Google assuring open-source code to secure software supply chains

Java and Python packages are the first on the list


Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

These two programming languages have "particularly high-risk profiles," Google Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

The cloud giant plans to add more packages each quarter, prioritizing support for new packages and languages that its customers request, and a preview of the service will be available later this year.

All of the packages curated by the Assured OSS service will be regularly scanned, analyzed and fuzz-tested for vulnerabilities. Each package also carries enriched metadata incorporating Container/Artifact Analysis data, and each is built with Cloud Build, which verifies that the build complies with SLSA (Supply-chain Levels for Software Artifacts), the framework Google developed for ensuring the integrity of software artifacts throughout the software supply chain.

SLSA is based on Google's internal Binary Authorization for Borg, which Googlers have used for almost a decade and which is mandatory for all of the company's own production workloads.

Additionally, Assured OSS packages will be signed by Google and distributed from a Google-managed Artifact Registry.
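What a consumer actually does with build provenance of this kind is check it against the artifact it downloaded. The following is an added example, not Google's, Assured OSS's or SLSA's own code: it builds a constructed in-toto Statement carrying a SLSA v0.2 provenance predicate (the generic format the SLSA project defines, not necessarily the exact shape any particular registry serves), then verifies that the statement's subject digest matches the artifact bytes and that the recorded builder identity is the one expected. The artifact bytes, package name, builder id and source URI are all placeholders. It assumes the signature over the statement has already been verified with the publisher's key; the Python standard library has no asymmetric crypto, so that step is out of scope here.

```python
import hashlib
import json

# Constructed stand-in for a downloaded package. A real consumer would hash
# the wheel or jar it fetched from the registry.
ARTIFACT = b"constructed package bytes for the example\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
ARTIFACT_NAME = "example-lib-1.2.3.whl"

# Placeholder builder identity (an assumption): the real value is whatever
# identity the build service writes into its provenance.
EXPECTED_BUILDER = "https://builder.example/hosted-worker"

# Constructed in-toto Statement with a SLSA v0.2 provenance predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER},
        "buildType": "https://builder.example/build-type/v1",
        "invocation": {
            "configSource": {
                "uri": "git+https://example.invalid/example/example-lib",
                "digest": {"sha1": "0" * 40},
            }
        },
    },
}


def verify_provenance(statement, artifact, expected_name, expected_builder):
    """Return a list of failure reasons; an empty list means the artifact is accepted.

    Checks: the envelope is an in-toto Statement, the predicate is SLSA
    provenance, a subject with the expected name exists and its sha256 equals
    the hash of the bytes we actually hold, and the builder id is the expected one.
    Assumes the DSSE signature over the statement has already been verified.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        failures.append("unexpected statement type")
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        failures.append("not a SLSA provenance predicate")

    actual_digest = hashlib.sha256(artifact).hexdigest()
    matched = [s for s in statement.get("subject", []) if s.get("name") == expected_name]
    if not matched:
        failures.append(f"no subject named {expected_name}")
    elif matched[0].get("digest", {}).get("sha256") != actual_digest:
        failures.append("subject digest does not match the artifact")

    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        failures.append(f"built by {builder!r}, expected {expected_builder!r}")
    return failures


def load_statement(text):
    """Parse a provenance statement from its JSON serialisation."""
    return json.loads(text)


if __name__ == "__main__":
    statement = load_statement(json.dumps(PROVENANCE))
    print("genuine artifact:", verify_provenance(statement, ARTIFACT, ARTIFACT_NAME, EXPECTED_BUILDER))
    print("tampered artifact:", verify_provenance(statement, ARTIFACT + b"x", ARTIFACT_NAME, EXPECTED_BUILDER))
```

The important design point is that the digest is recomputed from the bytes you hold, not read from any metadata that travelled with the package: provenance only proves something about an artifact whose hash it names, so a check that does not hash the local file proves nothing.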

The new service is based on internal tools and best-practices that Google has "invested heavily" in over the past several years to secure its own open source software dependencies, Potti told reporters during a press conference. 

"We have to have a scalable way for us to really ensure that certain aspects of the code have been validated even before it goes into the pipeline," he said. 

For example: fuzz testing is one of the areas into which Google has pumped significant dollars and engineering, he added. This is an automated software testing technique that hunts for vulnerabilities by feeding random, invalid or unexpected inputs into a program to find coding errors.

Google claims to continuously fuzz 550 of the most commonly used open source projects. As of January, it has found more than 36,000 vulnerabilities by fuzzing.
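To make the technique concrete, here is an added example that is not Google's or OSS-Fuzz's code: a minimal mutation fuzzer run against a constructed, deliberately buggy type-length-value decoder, alongside a hardened version of the same decoder. The seed inputs are constructed. The fuzzer mutates them (bit flips, overwrites, inserts, deletes, truncation), treats a defined `ValueError` as graceful rejection, and reports the first input that triggers any other exception. Real fuzzers such as libFuzzer are coverage-guided and far faster; this one keeps a small pool of surviving inputs as a crude stand-in for that feedback loop.

```python
import random

# Constructed seed inputs: two well-formed TLV byte strings.
SEED_CORPUS = [b"\x01\x03abc\x02\x01x", b"\x10\x00"]


def parse_tlv_buggy(data):
    """Constructed target with a deliberate bug.

    The loop confirms a tag byte exists but not that its length byte does, so
    an input that ends right after a tag indexes past the end of the buffer.
    """
    records = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]  # IndexError when only the tag byte remains
        records.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records


def parse_tlv_fixed(data):
    """Hardened decoder: every read is bounds-checked and malformed input is
    rejected with a defined error rather than an unexpected exception."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated header at offset {i}")
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError(f"record at offset {i} declares {length} bytes, "
                             f"only {len(data) - i - 2} remain")
        records.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records


def mutate(data, rng):
    """Apply one random mutation: bit flip, byte overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, corpus, iterations=5000, seed=0, pool_limit=64):
    """Mutation fuzzer.

    Returns (crashing_input, exception) for the first unexpected exception the
    target raises, or None if it survives every iteration. ValueError counts as
    the target rejecting bad input properly, not as a crash.
    """
    rng = random.Random(seed)
    pool = list(corpus)
    for _ in range(iterations):
        candidate = mutate(rng.choice(pool), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:  # any other exception is a finding
            return candidate, exc
        if len(pool) < pool_limit:
            pool.append(candidate)  # surviving inputs become new mutation parents
    return None


if __name__ == "__main__":
    finding = fuzz(parse_tlv_buggy, SEED_CORPUS, seed=1)
    print("buggy decoder:", finding)
    print("fixed decoder:", fuzz(parse_tlv_fixed, SEED_CORPUS, seed=1))
```

Replaying the reported input against the hardened decoder is the regression check: the same bytes that crash `parse_tlv_buggy` must be rejected by `parse_tlv_fixed` with the defined error, which is exactly the kind of crash-to-test-case loop a continuously fuzzed project runs.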

With Assured OSS, the cloud company took these internally developed technologies and processes "and we have packed them into a turnkey offering," Potti said. "An enterprise points their open source repo to the Assured Open Source repo from Google," and the new security service does all the scanning, remediation and other heavy lifting, he claimed.

"It's an industry-first offering to get ahead of the digital supply chain problems," Potti said, adding that "we fundamentally believe that digital supply chain is going to be as big or bigger than the physical supply chain" challenges that companies currently face, including the chip shortage.

As proof, Google cites open source software scanning company Sonatype, which reported a 650 percent year-over-year increase in cyberattacks aimed at open source software suppliers from 2020 to 2021. And 84 percent of commercial code bases have open-source software vulnerabilities, according to Synopsys.

Snyk signs on as first Assured OSS partner

"We're not doing this not just by ourselves, but we will do this with a variety of partners," Potti added, noting that Snyk is the first such partner. This collaboration will see Assured OSS natively integrated into Snyk's software for joint customers to use when developing code.

As Snyk's software finds vulnerabilities, Google Cloud will recommend remediations for these bugs earlier in the development lifecycle, with the aim of finding and fixing them before they reach a production environment.

Google's new service follows several other recent efforts that the cloud giant has announced to improve supply chain security.

Last week, following a White House meeting on open source software security, Google and a handful of other big tech companies announced a $30-million-plus commitment to implement a plan to improve open-source and software supply chain security. 

In addition to the funding, Google announced its "Open Source Maintenance Crew." This dedicated staff of Google engineers will work with upstream maintainers to improve the security of open-source projects. ®