Google Cloud wants to help improve the security of the most widely used open-source software, and to do so it’s making its Assured Open Source Software service generally available for Java and Python ecosystems.

Announced today and available at no cost to users, Assured OSS gives organizations the ability to use exactly the same OSS packages that Google uses in its own developer workflows. As a result, they can benefit from the additional safety measures that Google applies to those packages, improving their own security.

It may prove to be a compelling offer because open-source software serves as the basis for the majority of the world’s software applications and services. Even proprietary software apps rely on various open-source components, yet the security of these community-maintained offerings is a big concern. According to Mandiant’s 2022 M-Trends report, 17% of all security breaches that year began with an attack on the open-source software supply chain. If hackers spot a vulnerability in an open-source component, it can potentially be used to exploit any application that uses it.

By relying on Google’s extensive library of Assured OSS packages, organizations will benefit from a more secure open-source software supply chain, Google said. They’ll be able to understand better the ingredients of the packages they use with an Assured Software Bill of Materials provided in industry standard formats. Their overall risk will be reduced too, because it means the components they use are actively scanned for vulnerabilities and fixed by Google.

Google said its Assured OSS library covers thousands of the most popular Java and Python packagers, including common artificial intelligence and machine learning tools such as TensorFlow, Pandas and Scikit-Learn. The OSS packages are regularly scanned, analyzed and fuzz-tested for vulnerabilities, verifiably signed by Google and distributed from an artifact registry that’s secured and protected by the company. Assured OSS has already proved its worth, Google added, since it was the first to find and fix 48% of all new vulnerabilities discovered in the first 250 Java packages it offered through the program.

Holger Mueller of Constellation Research Inc. told SiliconANGLE that practically all modern software is written using open source components, and that the very nature of it means that it’s open to all kinds of risks. “For many enterprises, checking software for bugs and vulnerabilities is an ardous and sometimes even impossible task,” Mueller explained. “So it’s great to see that Google is letting others benefit from its own checks and due diligence.”

Google reckons it has received an overwhelmingly positive response since launching Assured OSS in public preview last year. Citibank N.A Managing Director and Tech Fellow Jon Meadows said his company was one of the earliest adopters of the initiative. “Both Citi and Google see untrusted and unverified open source dependencies as a key risk vector,” he said. “Assured OSS can help reduce risk and protect open-source software components commonly used by enterprises like us.”

Organizations that want to get started with Assured OSS can do so through this self-serve onboarding form. They can then connect the Assured OSS packages to their software development pipeline in any environment they wish, including Artifact Registry, Artifactory, Nexus and others.

ESG analyst Melinda Marks said a trusted source of secure open source packages is vital for organizations with fast development cycles. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain,” she said. “By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”

Images: Google Cloud