Google assuring open source code to secure software supply chains (Security News, May 2022)
Google has a plan - and a new product plus a partnership with developer-focused security shop Snyk - that attempts to make it easier for enterprises to secure their open source software dependencies.
Packages offered through the service carry enriched metadata incorporating Container/Artifact Analysis data and are built with Cloud Build, which verifies that the build complies with SLSA, Google's framework for ensuring the integrity of software artifacts throughout the software supply chain.
The new service is based on internal tools and best practices that Google has "invested heavily" in over the past several years to secure its own open source software dependencies, Potti told reporters during a press conference.
As evidence of the need, Google cites open source software scanning company Sonatype, which reported a 650 percent year-over-year increase in cyberattacks aimed at open source software suppliers from 2020 to 2021.
Last week, following a White House meeting on open source software security, Google and a handful of other big tech companies announced a $30-million-plus commitment to implement a plan to improve open-source and software supply chain security.
In addition to the funding, Google announced its "Open Source Maintenance Crew." This dedicated staff of Google engineers will work with upstream maintainers to improve the security of open-source projects.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/05/17/google_assured_open_source_software/