
IT prediction: open source packages get curated

December 6, 2022
Eric Brewer

VP of Infrastructure & Google Fellow

Editor's note: This post is part of an ongoing series on IT predictions from Google Cloud experts. Check out the full list of our predictions on how IT will change in the coming years.


Prediction: By 2025, 4 out of 5 enterprise developers will use some form of curated open source

Open source is everywhere. It’s a public infrastructure that helps power our everyday life, helping to run everything from our electrical grids and water supplies to our oil pipelines. Today, it’s fundamental for all clouds, nearly all nations, and it’s even used widely in proprietary software. 

With the rise of compliance regulations like the Federal Risk and Authorization Management Program (FedRAMP) and the Biden Executive Order on Cybersecurity, curated open source adds the extra layer of accountability needed to run the applications that will power our future.

Curated open source aims to improve software supply chain security by actively curating and vetting key open-source packages. The “curator” focuses not just on finding vulnerabilities, but also on helping to fix them. For example, curators will update old dependencies and track new ones. Curators will also enable automated testing to simplify security for the long term.

Today, there are small forms of curation, such as packages that come with a supported version of Linux or paid versions of some popular open-source systems like Apache Spark, but most of the packages we depend on are not curated. Given the widespread risk, this will have to change.

We are already working to create our own solutions to be ready for this reality with the release of Software Delivery Shield, our fully managed security solution that protects your software supply chain from source to deployment. This includes our curated open source service called Assured OSS (now in preview), which scans, analyzes, and fuzz-tests more than 500 Java and Python open source packages for security vulnerabilities and updates them as needed before making them available to cloud developers. 

Assured OSS packages enable organizations to benefit from the same end-to-end security capabilities and practices that we apply to our own OSS portfolio at Google Cloud. Developers have access to a curated set of the same open source packages that we have invested in and depend on in our own products and services.

If you’d like to learn more about curated open source and how to get started, please fill out this interest form for Assured OSS.
