Google Assured OSS: Cloud Service For Secure Open Source
Google has announced a cloud security product called Assured OSS. Which is short for ‘Assured Open Source Software service’. This new initiative by Google aims to secure the open-source software (OSS) supply chain.
Google says this is because cyber-criminals look for vulnerabilities like Log4j and Spring4shell. Hence creating disruption in key operations. It will evidently help enterprise and public sector users of open-source software.
It will be done by enabling easy incorporation of the same OSS packages that Google uses into their own developer workflows. Therefore results in better security.
How will Assured OSS help?
Firstly, Google says: that these packages curated by the Assured OSS service are regularly scanned and analyzed for vulnerabilities. It is built with Cloud Build including verifiable SLSA-compliance. These are also verifiably signed by Google
Although, According to Google. They continue to be one of the largest maintainers, contributors, and users of open source. Hence the company is deeply involved in helping to make the open-source software ecosystem more secure. This new Google Cloud product is going to bring a revelation.
The image from Google shows many stages of the software supply chain for an open-source dependency. Different enterprises have different entry points to this lifecycle. Some make their own packages while others pull packages from repos that they trust.
Google’s extensive security experience combined with Assured OSS will be quite helpful. Since reducing an organization’s need to develop, maintain, and operate complex processes to secure their open source dependencies is the goal here. You can check further details on google’s blog.
The company also explained the benefits of Assured OSS. It allows enterprises and customers to directly benefit from it. The in-depth, end-to-end security capabilities and practices they apply to their own OSS portfolio by providing access to the same OSS packages that Google depends on.