Worried about the security of your code's dependencies? Try Google's Deps.dev
Is this what the kids mean by owning the libs?
In early 2002, then Microsoft chairman Bill Gates issued his Trustworthy Computing memo to ensure that computing "is as available, reliable and secure as electricity, water services and telephony."
Two decades later, utilities and public infrastructure in the US are generally available but could be more reliable and more secure, and Windows, like other major operating systems, still falls short of Gates's goal. The vulnerabilities in the software – open source and proprietary – continue to plague computing. And as computing devices proliferate, so too do the potential consequences of compromised code.
This has become a matter of national concern. The White House issued its own directives last year, spurred on by damaging security incidents like Log4Shell and the SolarWinds cyberattacks. It has become clear that the volunteerism that makes so much open source code available needs to be supported, in terms of financing, security, and coordination, in order to ensure the availability, reliability, and security of computers and all the products and infrastructure that rely on them.
On Tuesday, Google – which has answered the government's call to secure the software supply chain with initiatives like the Open Source Vulnerabilities (OSV) database and Software Bills of Materials (SBOMs) – announced an open source software vetting service, its deps.dev API.
The API, accessible in a more limited form via the web, aims to provide software developers with access to security metadata on millions of code libraries, packages, modules, and crates.
By security metadata, Google means things like: how well maintained a library is, who maintains it, what vulnerabilities are known to be present in it and whether they have been fixed, whether it's had a code review, whether it's using old or new versions of other dependencies, what license covers it, and so on. For example, see the info on the Go package cmdr and the Rust Cargo crate crossbeam-utils.
The API also provides at least two capabilities not available through the web interface: the ability to query the hash of a file’s contents (to find all package versions with the file) and dependency graphs based on actual installation rather than just declarations.
"Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack," said Jesper Sarnesjo and Nicky Ringland, with Google's open source security team, in a blog post. "The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers."
- Python head hisses at looming Euro cybersecurity rules
- April Patch Tuesday: Ransomware gangs already exploiting this Windows bug
- Outage rates fall, but major ones will cost more. Oh and don't bank on SLAs
- The npm registry's safe word is Socket
In its 2022 M-Trends report, Google's Mandiant said that 17 percent of all security breaches begin with a supply chain attack. The ad giant is no doubt hoping this can be cut with the new API.
Developers can query the API to look up a dependency's records, with the returned data available programmatically to CI/CD systems, IDE plugins that present the information, build tools and policy engines, and other development tools.
Sarnesjo and Ringland say they hope the API helps developers understand dependency data better so that they can respond to - or prevent - attacks that try to compromise the software supply chain.
There are already hundreds of software supply chain tools and projects, but the more the merrier. Judging by the average life expectancy of Google services, the deps.dev API should be available for at least four years.
Along similar lines, Google Cloud on Wednesday nudged its Assured Open Source Software (Assured OSS) service for Java and Python into general availability. Assured OSS involves mirrored repositories of more than 1,000 popular software packages like TensorFlow, Pandas, and Scikit-learn that get scanned for vulnerabilities and get signed to prevent any tampering.
Assured OSS, according to Andy Chang, group product manager for security and privacy, has led Google to be the first to identify almost half (48 percent) of new vulnerabilities in the initial curated set of 278 packages. ®