Growing risk from open-source software dependencies triggers Google to release its Assured Open Source Software at no cost


According to a 2023 study by Synopsys, 84% of open source codebases contained at least one known vulnerability, and 48% contained a high-risk vulnerability.

Google launched Assured OSS in May 2022 as a response to the rapid growth in cyberattacks aimed at open source suppliers. According to industry sources, a 650% surge in software supply chain attacks took place in 2021, when the use of Open Source Software increased dramatically. Google positioned itself as a "long time contributor, maintainer, user of open source software" and has "developed a robust set of technology, processes, security capabilities and controls" to protect the integrity of OSS.

OSS proliferation, increasing reliance on microservices and cloud data services, the multilayered aspect of cyberattacks and gaps in standardization are just some of the reasons that made Open Source Software a ripe target for cyberattacks. In response to these threats, Google Cloud will be making its Assured Open Source Software service for Java and Python ecosystems available at no cost. The Assured OSS gives organizations access to Google-vetted codebase packages that Google uses in its workflow.

This move comes on the back of Google's decision to offer its Project Shield DDoS defense to government sites, news outlets, and independent journalists in response to the rise in politically motivated DDoS attacks.

Google's Assured OSS environment regularly scans, analyses and fuzz tests code packages (feeding them invalid, random or unexpected input to expose irregular behaviour) in order to identify vulnerabilities. The packages also ship with enriched metadata that incorporates Container/Artifact Analysis data. This gives developers access to details about a package's dependencies, licensing and other attributes that help them understand its contents and how it relates to the other software components in a larger system, and the same metadata can be used to identify security vulnerabilities in the code.
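To make the fuzz-testing idea concrete, here is a small added illustration that is not part of the article or of Google's Assured OSS tooling. It contains a deliberately fragile toy record parser, a mutation-based fuzzer that feeds it random, truncated and corrupted variants of a valid input, and a hardened version of the parser that the same fuzzer cannot crash. The record format, the parser and the seed input are all constructed for this example.

```python
import random

# Constructed seed input for the toy format [type][length][payload][checksum]:
# type 1, length 3, payload b"abc", checksum (97 + 98 + 99) & 0xFF = 0x26.
SEED = b"\x01\x03abc\x26"


def parse_record(data: bytes) -> dict:
    """Toy parser with a deliberate bug: it trusts the declared length field."""
    if len(data) < 2:
        raise ValueError("record too short")
    rtype = data[0]
    length = data[1]
    payload = data[2:2 + length]
    # Bug: no check that the buffer actually holds `length` bytes plus a checksum,
    # so a declared length larger than the buffer raises IndexError here.
    if data[2 + length] != sum(payload) & 0xFF:
        raise ValueError("checksum mismatch")
    return {"type": rtype, "payload": bytes(payload)}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened parser: the length field must agree with the buffer size."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[1]
    if len(data) != 2 + length + 1:
        raise ValueError("length field disagrees with buffer size")
    payload = data[2:2 + length]
    if data[2 + length] != sum(payload) & 0xFF:
        raise ValueError("checksum mismatch")
    return {"type": data[0], "payload": bytes(payload)}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Produce one invalid, random or unexpected variant of `data`."""
    buf = bytearray(data)
    strategy = rng.randrange(4)
    if strategy == 0 and buf:                      # overwrite one random byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif strategy == 1:                            # truncate
        buf = buf[:rng.randrange(len(buf) + 1)]
    elif strategy == 2:                            # append random bytes
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:                                          # fully random short buffer
        buf = bytearray(rng.randrange(256) for _ in range(rng.randrange(0, 12)))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run `parser` over mutated inputs; return {exception name: first crashing input}.

    ValueError is the parser's documented rejection of bad input, so it is not a
    finding; any other exception is an irregular behaviour worth investigating.
    """
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - a fuzzer wants every crash type
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    print("buggy parser findings:", fuzz(parse_record, SEED))
    print("fixed parser findings:", fuzz(parse_record_fixed, SEED))
```

Running the script shows the buggy parser failing with an unexpected IndexError on inputs whose length byte exceeds the buffer, while the hardened parser only ever raises its documented ValueError. Real fuzzers (coverage-guided ones in particular) are far more sophisticated, but the loop above is the essence of what the article describes.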

Google also verifiably signs these code packages, and they are distributed from an artifact registry secured and protected by Google, which adds a further layer of security and trust in the dependencies being used. Securing codebases means addressing potential points of entry for attackers as well as identifying unexpected weaknesses.

Google's Assured OSS program provides organizations with a trusted source for open source software (OSS) packages, including a software bill of materials (SBOM) that details each package's contents. The program focuses specifically on 1,000 Java and Python packages and aims to simplify the process of securing OSS for DevOps teams by reducing the need for them to establish their own security workflows.
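The two preceding paragraphs describe signed packages served from a protected registry and an SBOM listing each package's contents. The following added example (not code from the article or from Google's Assured OSS service) shows what a consumer can do with such metadata: check a downloaded artifact against the digest recorded in the SBOM, flag components whose digest is missing, and match component versions against an advisory list. The SBOM loosely follows CycloneDX field names, and the artifact bytes, package names and advisory identifiers are all constructed placeholders, not real packages or CVEs. It checks a digest rather than a cryptographic signature, which is the integrity half of what the registry's signing provides.

```python
import hashlib
import json

# Constructed artifact bytes standing in for a downloaded package.
ARTIFACT = b"example-parser-1.2.3 package contents (constructed)"
TAMPERED = ARTIFACT + b"\x00"  # one extra byte, as a tampering stand-in

# Constructed SBOM. The SHA-256 is computed from the bytes above so the
# document and the artifact agree; a real SBOM would carry the publisher's value.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-parser", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(ARTIFACT).hexdigest()}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-http", "version": "0.9.1",
         "hashes": [],  # publisher recorded no digest
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-http", "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-parser", "fixed_in": "1.2.0"},
]


def parse_version(v: str) -> tuple:
    """Simplistic dotted-integer version parser; enough for the sample data."""
    return tuple(int(p) for p in v.split("."))


def components(sbom_json: str) -> list:
    return json.loads(sbom_json)["components"]


def verify_digest(component: dict, artifact_bytes: bytes) -> bool:
    """True only if the component records a SHA-256 and it matches the bytes."""
    for h in component.get("hashes", []):
        if h["alg"] == "SHA-256":
            return hashlib.sha256(artifact_bytes).hexdigest() == h["content"]
    return False  # no digest recorded: cannot verify, so fail closed


def unverifiable(sbom_json: str) -> list:
    """Names of components whose SBOM entry carries no SHA-256 digest."""
    return [c["name"] for c in components(sbom_json)
            if not any(h["alg"] == "SHA-256" for h in c.get("hashes", []))]


def find_affected(sbom_json: str, advisories: list) -> list:
    """(name, version, advisory id) for components below an advisory's fix version."""
    affected = []
    for c in components(sbom_json):
        for adv in advisories:
            if (adv["package"] == c["name"]
                    and parse_version(c["version"]) < parse_version(adv["fixed_in"])):
                affected.append((c["name"], c["version"], adv["id"]))
    return affected


if __name__ == "__main__":
    parser_component = components(SBOM_JSON)[0]
    print("digest ok:", verify_digest(parser_component, ARTIFACT))
    print("tampered ok:", verify_digest(parser_component, TAMPERED))
    print("unverifiable:", unverifiable(SBOM_JSON))
    print("affected:", find_affected(SBOM_JSON, ADVISORIES))
```

The version comparison is deliberately naive (pre-release tags and ecosystem-specific ordering are ignored), and the point of the fail-closed digest check is that a component without a recorded hash should be treated as unverified rather than silently accepted.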

By using advanced security testing methods such as fuzz testing and metadata analysis, Google is able to provide assurance that the packages in the program have undergone rigorous security checks. This approach could be a sign of things to come in the software industry, particularly for companies in highly regulated industries, as security testing of dependencies becomes increasingly important. Overall, the Assured OSS program helps to ensure that organizations can trust the OSS packages they use in their software products.

Google has strict criteria for determining which packages meet their standards, and for those that do, they are essentially vouching for their quality and security by making them available through their program. In addition, Google provides evidence of the extensive vetting process that these packages undergo, which helps to instill confidence in developers and users who rely on these components. By endorsing these packages and providing proof of their efforts, Google is helping to raise the overall level of trust and security in the open source community.
