Google To Start Distributing Secured Open-Source Software Libraries

Oct 3, 2022

Today, Google launches a new security service. The initiative aims to secure the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers.

The new service, introduced in a blog post, is branded Assured Open Source Software. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, highlighted some of the challenges of securing open-source software and stressed Google’s continuing commitment to securing open source.

In the blog post, Chang wrote that “There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks.” Chang cites last year’s major vulnerability in log4j as an example. He further wrote that “Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open-source software ecosystem more secure.”

Google has disclosed that the Assured Open Source Software service will give enterprise and government users access to the same vetted open-source packages that Google itself uses in its projects. According to the company, these packages are regularly scanned, analyzed, and fuzz-tested for vulnerabilities, and are built with Google Cloud’s Cloud Build service with evidence of SLSA compliance (SLSA is ‘Supply-chain Levels for Software Artifacts,’ a framework for safeguarding artifact integrity across software supply chains).
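As an added illustration, not code from Google or from the Assured OSS service, the check a consumer would run on a package that ships with SLSA provenance: confirm that the downloaded artifact’s digest appears among the statement’s subjects and that the builder is one you trust. The `_type`, `predicateType`, `subject` and `predicate.builder.id` fields are the public in-toto/SLSA v0.2 names; the builder id, build type and artifact bytes are constructed placeholders.

```python
import hashlib
import hmac
import json

# Placeholder builder identity (constructed, not a real Google Cloud Build id).
TRUSTED_BUILDER = "https://example.com/builders/hosted-builder@v1"

# Constructed artifact bytes standing in for a downloaded package.
ARTIFACT = b"constructed package contents for the demo"

# Constructed in-toto Statement carrying SLSA v0.2 provenance for that artifact.
# In practice this is extracted from a DSSE envelope whose signature has already
# been verified; signature checking is out of scope for this snippet.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "examplepkg-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {"builder": {"id": TRUSTED_BUILDER},
                  "buildType": "https://example.com/buildtypes/demo@v1"},
})


def verify_provenance(artifact, statement_json, trusted_builders):
    """Return (ok, reason). ok is True only when the artifact's sha256 is listed
    as a subject of a SLSA provenance statement produced by a trusted builder."""
    st = json.loads(statement_json)
    if st.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False, "not an in-toto statement"
    if st.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False, "unexpected predicate type"
    actual = hashlib.sha256(artifact).hexdigest()
    # Digest match: the provenance must describe exactly this artifact.
    listed = [s.get("digest", {}).get("sha256", "") for s in st.get("subject", [])]
    if not any(hmac.compare_digest(actual, d) for d in listed):
        return False, "artifact digest not among provenance subjects"
    # Builder match: provenance from an unknown builder proves nothing.
    builder = st.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, "untrusted builder: %r" % (builder,)
    return True, "ok"


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, PROVENANCE, {TRUSTED_BUILDER}))
    print(verify_provenance(b"tampered bytes", PROVENANCE, {TRUSTED_BUILDER}))
```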

A list of the 550 major open-source libraries reviewed by Google is available on GitHub, and the list will continue to be reviewed. While these libraries can all be downloaded independently, the Assured OSS program will distribute audited versions through Google Cloud — to mitigate incidents where developers intentionally or unintentionally corrupt widely used open-source libraries. At the moment, the service remains in early access and is expected to be available to a wider range of customers for testing by Q3 2022.

The announcement comes at a time of a broad industry drive to improve the security of the open-source software supply chain, a drive that has also enjoyed the support of the Biden administration.

Earlier in 2022, a handful of the nation’s largest tech companies met with representatives of US federal agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. The meeting focused on open-source software security in the wake of the log4j bug. A recent meeting of the companies involved also resulted in a pledge of more than $30 million in funding to boost open-source software security. Aside from providing funds, Google has also committed engineering hours to securing the supply chain. Google recently announced the formation of an “Open Source Maintenance Crew” that will work with the maintainers of popular libraries to improve their security.
