Google Cloud’s open-source security bolstered with Assured OSS general roll-out

Assured OSS

Google Cloud has announced that its Assured Open Source Software (OSS) service is now available for Java and Python ecosystems, taking aim at the security issues surrounding some of the most widely used open-source software.

Following a high level of interest from customers at public previews last year, Google Cloud’s Assured OSS packages are ready from today at no cost to users, and will allow organizations to use the same software that Google uses across its own developer workflows and open-source dependencies.

Organizations can choose from over a thousand of the most popular Java and Python ecosystem packages using a trusted supplier, understand and have confidence in the integrity of their OSS ingredients and reduce overall risk as Google actively scans for vulnerabilities.

Assured OSS guards against risks by continuously mirroring key external ecosystems to manage end-to-end security without creating forks. The integrity of the mirrored repos and end-to-end build tool chain is also managed with tamper-evident provenance. It also continuously scans for, fuzz tests, and fixes critical vulnerabilities and operates a critical patching team to support covered packages.

Following the curation of the first 278 packages, Google Cloud has been the first to find 48 percent of the new vulnerabilities as part of the CVE Program, and fix and upstream them.

Jon Meadows, managing director and Citi Tech Fellow, cyber security at Citi said, “Citi has been an advocate and active leader in the industry’s efforts to secure enterprise software supply chains. Both Citi and Google see untrusted and unverified open-source dependencies as a key risk vector. This is why we’ve been excited to be an early adopter of Google Cloud’s new Assured OSS product. Assured OSS can help reduce risk and protect open-source software components commonly used by enterprises like us.”

Melinda Marks, senior analyst at Enterprise Strategy Group, said, “As organizations increasingly utilize OSS for faster development cycles, they need trusted sources of secure open-source packages.

“Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”