Service crew

Google unveils service to secure open source dependencies

Third-party risk management, Application security, Governance and risk management

Assured Open Source Software guarantees that the software is fuzz-tested for vulnerabilities

Michael Novinson (Michael Novinson), Brian Pereira (digital_belief) •
May 17, 2022

Source: Google

Google plans to offer customers access to the same technology it uses to lock down developer workflows to ensure open source dependencies are properly protected.



The Mountain View, Calif.-based public cloud giant says Assured Open Source Software will enable enterprise and public sector customers to ensure the third-party software they use is scanned, analyzed and fuzz-tested to detect vulnerabilities. Assured OSS is expected to enter preview next quarter and will allow customers to use Google Cloud’s managed service to secure the open source software in their environments (see: A $150 million plan to secure open source software).


“We looked very closely at how to anticipate any digital supply chain issues so that we are not in the same position we are in today on the physical supply chain,” Sunil Potti, vice president and general manager of Google Cloud, said at a press conference on Monday. “We fundamentally believe that the digital supply chain will be as big or bigger than the physical supply chain.”


Open-source security for the masses


Assured OSS allows customers of all sizes to rely on technology that Google itself has invested in to protect its own developers, which Potti says offers features such as continuous fuzz testing, deep static code analysis and built-in remediation. Securing open source software is critical to protecting the software supply chain because nearly every business on the planet depends on open source software.


“Essentially what we’ve done is figure out a way to package it in a way that’s much more company-consumable,” Potti says. “We believe we’re the first player in the industry to actually bring this to the consumer market… This is an industry-first offering to get ahead of digital supply chain issues.”


Google has for many years had a central team responsible for open source software rather than leaving it to different functional areas within the company. Potti says one of the team’s responsibilities has been to implement a series of security best practices around the open source repository it manages, such as applying next-gen fuzz testing and static code analysis to Java, Python, C and C++ code.


Potti says the company needed to find a scalable way to ensure the code hadn’t been tampered with, since Google has no role in building 95% of open source libraries. Google has also invested heavily in understanding dependencies, Potti explains, so that the company is able to trace the dependencies between open source packages, identify the weakest link and determine whether or not it is suspicious.


“The hardest problem with open source is that there isn’t just one open source package,” says Potti. “It’s actually a complex web of dependencies.”


If the weakest link is suspicious, Potti says, Google is able to follow the dependency all the way up the tree and flag everything it touched as suspicious as well. This is then fed into an appropriate vulnerability database, which can in turn feed an upstream CI/CD pipeline vendor or a customer’s home-built ecosystem, Potti says.
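The “follow the dependency all the way up the tree” step is a reverse walk over the dependency graph: start at the suspicious package and collect every package that transitively depends on it, keeping the chain as evidence for the finding. The example below is added here to illustrate that step; it is not Google’s code, and the package names, graph and advisory identifier are constructed sample data.

```python
"""Transitive propagation of a "suspicious" flag over a dependency graph.

Added example, not Google's or Assured OSS's code. Package names, the graph
and the advisory id are constructed sample data.
"""
from collections import deque

# Constructed sample graph: each key depends directly on the listed packages.
SAMPLE_DEPS = {
    "my-service": ["web-framework", "log-lib"],
    "web-framework": ["http-parser", "json-lib"],
    "http-parser": ["string-utils"],
    "json-lib": ["string-utils"],
    "log-lib": [],
    "string-utils": [],
    "unrelated-tool": ["json-lib"],
}


def reverse_graph(deps):
    """Invert edge direction: dependency -> set of packages that depend on it."""
    rev = {pkg: set() for pkg in deps}
    for pkg, direct in deps.items():
        for dep in direct:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def taint_dependents(deps, suspicious):
    """Return {package: path} for every package that transitively depends on
    `suspicious`. `path` is the chain from the suspicious package up to the
    affected one, i.e. the evidence for the finding. Cycles are tolerated via
    the `seen` set; breadth-first order means each path is a shortest chain."""
    rev = reverse_graph(deps)
    if suspicious not in rev:
        raise KeyError(f"unknown package: {suspicious}")
    affected = {}
    seen = {suspicious}
    queue = deque([(suspicious, [suspicious])])
    while queue:
        node, path = queue.popleft()
        # Sorted iteration keeps the walk deterministic across runs.
        for parent in sorted(rev.get(node, ())):
            if parent in seen:
                continue
            seen.add(parent)
            affected[parent] = path + [parent]
            queue.append((parent, affected[parent]))
    return affected


def findings(deps, suspicious, advisory_id="EXAMPLE-ADVISORY-0001"):
    """Flatten the propagation result into records a vulnerability database
    or CI/CD pipeline could consume (advisory id is a placeholder)."""
    records = []
    for pkg, path in sorted(taint_dependents(deps, suspicious).items()):
        records.append({
            "package": pkg,
            "advisory": advisory_id,
            "via": " -> ".join(path),
            "depth": len(path) - 1,
        })
    return records


def direct_dependents(deps, suspicious):
    """Only the immediate consumers; useful to compare with the transitive set."""
    return sorted(reverse_graph(deps).get(suspicious, ()))


if __name__ == "__main__":
    for record in findings(SAMPLE_DEPS, "string-utils"):
        print(record)
```

Running the block flags five of the seven sample packages because of a single suspicious leaf, while only two depend on it directly, which is the point of walking the whole graph rather than checking first-level dependencies.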


More programming languages on the way


From day one, Assured OSS will target a certain set of core programming languages that are either heavily used or have a high risk profile. For example, Potti says that C++ has a low risk profile given the build controls in place, even though it is heavily used, while Java and Python have an extremely high risk profile, as demonstrated by the Log4j zero-day vulnerability.


Assured OSS was developed as a simple service API that a company can purchase, then log in to and authenticate against, Potti explains. The service has self-help features as well as a built-in enterprise support mechanism to ensure that any issues customers encounter with OSS packages are quickly resolved, he says.


“What we’ve done is bundle technologies, processes, and best practices into a turnkey offering,” says Potti. “Hopefully in six months, 12 months, or 18 months, we will be able to access a significant portion of each company’s open source repository.”


Google plans to offer native integration between Assured OSS and fast-growing application security vendor Snyk to reduce the likelihood of deploying open source software with critical vulnerabilities and to identify the impact of any vulnerabilities more quickly. Snyk vulnerability findings, triggered actions and remediation recommendations will be available to joint customers as part of Google Cloud Security.


Potti explains that Google decided to work with Snyk because of its upstream presence in the CI/CD pipeline, ensuring that vulnerability scans and remediation issues can be resolved with a single click. The company plans to extend the same level of interoperability to Google infrastructure, third-party tools and GitHub repositories, according to Potti.


“If you’re using GCP as your environment, the integrations become a lot more seamless and a lot more tightly coupled, and there’s a tight loop between our runtime environment and our open source vulnerability management,” says Potti. “At the same time, like in the example we discussed with Snyk, we will also interoperate with any development tools the customer chooses.”


Put open source security first


Google announced last week that it was setting up a team to improve the security of critical open source projects. The team, dubbed the Open Source Maintenance Crew, will include Google engineers who will work with upstream maintainers to achieve that goal, the company revealed at the Open Source Software Security Summit II in Washington, DC.


The Open Source Maintenance Crew will help address the “limited time” problem, which is one of the most pressing problems for open source maintainers, who contribute to “tens of thousands” of open source repositories each year. The new dedicated team should help eliminate security risks related to under-maintained critical open source components.


Google also recently unveiled another project – Google Cloud Datasets from Open Source Insights – to help developers better understand the structure and security of the software they use.


Google Cloud Datasets “provides access to critical software supply chain information for developers, maintainers, and consumers of open source software,” Google explains in a blog post. Open Source Insights shows companies a “dependency graph” that helps them determine “if a vulnerability in a dependency could affect your code,” its website says.


The company will also improve its OSS-Fuzz service for open source developers, which has helped researchers find more than 2,300 vulnerabilities in about 500 projects over the past year.


Google has invested heavily in expanding the scope of fuzzing by adding support for new languages, such as Java and Swift, and developing bug detectors to find issues such as Log4Shell.