
Google Cloud to Offer Secure Open Source Software Service

Having put multiple internal security checks in place for the open source software (OSS) it uses, Google Cloud will offer a service that provides those security-vetted OSS packages to customers.

The Assured Open Source Software service is expected to debut in preview in the third quarter of this year, letting organizations who might not have the same resources as the cloud giant incorporate its security-vetted OSS packages into their own developer workflows.

The graphic below illustrates various stages of the software supply chain for open source dependencies, which are checked at every stage by Google.

[Figure: Software Supply Chain (source: Google Cloud).]

"In our case, we start by maintaining separate secured copies of the source code for our dependencies and perform our own vulnerability scanning," Google said. "We continuously fuzz 550 of the most commonly used open source projects, and as of January 2022 have found more than 36,000 vulnerabilities. This makes us one of the largest contributors to the OSV [Open Source Vulnerabilities database]." Multiple other checks are also applied throughout the workflow.

Google said packages curated by the Assured OSS service:

  • are regularly scanned, analyzed, and fuzz-tested for vulnerabilities
  • have corresponding enriched metadata incorporating Container/Artifact Analysis data
  • are built with Cloud Build including evidence of verifiable SLSA-compliance
  • are verifiably signed by Google
  • are distributed from an Artifact Registry secured and protected by Google

As this list of ADTmag articles shows, risky OSS has been a problem for many years:

More recent Virtualization & Cloud Review articles reveal an improving situation, but still a mixed bag on the open source security front:

The new Assured OSS service is likely to improve the situation further.

"We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program," Google said. "Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources. However, the lack of an end-to-end process creates risk exposure each step of the way."

Google also announced a related partnership with Snyk -- a cybersecurity company specializing in cloud computing -- to help developers understand the risks associated with using open source dependencies, in which:

  • Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code.
  • Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within Google Cloud security and software development life cycle tools to enhance the developer experience.

Organizations -- whether enterprise or public sector -- can fill out a form to learn more about the upcoming Assured OSS service.

About the Author

David Ramel is an editor and writer for Converge360.
