The OSS service is being offered for free to Java and Python developers.
In a move to improve the security of the most widely used open-source software, Google Cloud this week announced that it is making its Assured Open Source Software service generally available for Java and Python ecosystems.
Andy Chang, Google’s Group Product Manager for Security & Privacy, detailed the new initiative in a blog post. “Available today at no cost, Assured OSS gives any organization that uses open source software the opportunity to leverage the security and experience Google applies to open source dependencies by incorporating the same OSS packages that Google secures and uses into their own developer workflows”, he writes.
Threats to the software supply chain and to open-source software (OSS) security remain major concerns for organizations building applications and for their developers, Chang notes. He points out that, according to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack, making it the second most common initial infection vector, behind only exploits.
What Assured OSS offers
Using Assured OSS, organizations can obtain their OSS packages from a trusted and known supplier, Chang writes. They can also learn more about what goes into those packages through Assured SBOMs provided in industry-standard formats like SPDX and VEX.
Assured OSS will also help reduce risk, he adds, because “Google is actively scanning, finding, and fixing new vulnerabilities in curated packages”. Developers can thus “increase confidence in the integrity of the ingredients they’re using through signed, tamper-evident provenance”.
Chang goes on to say that the service is available for 1,000 of the most popular Java and Python packages, “including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn”.
“There are significant security benefits to Assured OSS adopters and the larger community from the curation process”, Chang continues. “Since our Assured OSS team curated the first 278 packages, we have been the first to find 48% of the new vulnerabilities (CVE) — each of these CVEs has been fixed and upstreamed”, he adds.