Google’s Assured Open Source Software (Assured OSS) service, launched a year ago, scans and analyzes some of the world’s most popular software libraries for vulnerabilities to assist developers in fighting against supply chain security breaches.
Google is bringing Assured OSS into wide availability today with support for over 1,000 Java and Python packages. The firm initially didn’t disclose the price, but it’s now free.
After a series of high-profile exploits, everyone, including the White House, started taking software supply chain security seriously. Software development has long relied on third-party libraries, many of which are maintained by a single developer.
Software Bills of Materials (SBOMs), artifact registries, and related topics are now standard fare at open-source conferences. So Google, a major contributor to open-source software, created Assured OSS.
Google promises to keep these libraries up to date without forking them, check them for known vulnerabilities, fuzz test them to find new ones, patch them, and contribute the fixes upstream. For example, when the service began with 250 Java libraries, it discovered and fixed 48% of the new CVEs.
As enterprises use OSS for shorter development cycles, they require credible sources of safe, open-source packages, said ESG senior analyst Melinda Marks.
In addition, enterprises risk security vulnerabilities and other software supply chain concerns without sufficient vetting and verification or metadata to track OSS access and usage. Organizations may reduce these risks and secure their business applications by working with a reliable provider.