
Google Cloud Assured Open Source Software service is now generally available

April 12, 2023
Andy Chang

Group Product Manager, Google Cloud Security, Security & Privacy

Threats to the software supply chain and open source software (OSS) security continue to be major areas of concern for organizations creating apps and for their developers. According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack, making it the second most common initial infection vector, behind only exploits.

Building on Google’s efforts to improve OSS security, we are announcing the general availability of the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems. Available today at no cost, Assured OSS gives any organization that uses open source software the opportunity to leverage the security and experience Google applies to open source dependencies by incorporating the same OSS packages that Google secures and uses into their own developer workflows. 

Using Assured OSS, organizations can:

  • Obtain their OSS packages from a trusted and known supplier

  • Know more about their ingredients with Assured SBOMs provided in industry-standard formats like SPDX and VEX

  • Reduce risk, as Google is actively scanning, finding, and fixing new vulnerabilities in curated packages  

  • Increase confidence in the integrity of the ingredients they’re using through signed, tamper-evident provenance

  • Choose from more than 1,000 of the most popular Java and Python packages, including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn. 

Since announcing the public preview in May 2022 and integrating Assured OSS as a key component of Software Delivery Shield the following October, we have received an overwhelmingly positive response and interest from our customers.

Jon Meadows, managing director and Citi Tech Fellow, Cyber Security at Citi said, “Citi has been an advocate and active leader in the industry's efforts to secure enterprise software supply chains. Both Citi and Google see untrusted and unverified open source dependencies as a key risk vector. This is why we’ve been excited to be an early adopter of Google Cloud's new Assured OSS product. Assured OSS can help reduce risk and protect open source software components commonly used by enterprises like us.”

Assured OSS guards OSS packages against attacks and risk by:

  • continuously mirroring key external ecosystems to manage end-to-end security without creating forks

  • managing the security and integrity of the mirrored repos and end-to-end build tool chain with tamper-evident provenance and attestations

  • continuously scanning for, fuzz testing, and fixing critical vulnerabilities, which are then quickly contributed back upstream to limit the exposure time and blast radius

  • operating a critical patching team to support covered packages

“As organizations increasingly utilize OSS for faster development cycles, they need trusted sources of secure open source packages,” said Melinda Marks, senior analyst, ESG. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”

The curation process brings significant security benefits to Assured OSS adopters and the larger community. Since our Assured OSS team curated the first 278 packages, we have been the first to find 48% of the new vulnerabilities (CVEs); each of these CVEs has been fixed and upstreamed.

Figure: Assured OSS helps address key security challenges.

Get started today

Here’s how easy it is to get started:

  1. Enable Assured OSS through our self-serve onboarding form

  2. Use the metadata API to list available Python and Java packages and determine which Assured OSS packages you want to use

  3. Connect to your software development pipeline anywhere you build code — you can easily integrate with Artifact Registry, Artifactory, Nexus and more

  4. Build your app that now uses Assured OSS trusted dependencies

  5. Inspect the corresponding enhanced metadata (SBOM and VEX)

Learn more

Open source software security is an exponentially increasing area of risk and a complicated challenge. With Assured OSS you can benefit from the security system, tooling, processes and techniques Google has built and leverages daily for our own security. Learn more about Assured Open Source Software, watch our Security Talks session on managing open source software security in the enterprise, sign up for our webinar on software supply chain security, and reach out to us with any questions or feedback.
