
About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing for vulnerabilities some of the world’s most popular software libraries. Today, Google is launching Assured OSS into general availability with support for well over a thousand Java and Python packages — and while Google didn’t initially disclose pricing when it first announced the service, the company has now revealed that it will be available for free.

Software development has long depended on third-party libraries (which are often maintained by only a single developer), but it wasn’t until the industry got hit with a number of high-profile exploits that everyone (including the White House) perked up and started taking software supply chain security seriously. Now, you can’t attend an open source conference without hearing about Software Bills of Materials (SBOMs), artifact registries and similar topics. It’s no surprise then that Google, which has long been at the forefront of releasing open-source products, launched a service like Assured OSS.
Google promises that it will constantly keep these libraries up to date (without creating forks) and continuously scan for known vulnerabilities, do fuzz tests to discover new ones and then fix these issues and contribute these fixes back upstream. The company notes that when it first launched the service with around 250 Java libraries, it was responsible for discovering 48% of the new CVEs for these libraries and subsequently addressing them.
“As organizations increasingly utilize OSS for faster development cycles, they need trusted sources of secure open source packages,” said Melinda Marks, senior analyst, ESG. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”
Developers and organizations that want to use the new service can sign up here and then integrate Assured OSS into their existing development pipeline.