Breaking News

Google will begin distributing a security-verified collection of open-source software libraries

Google will begin distributing a security-verified collection of open-source software libraries




Google on Tuesday announced a new initiative that aims to secure the open-source software supply chain by curating and delivering a security-verified collection of open-source packages for Google Cloud customers.

The new service, branded Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed to some of the challenges of securing open-source software and emphasized Google's commitment to open source.

“There is growing awareness among the developer community, enterprises and governments about software supply chain risks, citing the major log4j vulnerability of last year as an example.” "Google remains one of the largest maintainers, contributors and users of open source and is deeply involved in helping to make the open source software ecosystem more secure."

Assured Cloud will extend the benefits of Google's own comprehensive software auditing experience to customers, according to Google's announcement. All open-source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.

Currently, a list of 550 major open-source libraries constantly being reviewed by Google is available on GitHub. While these libraries can be freely downloaded from Google, the Assured OSS program will see audited versions distributed via Google Cloud – a mitigation against incidents where developers have intentionally or unintentionally used them extensively. Corrupt open-source library. Currently, the service is in early access mode and is expected to be made available for extensive customer testing in the third quarter of 2022.

Google's announcement comes as part of an industry-wide campaign to improve the security of the open-source software supply chain and one that has also been endorsed by the Biden administration.

In January, a group of some of the nation's biggest tech companies met with representatives from federal agencies, including the Department of Homeland Security and the Cyber ​​Security and Infrastructure Security Agency, to discuss open-source software security in the wake of the Log4j bug. Since then, a recent meeting of the companies involved has resulted in a funding pledge of more than $30 million to promote open-source software security.

In addition to contributing funding, Google is also putting in hours of engineering to keep the supply chain secure. The company recently announced the formation of an "open source maintenance crew" that will work with maintainers of popular libraries to improve security.

No comments