Google Cloud certifies open source software to secure supply chains


While cyberattacks targeting free software vendors have increased by 650% in the space of a year, Google has just announced measures to strengthen the security of the software supply chain.

The American giant has just set up an initiative to offer companies using open source software access to the same secure packages as those used by its own developers to create and maintain the code. “We wondered how to get ahead of any digital supply chain issue so that we are not in the same position we are in today on the physical supply chain,” says Sunil Potti, vice president of Google Cloud Security.

He cited the critical problem posed by the security of open-source software, which is used by “just about every company on the planet”. Packages offered to Google Cloud customers under the Assured Open Source Software service are verifiably certified by Google and are regularly scanned and analyzed for vulnerabilities to ensure users have maximum protection against bugs and exploits.

Software certified by Google

They are built using Google’s Cloud Build platform, with evidence of verifiable compliance with the Supply-chain Levels for Software Artifacts (SLSA) standard – a security framework and checklist of standards and controls aimed at preventing code tampering, improving integrity, and securing packages. The system is based on the process Google uses internally, in which every step of the build is actively secured across the end-to-end process and separate, secure copies of the source code are maintained.
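As an added illustration of what “verifiable compliance” means on the consumer side (this is not code from the article or from Google’s Assured OSS tooling): a package’s SLSA provenance statement is checked against the bytes actually downloaded and against the builder the consumer trusts. All names, URIs and digests below are constructed placeholders, and a real statement arrives inside a signed envelope whose signature must be verified before any of these checks.

```python
import hashlib
import json

# Constructed sample: an in-toto Statement carrying a SLSA provenance predicate,
# as a build platform would attach to a package it produced. In practice the
# statement comes from the builder; it is generated here only so the example runs.
ARTIFACT_BYTES = b"example-package-1.0.0 contents (constructed sample)\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()
TRUSTED_BUILDER = "https://example.test/builder/v1"  # placeholder builder id

PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-package-1.0.0.tar.gz",
                 "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER},
        "buildType": "https://example.test/build-types/package/v1",
        "materials": [{"uri": "git+https://example.test/upstream/example-package",
                       "digest": {"sha1": "0" * 40}}],  # placeholder source digest
    },
})


def verify_provenance(statement_json, artifact, expected_builder_id):
    """Return (ok, reason). ok is True only when the statement is SLSA provenance
    whose subject digest matches the artifact and whose builder is the trusted one."""
    try:
        stmt = json.loads(statement_json)
    except ValueError:
        return False, "statement is not valid JSON"
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False, "not an in-toto statement"
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False, "predicate is not SLSA provenance"
    # The digest is recomputed from the bytes on disk, never taken from metadata.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        return False, "artifact digest does not match any provenance subject"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder_id:
        return False, f"untrusted builder: {builder!r}"
    return True, "provenance matches artifact and trusted builder"
```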

Google Cloud’s new offering “allows enterprise customers to directly benefit from the deep, end-to-end security capabilities and practices we apply to our own open-source software portfolio by giving them access to the same open-source software packages on which Google depends”, according to the American giant.

Recall that vulnerabilities in the supply chain are widely exploited by cybercriminals. Many incidents begin with attackers exploiting newly discovered zero-day cybersecurity vulnerabilities. However, even if a security patch is provided, organizations may be slow to deploy it, making them vulnerable to attackers.

With this new offering, Google Cloud hopes to make it easier to manage open source and supply chain vulnerabilities — and therefore help organizations of all sizes stay safe from cyberattacks. It remains to be seen whether this plan will work.

Source: ZDNet.com