Google: These 'curated' open-source packages will improve software supply chain security

The Assured Open Source Software service provides Google Cloud customers with the same open-source packages that Google uses itself.
Written by Danny Palmer, Senior Writer

Google aims to boost software supply chain security with an initiative that promises to offer enterprise open-source software users access to the same secure packages used by its own developers to build and maintain code.

Google said there has been a 650% year-on-year increase in cyberattacks aimed at open-source software suppliers, where attackers exploit weaknesses in the ecosystem in order to reach the downstream organisations that depend on those packages.

"That's what we've been having a real hard look at, is fundamentally how to get ahead of any digital supply chain problems so we're not in the same position we're in today on the physical supply chain," said Sunil Potti, VP of Google Cloud Security.

"And the equivalent of that in the digital supply chain is open-source software. In our opinion, while we'll have to take an end-to-end view of securing the supply chain, pretty much every company on the planet is exposed to open source software," he added.


The packages offered to Google Cloud customers through the Assured Open Source Software service are signed by Google, so that consumers can verify that what they download is the artifact Google built rather than something substituted in transit, and are regularly scanned and analysed for vulnerabilities so that known bugs are caught before users pick them up.

They are built using Google's Cloud Build platform, with evidence of verifiable compliance with SLSA (Supply-chain Levels for Software Artifacts), a security framework and checklist of controls designed to prevent tampering with source and build processes and to improve the integrity of the resulting packages. The packages are distributed from an Artifact Registry secured and operated by Google.

This is based on the process used within Google where each step of the build is actively secured during the entire end-to-end process, as well as maintaining separate secured copies of the source code.
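The consumer side of the arrangement described above is a verification step: check that the provenance attached to a package is signed by the trusted publisher, that it covers the exact bytes you downloaded, and that it names the builder you expect. The following is an added example, not code from Google or the Assured OSS service, and it assumes a simplified scheme: an in-toto-style statement carrying a SLSA provenance predicate, signed with Ed25519 over the raw statement bytes. The builder ID, build type and package name are placeholders, and the page does not specify the real signature format or identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement follows the in-toto attestation layout that SLSA provenance is
// carried in: the artifacts it covers (subjects) plus a typed predicate.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate keeps only the SLSA provenance fields this check consults.
type Predicate struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string                          `json:"buildType"`
}

// SignedStatement is the envelope shipped next to the package: the
// serialised statement and a signature over exactly those bytes.
type SignedStatement struct {
	Payload   []byte
	Signature []byte
}

// Sign is the publisher side, included so the example runs stand-alone.
// A real publisher keeps this key in a KMS/HSM, never on a build worker.
func Sign(priv ed25519.PrivateKey, st Statement) (SignedStatement, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs the consumer-side checks in order: signature under the trusted
// key, expected predicate type, downloaded artifact's sha256 listed as a
// subject, and expected builder. Any error means "do not install".
func Verify(pub ed25519.PublicKey, env SignedStatement, artifact []byte, wantBuilder string) error {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return errors.New("signature does not verify under trusted key")
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return fmt.Errorf("malformed statement: %w", err)
	}
	if st.PredicateType != "https://slsa.dev/provenance/v0.2" {
		return fmt.Errorf("unexpected predicate type %q", st.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			matched = true
		}
	}
	if !matched {
		return errors.New("artifact digest is not a subject of the provenance")
	}
	if st.Predicate.Builder.ID != wantBuilder {
		return fmt.Errorf("built by %q, expected %q", st.Predicate.Builder.ID, wantBuilder)
	}
	return nil
}

// NewProvenance builds a statement for artifact bytes. builderID and the
// build type are hypothetical placeholders, not Google's real identifiers.
func NewProvenance(name string, artifact []byte, builderID string) Statement {
	sum := sha256.Sum256(artifact)
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://slsa.dev/provenance/v0.2",
	}
	st.Predicate.Builder.ID = builderID
	st.Predicate.BuildType = "https://example.com/hosted-build/v1"
	return st
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed package contents") // stands in for a downloaded tarball
	env, _ := Sign(priv, NewProvenance("example-lib-1.2.3.tar.gz", pkg, "https://example.com/builder"))
	fmt.Println("genuine:", Verify(pub, env, pkg, "https://example.com/builder"))
	fmt.Println("tampered:", Verify(pub, env, append([]byte("x"), pkg...), "https://example.com/builder"))
}
```

The order of checks matters: the signature is verified before the JSON is parsed, so an attacker who can substitute a package cannot also feed the verifier an unsigned statement of their own choosing, and the digest comparison is against the bytes actually downloaded, not against a name or version string that the registry reports.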

"Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on," said a Google blog post.

Supply chain attacks are a common tool for cyber criminals, and many incidents begin with attackers exploiting newly disclosed vulnerabilities in widely used components. Even once a security patch is available, organisations can be slow to roll it out, leaving them exposed to attackers in the meantime.

With the new offering, Google Cloud hopes to make managing open-source and supply chain vulnerabilities easier – therefore helping organisations of all sizes stay secure against cyberattacks.

"It's a way for every customer – it could be a two-person shop to a 100,000 employee bank – who leverages or builds code to rely on a curated set of open source packages that Google themselves have invested in to protect our own developers over many years, that we're now bringing to market in the form of this Assured Open Source package," said Potti.
