• by Laurie Sullivan  @lauriesullivan, April 12, 2023

Google on Wednesday announced the general availability of its Assured Open Source Software (OSS) service that helps developers defend against supply chain security attacks by scanning and analyzing software libraries for vulnerabilities.

Assured OSS -- available for free -- gives any organization that uses open-source software the opportunity to leverage the security and experience that Google applies to open-source dependencies. It integrates the same OSS packages that Google secures and uses in its developer workflows. 

Google, which announced the product In May 2022, says the technology reduces risk because it actively scans, finds, and fixes new vulnerabilities in curated packages.

Andy Chang, group product manager, security and privacy at Google, believes threats to the software supply chain and OSS security remain major areas of concern for organizations creating apps and their developers.

“According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack, the initial infection vector second only to exploits,” he wrote in a post.

Open-source software security continues to be an area of risk and a complex challenge as more companies move content to the cloud.

With the Assured Open Source Software service, OSS companies can benefit from the security system, tooling, processes and techniques that Google has built for its own use.

Jon Meadows, managing director and Citi Tech Fellow, Cyber Security at Citi, said Citi and Google see untrusted and unverified open-source dependencies as a key risk vector, and that assured OSS can help reduce risk and protect open-source software commonly used by enterprises.

Until now, software development has long depended on third-party libraries often maintained by one developer. Google says it will keep the libraries up to date and continuously scan for known vulnerabilities.