{"id":88908,"date":"2023-04-13T13:48:38","date_gmt":"2023-04-13T13:48:38","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4065568"},"modified":"2023-04-13T13:48:38","modified_gmt":"2023-04-13T13:48:38","slug":"google-cloud-offers-assured-open-source-software-for-free","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88908","title":{"rendered":"Google Cloud offers Assured Open Source Software for free"},"content":{"rendered":"<figure id=\"attachment_4065578\" aria-describedby=\"caption-attachment-4065578\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4065578\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/google-cloud-offers-assured-open-source-software-for-free.png\" alt=\"A shield and lock on a vector of the world.\" width=\"770\" height=\"315\"><figcaption id=\"caption-attachment-4065578\" class=\"wp-caption-text\">Image: Google<\/figcaption><\/figure>\n<p>Open source software and software supply chain security risks continue to be a primary concern for developers and organizations. According to a <a href=\"https:\/\/news.synopsys.com\/2023-02-22-Synopsys-Study-Underscores-Need-for-Comprehensive-SBOM-as-Best-Defense-in-Software-Supply-Chain-Security\" target=\"_blank\" rel=\"noopener noreferrer\">study<\/a> published in February 2023 by electronic design automation company Synopsys, 84% of open source software codebases contained at least one known vulnerability \u2014 a nearly 4% increase from the previous year \u2014 and 48% contained a high-risk vulnerability.<\/p>\n<p>In response to the threats hidden in open source software, Google Cloud is making its <a href=\"https:\/\/cloud.google.com\/assured-open-source-software\" target=\"_blank\" rel=\"noopener noreferrer\">Assured Open Source Software<\/a> service for the Java and Python ecosystems available to all at no cost. 
The free Assured OSS gives any organization access to the same Google-vetted open source packages that Google uses in its own workflows.<\/p>\n<p>The move comes on the heels of Google Cloud\u2019s <a href=\"https:\/\/www.techrepublic.com\/article\/google-launches-project-shield\/\">decision<\/a> to offer its Project Shield distributed denial-of-service (DDoS) defense to government sites, news and independent journalists, sites related to elections and voting and sites that cover human rights \u2014 a response to the rise in politically motivated DDoS attacks.<\/p>\n<p><strong>SEE<\/strong>: <strong>What DevSecOps means for securing the <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/devsecops-security-software-cycle\/\"><strong>software lifecycle<\/strong><\/a>.<\/p>\n<h2>Assured OSS, a walled garden for open-source codebases<\/h2>\n<p>Google <a href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/introducing-assured-open-source-software-service\" target=\"_blank\" rel=\"noopener noreferrer\">launched<\/a> Assured OSS in May of 2022 in part to address the rapid growth in cyberattacks aimed at open source suppliers, according to Andy Chang, group product manager, security and privacy at Google. 
He cited industry sources reporting a 650% surge in software supply chain attacks in 2021, when the use of OSS <a href=\"https:\/\/www.sonatype.com\/hubfs\/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report\/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us\" target=\"_blank\" rel=\"noopener noreferrer\">increased dramatically<\/a>.<\/p>\n<p>He told TechRepublic that, from the first announcement of Assured OSS, Google intended the service to meet DevSecOps teams and developers where they are today, with the pipeline and tooling they already use daily.<\/p>\n<p>\u201cSoftware supply chain attacks targeting open source continue to increase. Secure ingest of open source packages is a widespread challenge for organizations and developers wherever they choose to build code,\u201d he said. \u201cGoogle is uniquely positioned to help in this area as we are a long time contributor, maintainer, user of open source software and have developed a robust set of technology, processes, security capabilities and controls.\u201d<\/p>\n<p>He articulated four key elements behind the increase in attacks:<\/p>\n<ul>\n<li>OSS proliferation.<\/li>\n<li>The increasing pace of deployments, especially with the trend toward containers, microservices and an increasing number of cloud data services.<\/li>\n<li>Attack vectors against every layer of the stack: hardware, infrastructure systems, operating systems, middleware, app services, APIs and \u2014 the most vulnerable point of entry \u2014 humans.<\/li>\n<li>Gaps in standardization, both in the tooling needed to holistically manage the product cycle and in security and risk information (<strong>Figure A<\/strong>).<\/li>\n<\/ul>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4065579\" aria-describedby=\"caption-attachment-4065579\" class=\"wp-caption alignnone\"><img loading=\"lazy\" 
decoding=\"async\" class=\"size-article wp-image-4065579\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/google-cloud-offers-assured-open-source-software-for-free-15.png\" alt=\"Elements fueling increasing frequency of supply chain attacks.\" width=\"770\" height=\"304\"><figcaption id=\"caption-attachment-4065579\" class=\"wp-caption-text\">Image: Google Cloud. Elements fueling increasing frequency of supply chain attacks.<\/figcaption><\/figure>\n<p>Mike McGuire, senior software solutions manager at Synopsys, explained that Google has a direct interest in the open source community being as secure as possible.<\/p>\n<p>\u201cThe open source community really is just that \u2014 a \u2018community\u2019 that best operates when its members don\u2019t just take, but also contribute, and Google has always supported that with their actions,\u201d he said. \u201cGoogle clearly has many tools, processes and frameworks in place to ensure the integrity of their dependencies and development pipeline, so they are simply sharing the fruit of those efforts out to the broader community.\u201d<\/p>\n<p>He added that Google is working to build up their cloud-native application development platform, \u201cAnd that platform is all the more valuable when using it means having to worry less about complicated software supply chain threats.\u201d<\/p>\n<h2>Features of Assured OSS<\/h2>\n<p>Google said the code packages that are available as part of Google\u2019s Assured OSS program:<\/p>\n<ul>\n<li>Are regularly scanned, analyzed, and fuzz-tested for vulnerabilities.<\/li>\n<li>Have corresponding enriched metadata incorporating <a href=\"https:\/\/cloud.google.com\/artifact-registry\/docs\/analysis\" target=\"_blank\" rel=\"noopener noreferrer\">Container\/Artifact Analysis<\/a> data.<\/li>\n<li>Are built with <a href=\"https:\/\/cloud.google.com\/build\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Build<\/a>, including evidence of verifiable 
SLSA compliance.<\/li>\n<li>Are verifiably signed by Google.<\/li>\n<li>Are distributed from an <a href=\"https:\/\/cloud.google.com\/artifact-registry\" target=\"_blank\" rel=\"noopener noreferrer\">Artifact Registry<\/a> secured and protected by Google.<\/li>\n<\/ul>\n<h2>Securing codebases from fuzz testing to SLSA compliance<\/h2>\n<p>Securing codebases means closing the entry points an attacker could use and also stress-testing software against so-called corner cases: inputs and states the developers never anticipated, which is where weaknesses tend to hide.<\/p>\n<p>McGuire said Google has rigorous standards when it comes to which packages they trust, and for those that they do, they are essentially endorsing them to the public and providing proof of their efforts in vetting these components.<\/p>\n<p>\u201cAssured OSS clearly provides value to organizations looking for guidance on which packages are trustworthy within the sprawling open source universe,\u201d he said. \u201cBut it\u2019s important that they also have the tools in place to keep problematic components from entering their development pipeline, as well as continuously monitor previously trustworthy components for any newly discovered issues.\u201d (<strong>Figure B<\/strong>)<\/p>\n<p><strong>Figure B<\/strong><\/p>\n<figure id=\"attachment_4065580\" aria-describedby=\"caption-attachment-4065580\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4065580\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/google-cloud-offers-assured-open-source-software-for-free-16.png\" alt=\"Vulnerabilities in the software development lifecycle.\" width=\"770\" height=\"383\"><figcaption id=\"caption-attachment-4065580\" class=\"wp-caption-text\">Image: Google. 
Vulnerabilities in the software development lifecycle.<\/figcaption><\/figure>\n<h3>Fuzz testing<\/h3>\n<p>Chang explained that fuzz testing, aka \u201cfuzzing,\u201d uses invalid, unexpected or random inputs to expose irregular behavior such as memory leaks, crashes or undocumented functionality.<\/p>\n<h3>Salsa for software<\/h3>\n<p>The SLSA framework (\u201cSupply-chain Levels for Software Artifacts,\u201d pronounced \u201csalsa\u201d) adds a level of assurance to the software development lifecycle. \u201cToday, software developers are challenged to make informed decisions about the external software they bring into their own systems,\u201d said Chang. \u201cEspecially if it is owned and operated by a third party.\u201d<\/p>\n<p>He said SLSA formalizes the criteria around software supply chain integrity and helps businesses take incremental steps toward a more secure software supply chain by adding more security guidelines to address the most common threats across the landscape today.<\/p>\n<p>\u201cWhen software is provided at an assured and attested SLSA level, customers know upfront which risks have already been mitigated by the provider,\u201d he explained.<\/p>\n<p>\u201cSimply put, SLSA is a framework <a href=\"https:\/\/cloud.google.com\/blog\/products\/application-development\/google-introduces-slsa-framework\" target=\"_blank\" rel=\"noopener noreferrer\">introduced<\/a> by Google that can be used to assess the security of both software packages and the development lifecycles that built and delivered them,\u201d added McGuire. 
\u201cAs it pertains to Assured OSS, the packages that Google supports as part of this program have been built, evaluated and delivered in alignment with the SLSA standard, which aims to assure the community of the integrity of the packages,\u201d he said.<\/p>\n<h3>Enriched metadata<\/h3>\n<p>According to Chang, enriched metadata that incorporates container analysis data is critical because, \u201cThe more you know about the open source software being used, the better choices DevSecOps teams have related to policy enforcement and risk.\u201d<\/p>\n<p>He offered examples of how customers can use enriched metadata with Assured OSS packages:<\/p>\n<ul>\n<li>Reviewing the provided lists of transitive dependencies to understand what else may be impacted.<\/li>\n<li>Reviewing the SLSA level to help guide the admission and guard rail policies they set for packages to progress in their pipeline.<\/li>\n<li>Reviewing the VEX \u2014 Vulnerability Exploitability eXchange \u2014 data, the publisher\u2019s statements on whether a known vulnerability in a component actually affects the package as shipped, to focus on the most impactful vulnerabilities in the open source components.<\/li>\n<li>Understanding the provided license file data so that customers can apply policies as needed to ensure they meet their internal open source program office policies.<\/li>\n<\/ul>\n<h3>Signatures for software<\/h3>\n<p>Like a signed check, the verifiable signing Assured OSS provides for both its binaries and metadata enables customers to easily verify that the binaries and metadata come from Google and have not been tampered with during distribution, according to Chang.<\/p>\n<p>\u201cIn addition, because the metadata is signed, customers can have confidence that the details contained in the metadata \u2014 including how the package is built, the build steps, which build tools touched the code and which security scan tools were run on the code \u2014 are all as they were when Google created them,\u201d he said.<\/p>\n<p><strong>SEE: DevSecOps is <\/strong><a 
href=\"https:\/\/www.techrepublic.com\/article\/devsecops-security-software-cycle\/\"><strong>more than<\/strong><\/a><strong> shifting left.<\/strong><\/p>\n<h2>Focus on Java and Python packages<\/h2>\n<p>Google said the Assured OSS program will make it possible for organizations to get OSS packages from a vetted source and know what each package comprises, because Google supplies a software bill of materials (SBOM) for it. The company said the Assured OSS project includes 1,000 Java and Python packages and reduces the need for DevOps teams to establish and operate their own OSS security workflows.<\/p>\n<p>\u201cUsing methods such as fuzz testing, and including metadata of container or artifact analysis results, serves to attest to the security efforts performed,\u201d said McGuire. \u201cAs a matter of fact, being able to perform this type of security testing on dependencies, and provide this level of information, might be a sign of what\u2019s to come in the near future for software producers, especially for those doing business in highly regulated industries.\u201d<\/p>\n<p><strong>SEE<\/strong>: <strong>Why <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/supply-chain-security-plan\/\"><strong>supply chain security<\/strong><\/a><strong> should be part of your 2023 DevOps plan.<\/strong><\/p>\n<h2>Massive growth in OSS, and OSS vulnerabilities<\/h2>\n<p>Synopsys\u2019 8th annual Open Source Security &amp; Risk Analysis (OSSRA) report, based on 1,700 audits across 17 industries, found:<\/p>\n<ul>\n<li>163% increase in use of OSS by the EdTech sector.<\/li>\n<li>97% increase in OSS use by aerospace, aviation, automotive, transportation and logistics sectors, with a 232% increase in high-risk vulnerabilities.<\/li>\n<li>74% growth in OSS use by the manufacturing and robotics sectors.<\/li>\n<li>557% growth in high-risk vulnerabilities in the retail and eCommerce sector since 2019.<\/li>\n<li>89% of the total code being open source, 
and a 130% increase in high-risk vulnerabilities in the same period.<\/li>\n<li>31% of codebases are using open source with no discernible license or with customized licenses.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Image: Google Open source software and software supply chain security risks continue to be a primary concern for developers and organizations. According to a study published in February 2023 by electronic design automation company Synopsys, 84% of open source software codebases contained at least one known vulnerability \u2014 a nearly 4% increase from last year \u2014 and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88909,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,154,285,177,287,27],"tags":[],"class_list":["post-88908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-google","category-google-cloud","category-open-source","category-security","category-software"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88908"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88908\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88909"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.ph
p?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
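The "Enriched metadata" and "Signatures for software" sections of the article describe the consumer side of Assured OSS: confirm that the metadata and binary really come from Google and were not altered in transit, then drive admission policy from the SLSA level, VEX statements and license data in that metadata. The Go program below is an added example of such an admission check written for this page; it is not code from Google, TechRepublic or the Assured OSS service. The metadata schema and field names, the Ed25519 key pair standing in for the publisher's signing key, the policy thresholds, the sample artefact bytes and the placeholder vulnerability ID are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// PackageMetadata is a constructed stand-in for the signed "enriched metadata" the
// article describes; the schema is an assumption, not the Assured OSS format.
type PackageMetadata struct {
	Name      string         `json:"name"`
	Version   string         `json:"version"`
	SHA256    string         `json:"sha256"` // digest of the binary this metadata describes
	SLSALevel int            `json:"slsa_level"`
	Licenses  []string       `json:"licenses"`
	VEX       []VEXStatement `json:"vex"`
}

// VEXStatement is the publisher's assessment of whether a known vulnerability really
// affects this package; Status is affected, not_affected, fixed or under_investigation.
type VEXStatement struct {
	VulnID, Status, Severity string
}

// Policy is the consumer's admission rule set (the pipeline's "guard rails").
type Policy struct {
	MinSLSALevel      int
	AllowedLicenses   map[string]bool
	BlockedSeverities map[string]bool // reject if a VEX "affected" statement carries one of these
}

// SignMetadata signs exactly the serialised bytes that will be distributed and parsed.
func SignMetadata(priv ed25519.PrivateKey, md PackageMetadata) (metadataJSON, sig []byte, err error) {
	if metadataJSON, err = json.Marshal(md); err != nil {
		return nil, nil, err
	}
	return metadataJSON, ed25519.Sign(priv, metadataJSON), nil
}

// VerifyAndAdmit checks in trust order: signature, then digest binding binary to metadata, then policy.
func VerifyAndAdmit(pub ed25519.PublicKey, metadataJSON, sig, binary []byte, p Policy) (PackageMetadata, error) {
	var md PackageMetadata
	if !ed25519.Verify(pub, metadataJSON, sig) {
		return md, fmt.Errorf("metadata signature invalid: not signed by the pinned publisher key")
	}
	if err := json.Unmarshal(metadataJSON, &md); err != nil {
		return md, fmt.Errorf("metadata parse error: %w", err)
	}
	sum := sha256.Sum256(binary)
	if got := hex.EncodeToString(sum[:]); got != md.SHA256 {
		return md, fmt.Errorf("binary digest %s does not match signed metadata digest %s", got, md.SHA256)
	}
	if md.SLSALevel < p.MinSLSALevel {
		return md, fmt.Errorf("SLSA level %d is below the required level %d", md.SLSALevel, p.MinSLSALevel)
	}
	for _, l := range md.Licenses {
		if !p.AllowedLicenses[l] {
			return md, fmt.Errorf("license %q is not on the allow list", l)
		}
	}
	for _, v := range md.VEX {
		if v.Status == "affected" && p.BlockedSeverities[v.Severity] {
			return md, fmt.Errorf("%s: package is affected at %s severity", v.VulnID, v.Severity)
		}
	}
	return md, nil
}

// DefaultPolicy is an illustrative rule set, not one the article prescribes.
func DefaultPolicy() Policy {
	return Policy{MinSLSALevel: 3,
		AllowedLicenses:   map[string]bool{"Apache-2.0": true, "MIT": true, "BSD-3-Clause": true},
		BlockedSeverities: map[string]bool{"critical": true, "high": true}}
}

// SamplePackage builds a constructed artefact and metadata; the key pair stands in for the publisher's key.
func SamplePackage() (ed25519.PublicKey, ed25519.PrivateKey, PackageMetadata, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	binary := []byte("constructed wheel contents for example-lib 1.2.3")
	sum := sha256.Sum256(binary)
	md := PackageMetadata{Name: "example-lib", Version: "1.2.3", SHA256: hex.EncodeToString(sum[:]),
		SLSALevel: 3, Licenses: []string{"Apache-2.0"},
		// Placeholder vulnerability ID, not a real CVE; the publisher states the package is not affected.
		VEX: []VEXStatement{{VulnID: "VULN-EXAMPLE-1", Status: "not_affected", Severity: "high"}}}
	return pub, priv, md, binary
}

func main() {
	pub, priv, md, binary := SamplePackage()
	metaJSON, sig, _ := SignMetadata(priv, md)
	_, err := VerifyAndAdmit(pub, metaJSON, sig, binary, DefaultPolicy())
	fmt.Println("admitted:", err == nil, err)
}
```

The order of the checks is the point: the signature is verified before a single field of the metadata is read, so an attacker who can alter the metadata (say, raising the SLSA level to satisfy policy) is stopped before policy runs, and the digest check ties the binary on disk to the metadata that was signed, so a swapped artefact with untouched metadata is also rejected. In a real pipeline the consumer pins the publisher's public key and never holds the private half; the key generation here exists only so the example can sign its own constructed sample.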