Google has a plan to secure software supply chains • The Register


Google has a plan — and a new product plus a partnership with developer-focused security store Snyk — that tries to make it easier for companies to secure their open-source software dependencies.

The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We’re told it will initially focus on certain Java and Python packages that Google’s own developers prioritize in their workflows.

Both of these programming languages ​​have “particularly high-risk profiles,” said Sunil Potti, vice president and general manager of Google Cloud Cloud, in response to The register‘s questions. “Do you remember Log4j?” Yes, quite strongly.

The cloud giant plans to add more packages each quarter, prioritizing support for new packages and languages ​​requested by its customers, and a preview of the service will be available later this year.

All packages curated by the Assured OSS service will be regularly scanned, analyzed and fuzz-tested for vulnerabilities. Additionally, they have corresponding rich metadata incorporating Container/Artifact Analysis data and are built with cloud buildingwhich verifies that the code conforms to the SLSA standard (Supply chain Levels for Software Artifacts) – this is Google’s framework for ensuring the integrity of software artifacts throughout the software supply chain.

SLSA is based on its internal Binary authorization for Borgthat Googlers have been using for nearly a decade and is required for all production workloads in the company.

Additionally, Assured OSS packages will be signed by Google and distributed from a Google-managed vendor. Artifact Registry.

The new service is based on internal tools and best practices that Google has “invested heavily” in over the past few years to secure its own open source software dependencies, Potti told reporters at a press conference.

“We need to have a scalable way to make sure certain aspects of the code have been validated before it even enters the pipeline,” he said.

For example: fuzz testing is one such area that Google has injected significant dollars and engineering into, he added. It is an automated software testing technique that scans for vulnerabilities by randomly injecting invalid or unexpected inputs into a system to find coding errors.

Google claims to constantly fuzz 550 of the most commonly used open source projects. In January, he found more than 36,000 vulnerabilities by fuzzing.

With Assured OSS, the cloud company has taken these internally developed technologies and processes “and we’ve integrated them into a turnkey offering,” Potti said. “A company points its open source repository to Google’s Assured Open Source repository,” and the new security service does all the scanning, patching and other heavy lifting, he claimed.

“This is an industry-first offering to get ahead of digital supply chain issues,” Potti said, adding that “we fundamentally believe the digital supply chain is going to be as big or bigger.” greater than the physical supply chain” challenges businesses are currently facing. , including the shortage of chips.

As proof, Google sites the open source software analysis company Sonatype, which reported a 650% increase year over year in cyberattacks targeting open source software vendors from 2020 to 2021. And 84% of commercial codebases have open source software vulnerabilities, according to Synopsis.

Snyk becomes first Assured OSS Partner

“We’re not just doing it on our own, but we’ll be doing it with a variety of partners,” Potti added, noting that Snyk is the first such partner. This collaboration will see Assured OSS natively integrated into Snyk’s software for joint customers to use when developing code.

As Snyk’s software finds vulnerabilities, Google Cloud will recommend fixes for those bugs earlier in the development lifecycle with the goal of finding and fixing them before they hit an environment. of production.

Google’s new service follows several other recent efforts announced by the cloud giant to improve supply chain security.

Last week, following a White House meeting on open source software security, Google and a handful of other big tech companies announced a commitment of more than $30 million to implement a plan. aimed at improving the security of the open source software supply chain.

In addition to funding, Google announcement its “Open Source Maintenance Team”. This dedicated team of Google engineers will work with upstream maintainers to improve the security of open source projects. ®


Comments are closed.