” that would work with the maintainers of popular libraries to improve security.