Google Unveils Service to Secure Open-Source Dependencies
Assured Open Source Software Ensures Software Is Fuzz-Tested for Vulnerabilities

Google plans to offer customers access to the same technology it uses to lock down developer workflows to ensure open-source dependencies are adequately safeguarded.
The Mountain View, California-based public cloud giant says Assured Open Source Software will allow enterprises and public sector clients to ensure third-party software they're using is scanned, analyzed and fuzz-tested for vulnerabilities. Assured OSS is expected to enter preview next quarter and will allow clients to tap into Google Cloud's managed service to secure open-source software in their environment (see: A $150 Million Plan to Secure Open-Source Software).
"We have taken a real hard look at how to get ahead of any digital supply chain problems so that we are not in the same position that we are in today on the physical supply chain," Google Cloud Vice President and General Manager Sunil Potti said during a press conference Monday. "We fundamentally believe the digital supply chain is going to be as big or bigger than the physical supply chain."
Open-Source Security for the Masses
Assured OSS allows customers of all sizes to rely on the technology that Google itself has invested in to protect its own developers, which Potti says features capabilities such as continuous fuzz testing, deep static code analysis and built-in remediation. Securing open-source software is vital to protecting the software supply chain since nearly every company on the planet is exposed to open-source software.
"Essentially, what we've done is found a way to package it in a much more enterprise-consumable fashion," Potti says. "We believe we are the industry's first player to actually productize this in the mainstream market … This is an industry-first offering to get ahead of digital supply chain problems."
Google has for many years had a core team responsible for open-source software rather than leaving it to different functional areas within the company. Potti says one of the team's responsibilities has been implementing a series of secure best practices around the open-source repository it maintains, such as next-generation fuzz testing and static code analysis for Java, Python, C and C++.
Potti says the company needed to find a scalable way to ensure that code hadn't been tampered with, given that Google doesn't play any part in building 95% of open-source libraries. Google has also invested heavily in understanding dependencies to ensure the company is able to trace dependencies across open-source packages, identify the weakest link and determine whether or not it is suspect, Potti says.
"The hardest problem with open source is that there is no one single open-source package," Potti says. "It's actually a complex network of dependencies."
If the weakest link is suspect, Potti says, Google is able to follow the dependency all the way back up the tree and say everything it touched is also suspect. That is then built into a proper vulnerability database that can either feed into an upstream CI/CD pipeline vendor or a customer's homebuilt ecosystem, Potti says.
More Programming Languages on the Way
From day one, Assured OSS will target a certain set of core programming languages that are either heavily used or carry a high-risk profile. For instance, Potti says C++ has a low-risk profile given the constructs in place even though it's heavily used, while Java and Python have an extremely high-risk profile, as demonstrated by the Log4j zero-day vulnerability.
Assured OSS was developed as a simple service API that an enterprise can purchase and then log into and authenticate, Potti says. The service has self-support features as well as an enterprise support mechanism built in to ensure any issues customers are having with the OSS packages are promptly addressed, he says.
"What we have done is package technologies, processes and best practices into a turnkey offering," Potti says. "Hopefully, in six months, 12 months or 18 months, we can get to a significant piece of every enterprise's open-source repository."
Google plans to offer a native integration between Assured OSS and fast-growing application security vendor Snyk to reduce the possibility of deploying open-source software with critical vulnerabilities and more quickly identify the impact of any vulnerabilities. Snyk vulnerabilities, triggering actions, and remediation recommendations will become available to joint customers within Google Cloud security.
Potti says Google decided to collaborate with Snyk due to the presence it has upstream in the CI/CD pipeline, ensuring that vulnerability scans and remediation issues can be taken care of with a single click. The company plans to extend the same level of interoperability to Google infrastructure, third-party tools or GitHub repositories, according to Potti.
"If you're using GCP as an environment, then the integrations become much more seamless and much more tightly coupled, and there's a tight loop from our runtime back into our open-source vulnerability management," Potti says. "At the same time, like the example we talked about with Snyk, we'll also be interoperating with any of the customer's choice of tools for the development."
Putting Open-Source Security Front and Center
Google last week announced it is setting up a team to improve the security of critical open-source projects. The team, dubbed Open Source Maintenance Crew, will comprise Google engineers who will work with upstream maintainers to fulfil the goal, the company revealed at the Open Source Software Security Summit II in Washington, D.C.
The Open Source Maintenance Crew will help the company address the issue of "limited time," which is one of the most prominent issues for open-source maintainers at the company, who contribute to "tens of thousands" of open-source repositories each year. The new, dedicated team is expected to help eliminate the security risks that come with under-maintained, critical open-source components.
Google also recently unveiled another project - Google Cloud Datasets from Open Source Insights - to help developers better understand the structure and security of the software they use.
Google Cloud Datasets "provides access to critical software supply chain information for developers, maintainers and consumers of open-source software," Google says in a blog post. Open Source Insights shows companies a "dependency graph" that allows them to determine "whether a vulnerability in a dependency might affect your code," its website says.
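The dependency walk Potti describes above (follow a suspect package back up the tree, mark everything it touched as suspect, and feed the result into a vulnerability database a CI/CD pipeline can consume) and the question a dependency graph such as Open Source Insights answers ("might a vulnerability in a dependency affect your code?") both reduce to reverse reachability in a package graph. The following is an added example written for this page; it is not code from Google, Assured OSS or Open Source Insights, and the package names, the `DEPENDENCIES` graph and the advisory identifier are constructed for illustration.

```python
# Added example: propagating suspicion through a dependency graph.
# Not Google's code; the graph and identifiers below are constructed.
from collections import deque

# Constructed sample: package -> direct dependencies (edges point downward).
DEPENDENCIES = {
    "my-service": ["web-framework", "logging-lib"],
    "web-framework": ["http-parser", "logging-lib"],
    "logging-lib": ["json-util"],
    "http-parser": [],
    "json-util": [],
    "cli-tool": ["http-parser"],
}


def reverse_graph(deps):
    """Invert the edges so the walk can go from a dependency up to its dependents."""
    rev = {pkg: set() for pkg in deps}
    for pkg, children in deps.items():
        for child in children:
            rev.setdefault(child, set()).add(pkg)
    return rev


def transitively_affected(deps, suspect):
    """Every package that reaches `suspect` through any chain of dependencies.

    Breadth-first over the reversed graph; the `seen` set keeps the walk
    finite even when the dependency data contains cycles.
    """
    rev = reverse_graph(deps)
    seen = set()
    queue = deque([suspect])
    while queue:
        current = queue.popleft()
        for parent in rev.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def dependency_paths(deps, root, suspect):
    """All chains root -> ... -> suspect; each is a place where a pin or replacement fixes the exposure."""
    paths = []

    def walk(node, path):
        if node == suspect:
            paths.append(path)
            return
        for child in deps.get(node, ()):
            if child not in path:  # guard against cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def advisory(deps, suspect, vuln_id):
    """A minimal advisory record of the kind an upstream CI/CD pipeline could consume."""
    affected = transitively_affected(deps, suspect)
    return {
        "id": vuln_id,  # placeholder identifier, not a real advisory
        "package": suspect,
        "affected": sorted(affected),
        "paths": {pkg: dependency_paths(deps, pkg, suspect) for pkg in sorted(affected)},
    }


if __name__ == "__main__":
    import json
    # A flaw in json-util taints logging-lib, web-framework and my-service, but not cli-tool.
    print(json.dumps(advisory(DEPENDENCIES, "json-util", "EXAMPLE-0001"), indent=2))
```

The reverse walk is what turns a single bad package into a list of every consumer that needs attention; the forward path listing is what tells each consumer where in its tree the fix has to land, since a package may pull the same suspect dependency in through several routes.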
The company will also improve its OSS-Fuzz service for open-source developers, which has helped researchers spot more than 2,300 vulnerabilities in about 500 projects over the past year.
Google has been heavily investing in expanding the scope of fuzzing by adding support for new languages, such as Java and Swift, and by developing bug detectors to find issues such as Log4shell.