Google has announced its new Assured Open Source Software service as part of the tech giant’s drive to help organizations strengthen their OSS supply chain.
Expected to enter Preview in Q3, the Google Cloud product has been designed to enable enterprises and public sector users of open-source software to easily incorporate the same OSS packages that Google uses in its developer workflows.
“Assured OSS lets organizations benefit from Google’s extensive security experience and can reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies,” Google said in a blog post.
The offering forms part of Google’s efforts to help make the open-source software ecosystem more secure. Packages curated by the Assured OSS service will be regularly scanned, analyzed, and fuzz-tested for vulnerabilities, while corresponding enriched metadata will incorporate Container/Artifact Analysis data.
They will also be built with Cloud Build, including evidence of verifiable SLSA-compliance, verifiably signed by Google, and distributed from a secure and protected Artefact Registry.
Ultimately, Google said it is aiming to centralize control and actively secure each stage of the software supply chain for an open-source dependency.
“Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on,” the company added.
“Users will also be able to submit packages from their own OSS portfolio to be secured and managed through the Google Cloud managed service.”
Additionally, Google Cloud has announced a new collaborative effort with cybersecurity firm Snyk to further help developers understand their open source dependencies, as well as use Assured OSS to reduce their risk.
Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code, Google said, while Snyk vulnerabilities, triggering actions, and remediation recommendations will be available within Google Cloud security and software development life cycle tools.
“The collaboration can help developers reduce the possibility of deploying open-source software with critical vulnerabilities, more quickly identify associated impact of vulnerabilities, better eliminate new threat exposures, and increase automation of their remediation activities,” Google explained.
