New Google Cloud initiative to secure open-source software supply chain
New Delhi : Google has launched a new initiative to secure open-source software (OSS) supply chain as cyber-criminals look for vulnerabilities like Log4j and Spring4shell to disrupt key operations. Google has announced Assured Open Source Software service’ that will enable enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows. Google said that the packages curated by the Assured OSS service are regularly scanned and analysed for vulnerabilities and are built with Cloud Build including evidence of verifiable SLSA-compliance.
“There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks,” the company said in a statement late on Tuesday. Remediation efforts for vulnerabilities like Log4j and Spring4shell, and a massive 650 per cent (year-over-year) increase in cyberattacks aimed at open source suppliers, have sharpened focus on the critical task of bolstering the security of open source software. “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure,” it said.
Assured OSS lets organisations benefit from Google’s extensive security experience and can reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies. “Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on,” explained the company.