Google to Distribute a Security-Controlled Collection of Open-Source Software Libraries

Google announced on Tuesday a new initiative aimed at securing its open source software supply chain by managing and distributing a security-controlled collection of open source packages to Google Cloud customers.

The new service, called Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed out some of the challenges of securing open source software and emphasized Google’s commitment to open source.

“The developer community, businesses and governments are increasingly aware of the risks of the software supply chain,” Chang wrote, citing last year’s major log4j vulnerability as an example. “Google remains one of the largest administrators, contributors and users of open source and is deeply involved in making the open source software ecosystem more secure.”

According to Google’s announcement, the Assured Open Source Software service will extend the benefits of Google’s own comprehensive software audit experience to Cloud customers. All open source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.

A list of the 550 open source libraries currently under continuous review by Google is available on GitHub. While these libraries can all be downloaded independently, the controlled versions in the Assured OSS program will be distributed through Google Cloud. The goal is to keep tampered copies of commonly used open source libraries, whether corrupted intentionally or by accident, from reaching downstream developers. The service is currently in early access and is expected to open to wider customer testing in Q3 2022.
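The security benefit of a curated distribution channel only materialises if the build side refuses anything that does not match what was vetted. The block below is an added illustration of that consumer-side gate, not Google's code and not a description of how Assured OSS itself works: each fetched artifact must match a pinned name, version and SHA-256 digest in a lockfile and must have come from the expected curated index host. The host name `assured-oss.example.internal`, the package names and the artifact bytes are constructed for the example; the lockfile digests are computed from those sample bytes so the script runs offline.

```python
"""Integrity gate for third-party packages pulled from a curated mirror.

Added illustration only: not Google's code and not the Assured OSS mechanism.
A build step accepts an artifact only if its name, version and SHA-256 digest
match a pinned lockfile and it was fetched from the expected curated index.
"""
import hashlib
from urllib.parse import urlparse

# Constructed sample artifacts standing in for downloaded package files.
GOOD_BYTES = b"examplelib-1.4.2 wheel contents (constructed sample)"
TAMPERED_BYTES = b"examplelib-1.4.2 wheel contents (constructed sample) + injected code"

# Constructed lockfile. The digest is derived from GOOD_BYTES so the example
# runs offline; a real lockfile records digests at the time a dependency is
# vetted (the same idea as pip's --require-hashes mode).
LOCKFILE = {
    "examplelib": {
        "version": "1.4.2",
        "sha256": hashlib.sha256(GOOD_BYTES).hexdigest(),
    },
}

# Hypothetical curated index host; an assumption for this example.
TRUSTED_INDEX_HOST = "assured-oss.example.internal"


def verify_artifact(name, version, source_url, data,
                    lockfile=LOCKFILE, trusted_host=TRUSTED_INDEX_HOST):
    """Return (ok, reason). Every failure is a hard reject, never a warning."""
    entry = lockfile.get(name)
    if entry is None:
        return False, f"{name}: not in lockfile (unvetted dependency)"
    if entry["version"] != version:
        return False, f"{name}: version {version} differs from pinned {entry['version']}"
    host = urlparse(source_url).hostname
    if host != trusted_host:
        return False, f"{name}: fetched from {host!r}, expected {trusted_host!r}"
    digest = hashlib.sha256(data).hexdigest()
    if digest != entry["sha256"]:
        return False, f"{name}: sha256 mismatch ({digest[:12]}... != {entry['sha256'][:12]}...)"
    return True, f"{name}=={version}: digest and source verified"


def run_checks():
    """Run the gate over four constructed scenarios; returns label -> accepted."""
    trusted = f"https://{TRUSTED_INDEX_HOST}/examplelib-1.4.2.whl"
    cases = {
        # vetted bytes from the curated index: the only case that passes
        "clean": ("examplelib", "1.4.2", trusted, GOOD_BYTES),
        # same name/version/source but modified contents
        "tampered": ("examplelib", "1.4.2", trusted, TAMPERED_BYTES),
        # correct bytes but pulled from an uncontrolled mirror
        "wrong_source": ("examplelib", "1.4.2",
                         "https://mirror.example.org/examplelib-1.4.2.whl", GOOD_BYTES),
        # dependency that was never vetted at all
        "unpinned": ("unvetted-lib", "0.9.0",
                     f"https://{TRUSTED_INDEX_HOST}/unvetted-lib-0.9.0.tgz", b"..."),
    }
    return {label: verify_artifact(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{label:13s} -> {'ACCEPT' if ok else 'REJECT'}")
```

Only the clean case is accepted; a tampered artifact, a correct artifact from an uncontrolled mirror, and a dependency that was never pinned are all rejected outright. Note that a digest check alone does not tell you the vetted version is free of vulnerabilities; it only guarantees you are building from exactly what was reviewed, which is why the scanning side of a curated feed matters as much as the distribution side.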

Google’s announcement comes as part of an industry-wide effort to improve the security of the open source software supply chain, an effort that has also been supported by the Biden administration.

In January, a group of the nation’s largest tech companies met with representatives from federal agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, to discuss open source software security in the wake of the log4j bug. A follow-up meeting of the companies involved has since resulted in a pledge of over $30 million in funding to improve the security of open source software.

In addition to contributing funding, Google also commits engineering hours to keeping the supply chain secure. The company recently announced the creation of an “Open Source Maintenance Team” that would work with the maintainers of popular libraries to improve their security.