Looking to help cut the risk of software supply chain vulnerabilities in open source software, Google says it will release its own packages and libraries of vetted open source for other organizations to use.
The company made the announcement in its Google Cloud blog, saying that its new Assured Open Source Software service (Assured OSS) will enable enterprise and public sector users to incorporate the same open source software packages that Google uses in their own developer workflows.
The new cloud service from Google, due in a preview version in Q3 2022, comes amid a sharp increase in cyber attacks targeting open source. A recent example is the wave of attacks exploiting the Log4Shell vulnerability in Log4j 2, the widely used open source Java logging library maintained by the Apache Software Foundation. It is far from the only one: software supply chain management vendor Sonatype said in its State of the Software Supply Chain Report that cyber attacks aimed at open source suppliers increased by 650% year-over-year in 2021.
What’s more, enterprise organizations today are increasingly using open source software, a trend that accelerated during the pandemic, according to Red Hat’s State of Enterprise Open Source Report 2022 and a blog post by Red Hat president and CEO Paul Cormier. Indeed, the survey found that 80% of IT leaders expect to increase their use of enterprise open source software for emerging technologies.
Google is certainly not alone in its effort to address open source vulnerabilities. The Linux Foundation and the Open Source Security Foundation (OpenSSF), with support from 37 companies including Amazon, Google and Microsoft, recently released a plan for securing open source software.