
Google to launch repository service with security-tested versions of open-source software packages


Developers across the enterprise space are concerned about the security of the open-source software supply chain which they heavily depend on for their application development. In response, Google plans to make its own security-hardened internal open-source component repository available as a new paid service called Assured Open Source Software (Assured OSS).

The service will contain common open-source packages that have been built from source code after the provenance of the code and of its dependencies has been vetted and the code has been reviewed and tested for vulnerabilities. The resulting packages will carry rich metadata that is compliant with the new Supply-chain Levels for Software Artifacts (SLSA) framework and will be digitally signed by Google.

According to Eric Brewer, Google Cloud’s vice president of infrastructure, the company already maintains its own internal security-tested versions of many open-source packages for its own software development pipeline, so the basics for the new service were already there.

Announced today, the new service will only be available to select customers for early access testing and is expected to enter a public preview stage in Q3 2022. Pricing is not yet decided, though it will be a paid service to offload the infrastructure costs associated with building and hosting the packages as well as the security testing, which includes automated fuzz-testing with over 100,000 cores.

The service will start out with a collection of around 500 Java and Python packages that Google uses, but it will be expanded in the future to cover other programming languages. Customers will also be able to submit any open-source packages they rely on to be added and managed through the repository and receive the same security assurance treatment as the existing ones.

Maintaining local software components not easy

Google’s approach is what all organizations that develop software should already be doing to address some of the supply-chain risks: maintain local copies of the components they use in their own repositories instead of pulling them directly from the public repositories. This gives them a buffer in case one of the packages or its dependencies is compromised and poisoned with malicious code.
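The two ideas above, packages accepted only after review and a local repository that acts as a buffer against a poisoned upstream, can be reduced to a small admission gate. The following is an added example written for this page; it is not Google's Assured OSS code and not part of the article. The package name, its bytes and the manifest are constructed, and the manifest stands in for the signed metadata (such as SLSA provenance) that a real mirror would consult.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a package that was reviewed and built from
# vetted source, and the digest recorded for it at review time.  In a real
# mirror the digest would come from signed metadata such as SLSA provenance.
VETTED_ARTIFACT = b"contents of example-lib 1.2.0 as built from reviewed source"
VETTED_MANIFEST = {
    "example-lib-1.2.0.tar.gz": hashlib.sha256(VETTED_ARTIFACT).hexdigest(),
}


class ArtifactRejected(Exception):
    """Raised when a fetched artifact may not enter the local repository."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def admit_to_mirror(filename: str, data: bytes, manifest: dict = VETTED_MANIFEST) -> str:
    """Gate for the local repository: accept the artifact only if its digest
    matches the one recorded when the package was vetted.  Returns the digest
    on success so the caller can record or pin it."""
    expected = manifest.get(filename)
    if expected is None:
        # Unknown packages never enter the mirror silently; they go to review first.
        raise ArtifactRejected(f"{filename}: no vetted record; review before mirroring")
    actual = sha256_hex(data)
    # Constant-time comparison is the habit to keep for any digest check.
    if not hmac.compare_digest(actual, expected):
        raise ArtifactRejected(f"{filename}: digest {actual[:12]}... does not match vetted record")
    return actual


def is_admissible(filename: str, data: bytes, manifest: dict = VETTED_MANIFEST) -> bool:
    """Boolean form of the gate for use in a fetch loop."""
    try:
        admit_to_mirror(filename, data, manifest)
        return True
    except ArtifactRejected:
        return False


def pip_requirement(name: str, version: str, digest_hex: str) -> str:
    """Emit a pip hash-checking-mode requirement line so consumers of the mirror
    fail closed if the mirror itself ever serves different bytes."""
    return f"{name}=={version} --hash=sha256:{digest_hex}"


if __name__ == "__main__":
    good = VETTED_ARTIFACT
    # Constructed: a copy whose bytes differ from the reviewed build.
    altered = VETTED_ARTIFACT + b"\n# extra bytes not in the reviewed build"
    digest = admit_to_mirror("example-lib-1.2.0.tar.gz", good)
    print("admitted:", digest[:16], "...")
    print("altered copy admissible?", is_admissible("example-lib-1.2.0.tar.gz", altered))
    print("unknown package admissible?", is_admissible("other-lib-0.1.tar.gz", good))
    print(pip_requirement("example-lib", "1.2.0", digest))
```

The gate rejects both an unreviewed package and a reviewed one whose bytes have changed upstream, which is exactly the window the article's "buffer" is meant to cover. Emitting the vetted digest as a pip `--hash` requirement pushes the same check down to every consumer of the mirror, so a later change in what the mirror serves fails the install rather than passing unnoticed.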

Copyright © 2022 IDG Communications, Inc.
