Google’s security promise for open source software: Assured OSS

Almost a year after the initial announcement, Google’s Assured Open Source Software (Assured OSS) service is now generally available. The question of price, which was still open at the beginning, has thus also been settled: the service is free of charge. It delivers open source packages, checked for vulnerabilities by several methods, for integration into software development workflows.

To start with, Assured OSS offers over 1000 tested open source packages for Java and Python. According to Google, these are the same packages that the company uses internally for its own software projects. The selection mainly includes frequently used software such as TensorFlow, pandas and scikit-learn.

Assured OSS aims to improve the security of the software supply chain with verified and signed packages. To check for vulnerabilities, the packages go through static and dynamic code analysis, and Google also uses a fuzzer. The fuzzer feeds the programs under test random or deliberately malformed inputs and so exposes attack surfaces that human testers miss when they test with more or less plausible data.


For example, fuzzing can detect buffer overflows triggered by unexpected inputs. Google maintains a GitHub repository around this testing technology. The company presented the OSS-Fuzz tool in 2016, followed by ClusterFuzz in 2019 and its offshoot ClusterFuzzLite in 2021.

Google signs all binaries and metadata so that companies can verify they are including unmodified packages in their build process. The packages on Assured OSS ship with Software Bill of Materials (SBOM) metadata in the SPDX (Software Package Data Exchange) and VEX (Vulnerability Exploitability eXchange) formats.
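To show what a consumer can do with that metadata, here is an added example (not Google's or Assured OSS's own code): it cross-references a constructed SPDX 2.3 JSON SBOM with a constructed OpenVEX-style VEX document and flags packages whose VEX status is "affected". The JSON field names follow SPDX and OpenVEX as I know them and the CVE identifiers are placeholders; treat both as assumptions.

```python
import json

# Constructed SPDX 2.3 JSON SBOM with two packages identified by purl (assumed layout).
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
  "packages": [
    {"SPDXID": "SPDXRef-pandas", "name": "pandas", "versionInfo": "1.5.3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/pandas@1.5.3"}]},
    {"SPDXID": "SPDXRef-numpy", "name": "numpy", "versionInfo": "1.24.2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/numpy@1.24.2"}]}
  ]
}"""

# Constructed OpenVEX-style document; CVE names are placeholders, not real advisories.
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:pypi/pandas@1.5.3"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:pypi/numpy@1.24.2"}],
     "status": "affected"}
  ]
}"""

def sbom_purls(sbom):
    """Map each package's purl to (name, version) from a parsed SPDX JSON document."""
    out = {}
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out[ref["referenceLocator"]] = (pkg["name"], pkg.get("versionInfo"))
    return out

def triage(sbom_text, vex_text):
    """Return ({purl: [(cve, status), ...]}, [purls with an 'affected' statement]).
    A build pipeline can fail on the second list and ignore 'not_affected' noise."""
    purls = sbom_purls(json.loads(sbom_text))
    findings = {p: [] for p in purls}
    for stmt in json.loads(vex_text).get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for prod in stmt.get("products", []):
            if prod["@id"] in findings:          # only SBOM packages matter here
                findings[prod["@id"]].append((cve, stmt["status"]))
    blocked = sorted(p for p, v in findings.items() if any(s == "affected" for _, s in v))
    return findings, blocked

if __name__ == "__main__":
    print(triage(SBOM_JSON, VEX_JSON)[1])   # → ['pkg:pypi/numpy@1.24.2']
```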



Assured OSS is intended to avert typical risks for the software supply chain.

(Image: Google)

Further details on Assured OSS can be found on the Google Cloud Blog. Almost at the same time, Google announced the deps.dev API, which is also intended to secure the software supply chain by providing an overview of dependencies in open source packages and potential vulnerabilities.


(rme)
