Google announced a new initiative on Tuesday aimed at securing the open source software supply chain by curating and distributing a secure collection of open source packages to Google Cloud customers.
The new service, called Assured Open Source Software, was announced in a company blog post. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, highlighted some of the challenges of securing open source software and emphasized Google’s commitment to open source.
“There has been a growing awareness in the programming community, businesses and governments about software supply chain risks,” Chang wrote, citing last year’s major log4j vulnerability as an example. “Google remains one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure.”
According to Google’s announcement, the Assured Open Source Software service will extend the benefits of Google’s own extensive software auditing experience to Cloud customers. All open source packages available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.
Currently, a list of the 550 major open source libraries continuously reviewed by Google is available on GitHub. While all of these libraries can be downloaded independently of Google, Assured OSS will distribute vetted versions through Google Cloud, mitigating incidents in which developers intentionally or unintentionally corrupt widely used open source libraries. The service is currently in early access and is expected to be available for wider customer testing in Q3 2022.
Google’s announcement comes as part of an industry-wide effort to improve the security of the open source software supply chain, one that has also been supported by the Biden administration.
In January, a group of some of the nation’s largest technology companies met with representatives of federal agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, to discuss open source software security in the wake of the log4j bug. Since then, a follow-up meeting of the companies involved has resulted in a pledge of more than $30 million in funding to accelerate open source software security.
In addition to contributing funding, Google is also putting in engineering hours to keep the supply chain secure. The company recently announced the formation of an “Open Source Maintenance Crew” that will work with the maintainers of popular libraries to improve security.