Google Cloud Aims to Share Its Vetted Open-Source Ecosystem

The online giant Google analyzes, patches, and maintains its own versions of open-source software, and now the company plans to give others access to its libraries and components as a subscription.

Developers who want to benefit from Google’s security efforts will soon be able to subscribe to a service that allows developers to use open source components that they know have been vetted and patched for security issues by Google’s developers.

The service, dubbed Assured Open Source Software (OSS), provides versions of popular open-source packages that are scanned frequently, augmented by metadata created by code analysis, and comply with the nascent Supply chain Levels for Software Artifacts (SLSA) framework, and are signed by Google. 

In many ways, the service is similar to the curated Linux distributions maintained by companies such as Red Hat and Ubuntu, says Eric Brewer, vice president of infrastructure for Google Cloud and a Google Fellow.

“The idea of having a curated version is not new per se, but it is just more important than ever,” he says. “Plus, we wanted to show that it is important to actually do the provenance, do the metadata, do the scanning, do the fuzzing, build it from the source — and sign it. That’s the right way to do it.”

The announcement of the new service comes a week after the Linux Foundation and the Open source Software Security Foundation, along with the support of nearly 40 companies, released a plan for securing open-source software. That effort is focused on 10 separate initiatives in three broad areas: securing open source production, improving vulnerability discovery and remediation, and speeding patch cadence.

While Google is a major sponsor of the effort and has provided technology and specifications for a myriad of security-focused efforts — such as Security ScorecardsAllStars, and the Alpha Omega Project — Assured OSS will eventually be a paid, commercial service, Brewer says.

“Last week was about the community focus,” Brewer says. “But you … [also] need a lot of private investment from many different companies to make these things better, easier to use, and you also need — especially for the critical core stuff — you need a lot of industry cooperation.”

Scanning, Fuzzing and Checking on 100K Cores
While most companies maintain their own package management system as a private repository, Google’s level of vetting and security testing is significant when looking at the numbers.

The company has an end-to-end process that includes continuous fuzzing of more than 500 of the most popular packages, using a massive infrastructure based on 100,000 processor cores, Google stated in a blog post announcing the Assured OSS service. The company also provides software bill of materials (SBOM) and supply chain integrity checking through the SLSA framework.

The Assured OSS framework will also natively integrate with software-security analytics firm Snyk.

“We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program,” Google Cloud stated in its blog post. “Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources.” Read more:

You can also read this: Are You Investing in Securing Your Data in the Cloud?

Leave a Reply

Your email address will not be published. Required fields are marked *