Google on Tuesday announced a new initiative aimed at securing the open source software supply chain by curating and distributing a collection of security-verified open source packages to Google Cloud customers.
The new service, branded as Assured Open Source Software, was introduced in a company blog post. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed out some of the challenges of securing open source software and emphasized Google’s commitment to open source.
“There has been increased awareness in the developer community, businesses, and governments about software supply chain risks,” Chang wrote, citing last year’s major log4j vulnerability as an example. “Google continues to be one of the largest maintainers, contributors and users of open source and is deeply involved in helping make the open source software ecosystem more secure.”
According to Google’s announcement, the Assured Open Source Software service will extend the benefits of Google’s extensive software auditing expertise to cloud customers. All open source packages available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.
Currently, a list of the top 550 open source libraries that Google continually reviews is available on GitHub. While all of these libraries can be downloaded independently of Google, the Assured OSS program will see audited versions distributed through Google Cloud, which will mitigate incidents where developers intentionally or unintentionally corrupt widely used open source libraries. This service is currently in early access mode and is expected to be available for broader client testing in Q3 2022.
Google’s announcement comes as part of an industry-wide push to improve open source software supply chain security that has also been backed by the Biden administration.
In January, a group of some of the nation’s largest technology companies met with representatives from federal agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, to discuss the security of open source software in the wake of the log4j vulnerability. Since then, a recent meeting of the companies involved resulted in a pledge of more than $30 million in funding to boost the security of open source software.
In addition to providing funds, Google also spends engineering hours keeping the supply chain secure. The company recently announced the formation of an “Open Source Maintenance Team” that would work with maintainers of popular libraries to improve security.