Google: These “curated” open-source packages will improve software supply chain security

Google aims to bolster software supply chain security with an initiative that promises to give users of enterprise open-source software access to the same secure packages used by its own developers to create and maintain code.

Google said there had been a 650% year-over-year increase in cyberattacks aimed at open source suppliers, with attackers exploiting weaknesses in the ecosystem in order to reach the downstream organizations that depend on those packages.

“That’s what we looked at closely, it’s basically how to get ahead of any digital supply chain issues so that we’re not in the same position that we are today on the physical supply chain,” said Sunil Potti, vice president of Google Cloud Security.

“And the equivalent of that in the digital supply chain is open source software. In our view, while we will need to take an end-to-end view of securing the supply chain, just about every company on the planet is exposed to open source software,” he added.


Packages offered to Google Cloud customers through the Assured Open Source Software service are verifiably signed by Google and are regularly scanned and analyzed for vulnerabilities, so that users are as protected as possible from bugs and exploits.

They are built using Google’s Cloud Build platform, with verifiable evidence of compliance with SLSA (Supply chain Levels for Software Artifacts), a security framework and checklist of standards and controls intended to prevent code tampering, improve integrity and secure packages, and are distributed from a secured Artifact Registry operated and protected by Google.

This mirrors the process used within Google, where every step of the build is actively secured across the entire end-to-end process and separate, secure copies of the source code are kept.
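What "verifiably signed" and "verifiable SLSA compliance" mean in practice for a consumer is that, before a package is installed, its bytes can be checked against a signed build provenance attestation. The following is an added example, not code from the article or from Google: it builds a SLSA v0.2 provenance statement in the in-toto format, wraps it in a DSSE envelope, and then verifies a downloaded artifact against it (signature over the DSSE pre-authentication encoding, expected builder identity, and the artifact's sha256 digest against the statement's subject). The builder id, key, package name and contents are all constructed for the demo, and the signature is an HMAC-SHA256 stand-in for the builder's asymmetric signature so the example runs with the standard library only.

```python
"""
Added example (not from the article or Google): verify a downloaded package
against a SLSA build provenance attestation before installing it.

Assumptions: provenance is an in-toto Statement (v0.1) carrying a SLSA v0.2
predicate, wrapped in a DSSE envelope. The DSSE signature is replaced by an
HMAC-SHA256 over the DSSE pre-authentication encoding (PAE) with a shared
key; this is a constructed stand-in for the builder's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json

EXPECTED_BUILDER_ID = "https://example.com/builders/cloud-build"  # assumption
VERIFY_KEY = b"constructed-demo-key"                               # assumption

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes the signature covers."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_provenance(statement: dict, key: bytes) -> dict:
    """Wrap an in-toto statement in a DSSE envelope (HMAC stand-in signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, dsse_pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}],
    }


def verify_artifact(artifact: bytes, name: str, envelope: dict, key: bytes,
                    expected_builder: str) -> bool:
    """True only if the envelope is authentic, the provenance names exactly this
    artifact (by sha256) and it was produced by the builder we trust."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False
    payload = base64.b64decode(envelope["payload"])
    expected_sig = hmac.new(key, dsse_pae(envelope["payloadType"], payload),
                            hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected_sig)
               for s in envelope.get("signatures", [])):
        return False  # unsigned or tampered envelope
    stmt = json.loads(payload)
    if stmt.get("_type") != IN_TOTO_STATEMENT:
        return False
    if stmt.get("predicateType") != SLSA_PROVENANCE_V02:
        return False
    if stmt["predicate"]["builder"]["id"] != expected_builder:
        return False  # built somewhere other than the trusted builder
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s["name"] == name and s["digest"].get("sha256") == digest
               for s in stmt["subject"])


def make_statement(artifact: bytes, name: str, builder_id: str) -> dict:
    """Construct a SLSA v0.2 provenance statement for one artifact (demo data)."""
    return {
        "_type": IN_TOTO_STATEMENT,
        "predicateType": SLSA_PROVENANCE_V02,
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/buildtypes/demo",       # assumption
            "materials": [{"uri": "git+https://example.com/example-lib",  # assumption
                           "digest": {"sha1": "0" * 40}}],
        },
    }


# Constructed sample: a fake package tarball and its signed provenance.
PACKAGE_NAME = "example-lib-1.2.3.tar.gz"
PACKAGE_BYTES = b"constructed package contents"
GOOD_ENVELOPE = sign_provenance(
    make_statement(PACKAGE_BYTES, PACKAGE_NAME, EXPECTED_BUILDER_ID), VERIFY_KEY)

if __name__ == "__main__":
    print("genuine:", verify_artifact(PACKAGE_BYTES, PACKAGE_NAME, GOOD_ENVELOPE,
                                      VERIFY_KEY, EXPECTED_BUILDER_ID))
    print("tampered:", verify_artifact(PACKAGE_BYTES + b"x", PACKAGE_NAME,
                                       GOOD_ENVELOPE, VERIFY_KEY, EXPECTED_BUILDER_ID))
```

The order of the checks matters: the signature is verified over the raw payload bytes before the JSON is parsed or trusted, the builder identity is pinned rather than accepted from the attestation, and the artifact is matched by digest rather than by name, so a package swapped on the registry, a provenance re-signed by a different builder, or a statement edited after signing each fails closed.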

“Assured OSS allows enterprise customers to directly benefit from the deep, end-to-end security capabilities and practices we apply to our own OSS portfolio by giving them access to the same OSS packages that Google depends on,” said a Google blog post.

Supply chain attacks are a common tactic among cybercriminals, and many incidents begin with attackers exploiting newly disclosed vulnerabilities in widely used components. Even when a security patch is available, companies can be slow to deploy it, leaving them exposed to attackers in the meantime.

With this new offering, Google Cloud hopes to make it easier to manage open source and supply chain vulnerabilities, helping organizations of all sizes protect against cyberattacks.

“It’s a way for every customer – whether it’s a two-person store or a 100,000-employee bank – that leverages or builds code to rely on a curated set of open source packages that Google itself has invested in to protect our own developers over many years, which we are now bringing to market as this Assured Open Source package,” Potti said.


Margie D. Carlisle