Google targets open-source vulnerabilities. Google Cloud has announced a new service aimed at improving software supply chain security.
The new Assured Open Source Software (Assured OSS) program lets enterprise and public-sector users consume the same open source packages that Google uses and secures internally, rather than pulling unvetted packages straight from public registries.
As attackers target every sector, software supply chains that depend on open source code have become a favoured entry point. The move follows high-profile open source vulnerabilities, including Log4Shell in Log4j and Spring4Shell in the Spring Framework.
Google has also taken part in discussions with the OpenSSF and the Linux Foundation on improving open-source software security. Google says Assured OSS packages will be regularly scanned, analysed, and fuzz-tested for vulnerabilities, and will carry richer metadata such as Container/Artifact Analysis data.
Packages will be built with Google Cloud Build and shipped with verifiable SLSA-compliant provenance, so a consumer can check that the artifact they downloaded is the one the trusted build produced. Assured OSS is expected to become available in Q3 2022, with packages distributed from Google-controlled repositories. Google says it continuously fuzz-tests roughly 550 open-source projects and had found more than 36,000 vulnerabilities as of January 2022.
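What "SLSA-compliant provenance" buys a consumer is a signed statement that binds the artifact's digest to the builder that produced it and the sources it was built from. The following is an added example, not Google's or Assured OSS's code, showing the checks a consumer-side policy would apply to such a statement. The attestation, artifact bytes, builder id and build type below are all constructed for illustration; the statement layout follows the public in-toto Statement v0.1 / SLSA provenance v0.2 schemas.

```python
"""Check a constructed SLSA v0.2 provenance statement against a package artifact.

Added example for this article; the artifact, builder id and attestation are
constructed here and are not Assured OSS output.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

# Constructed bytes standing in for a downloaded package tarball.
ARTIFACT = b"constructed contents of pkg-1.2.3.tar.gz\n"
ARTIFACT_NAME = "pkg-1.2.3.tar.gz"
# Hypothetical builder id. A real policy pins the exact id the distributor publishes.
TRUSTED_BUILDER = "https://cloudbuild.example/builders/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, name: str, builder_id: str) -> dict:
    """Construct a minimal in-toto Statement carrying SLSA v0.2 provenance.

    In practice the builder, not the consumer, emits and signs this; it is
    generated here only so there is something to verify offline.
    """
    source = {"uri": "git+https://github.com/example/pkg", "digest": {"sha1": "0" * 40}}
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://cloudbuild.example/BuildType/v1",  # hypothetical
            "invocation": {"configSource": source},
            "materials": [source],
        },
    }


def verify_provenance(statement: dict, artifact: bytes, name: str, trusted_builder: str) -> list:
    """Return a list of policy failures; an empty list means the artifact is accepted."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        failures.append("predicate is not SLSA provenance")

    # The subject binds the statement to a specific artifact by digest.
    subjects = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not subjects:
        failures.append(f"no subject named {name}")
    elif subjects[0].get("digest", {}).get("sha256") != sha256_hex(artifact):
        failures.append("subject sha256 does not match artifact")

    # Only accept artifacts produced by the build service the policy trusts.
    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") != trusted_builder:
        failures.append("builder id is not trusted")
    # Provenance without recorded inputs cannot be traced back to source.
    if not predicate.get("materials"):
        failures.append("no build materials recorded")
    return failures


if __name__ == "__main__":
    good = make_provenance(ARTIFACT, ARTIFACT_NAME, TRUSTED_BUILDER)
    print(json.dumps(good, indent=2))
    print("genuine artifact:", verify_provenance(good, ARTIFACT, ARTIFACT_NAME, TRUSTED_BUILDER))
    print("tampered artifact:", verify_provenance(good, ARTIFACT + b"x", ARTIFACT_NAME, TRUSTED_BUILDER))
```

The checks above cover only the statement's content. Real provenance arrives wrapped in a signed envelope (DSSE for in-toto attestations), and the envelope signature must be verified against the builder's published key before any of these fields are trusted; without that step an attacker who can replace the artifact can replace the provenance too.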
Google also announced a partnership with Snyk, a developer security company, to embed Assured OSS into Snyk's products so that joint customers can use the vetted packages while writing code. Snyk's vulnerability findings, triggering actions, and remediation recommendations will be available natively to joint customers within Google Cloud's security and software development lifecycle tooling.
Despite these security concerns, open-source software continues to attract developers worldwide. An Instaclustr survey of application developers found that 45% believe open-source software can cut costs, and 38% believe it makes porting code easier.