Google Cloud has made its Assured Open Source Software (Assured OSS) service available for Java and Python ecosystems at no cost due to the increasing risks associated with reliance on open-source software. A study by Synopsys in 2023 found that 84% of open-source software codebases had at least one known vulnerability, with a 4% increase from the previous year, and 48% contained a high-risk vulnerability.
The Assured OSS service scans and analyzes popular software libraries for vulnerabilities to aid developers in defending against supply chain security attacks. Google began developing Assured OSS in May 2022 to address the growing number of hacks targeting open-source vendors. Google’s significant contribution, maintenance, and usage of open-source software, along with their robust technology, processes, security capabilities, and controls, make them well-positioned to assist in this area.
Features of Assured OSS
According to Google, the packages in its Assured OSS programme:
- Are regularly scanned, analyzed, and fuzz-tested for vulnerabilities.
- Have corresponding enriched metadata incorporating Container/Artifact Analysis data.
- Are built with Cloud Build, including evidence of verifiable SLSA compliance.
- Are verifiably signed by Google.
- Are distributed from an Artifact Registry secured and protected by Google.
Andy Chang stated that Assured OSS is valuable for organizations seeking guidance on trustworthy open source packages. However, it is crucial to have tools that prevent problematic components from entering the development pipeline and continuously monitor previously trustworthy components for newly discovered issues.
In addition, the SLSA framework enhances the software development lifecycle by adding assurance. By including new security rules to address prevalent vulnerabilities in the current landscape, SLSA formalizes the criteria for software supply chain integrity and helps organizations take small steps toward a more secure software supply chain.
Customers can trust the metadata, including the build steps, build tools, and security scan tools recorded in it, because Google signs it: a valid signature shows the metadata is in the same condition as when Google created it.
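Signed build metadata is only useful if the consumer actually checks it against the artifact in hand. The block below is an added example, not code from Google or the Assured OSS service, showing the content checks a consumer applies to an in-toto statement carrying SLSA provenance (the SLSA compliance evidence mentioned above): the artifact's SHA-256 must appear among the statement's subjects, the predicate type must be the expected one, and the builder identity must be on an allow-list. It assumes the statement's signature has already been verified by a separate step (signature verification is not shown); the statement, the artifact bytes and the builder id are constructed placeholders, not real Assured OSS values.

```python
import hashlib
from typing import Tuple

# Placeholder builder identity for this example; not a real Google builder id.
BUILDER_ID = "https://example.invalid/builder/cloud-build"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"

# Constructed bytes standing in for a downloaded wheel or jar.
SAMPLE_ARTIFACT = b"constructed bytes standing in for a downloaded wheel"


def make_sample_statement(artifact: bytes, builder_id: str = BUILDER_ID) -> dict:
    """Build a constructed in-toto Statement with SLSA v0.2 provenance whose
    subject digest matches `artifact`. Field layout follows the public SLSA
    v0.2 format; every value is made up for this example."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        "subject": [
            {
                "name": "example_pkg-1.0.0-py3-none-any.whl",
                "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
            }
        ],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/buildtypes/constructed",
        },
    }


SAMPLE_PROVENANCE = make_sample_statement(SAMPLE_ARTIFACT)


def check_provenance(artifact: bytes, statement: dict,
                     trusted_builders: set) -> Tuple[bool, str]:
    """Return (ok, reason). Assumes the envelope signature over `statement`
    was verified earlier; this function checks the statement's content only."""
    # 1. Only accept the provenance format we know how to interpret.
    if statement.get("predicateType") != SLSA_V02:
        return False, "unexpected predicate type"

    # 2. The artifact we downloaded must be one of the statement's subjects,
    #    otherwise the provenance describes something else entirely.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not among provenance subjects"

    # 3. Provenance is only as trustworthy as the builder that produced it;
    #    refuse anything not on the consumer's allow-list.
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"

    return True, "ok"


if __name__ == "__main__":
    print(check_provenance(SAMPLE_ARTIFACT, SAMPLE_PROVENANCE, {BUILDER_ID}))
    print(check_provenance(SAMPLE_ARTIFACT + b"x", SAMPLE_PROVENANCE, {BUILDER_ID}))
```

The digest check is the step that ties the signed metadata to the bytes you are about to install; without it, a valid signature on someone else's build proves nothing about the package in your pipeline.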
According to the company, the Assured OSS project comprises 1,000 Java and Python packages and eliminates the need for DevOps teams to set up and manage their own OSS security operations.
Author: Guru