Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure through efforts including the Open Source Security Foundation (OpenSSF), Open Source Vulnerabilities (OSV) database, and OSS-Fuzz. Last week, Google joined the OpenSSF, Linux Foundation, and industry leaders for a meeting to advance the open source software security initiatives discussed during January’s White House Summit on Open Source Security.

Announcing Assured Open Source Software

To further our commitment to help organizations strengthen their OSS software supply chain, we are announcing today a new Google Cloud product: our Assured Open Source Software service. Assured OSS enables enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows. Packages curated by the Assured OSS service:

• are regularly scanned, analyzed, and fuzz-tested for vulnerabilities
• have corresponding enriched metadata incorporating Container/Artifact Analysis data
• are built with Cloud Build including evidence of verifiable SLSA-compliance
• are verifiably signed by Google
• are distributed from an Artifact Registry secured and protected by Google

As a result, Assured OSS lets organizations benefit from Google’s extensive security experience and can reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies. Assured OSS is expected to enter Preview in Q3 2022.

Announcing Google Cloud and Snyk collaboration

In addition, today Google Cloud and Snyk are announcing their intent to collaborate to further help developers understand the risk and impact of their open source dependencies, and use Assured OSS to help reduce their risk. Specifically:

• Assured OSS will be natively integrated into Snyk solutions for joint customers to use wherever they are developing code.
• Snyk vulnerabilities, triggering actions, and remediation recommendations will become  available to joint customers within Google Cloud security and software development life cycle tools to enhance the developer experience.

The collaboration can help developers reduce the possibility of deploying open source software with critical vulnerabilities, more quickly identify associated impact of vulnerabilities,  better eliminate new threat exposures, and increase automation of their remediation activities.

What goes into the Assured OSS Service

The figure above details the many stages of the software supply chain for an open source dependency. Enterprises have widely different entry points to this lifecycle – some organizations may build packages from source themselves, while others pull packages from repos that they trust.

A few organizations including Google centralize control and actively secure each step of the end-to-end process. In our case, we start by maintaining separate secured copies of the source code for our dependencies and perform our own vulnerability scanning. We continuously fuzz 550 of the most commonly-used open source projects, and as of January 2022 have found more than 36,000 vulnerabilities. This makes us one of the largest contributors to the OSV.

We then manage an end-to-end build, deploy, and distribution process that includes integrated integrity, provenance, and security checks. Based on our internal security practices, we have created the SLSA framework to enable organizations to assess the maturity of their software supply chain security and understand key steps to progress to the next level.

We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program. Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources. However, the lack of an end-to-end process creates risk exposure each step of the way.

Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on. Users will also be able to submit packages from their own OSS portfolio to be secured and managed through the Google Cloud managed service.

Take the next step

We are excited to partner with you to help manage your use of OSS in your enterprise development workflows. Our collaboration with Snyk will help further simplify and secure cloud migrations and application modernization for developers, especially on Google Cloud.

To learn more about Assured OSS and get started, please fill out this interest form.