
Google Cloud is solving security issues with services

Google Cloud is focusing on software supply-chain security and zero trust with new launches

Francis Scialabba


Everyone’s talking about software supply-chain security, and this year’s Google Cloud Security Summit was no different, with the announcement of an Assured Open Source Software (Assured OSS) service that could help enterprise customers avoid nasty hidden surprises in their software components.

Google Cloud execs, including Sunil Potti and Jeanette Manfra, said that enterprise and government users will now have access to Assured OSS, which entails access to the open-source packages Google says it has vetted for its own internal use. In a press release, Andy Chang, Google Cloud group product manager for security and privacy, wrote that Assured OSS packages are “regularly scanned, analyzed and fuzz-tested for vulnerabilities,” meaning they’ve been bombarded with invalid or unexpected inputs to make sure nothing weird happens. Each package comes with documented, “verifiable” Supply-chain Levels for Software Artifacts (SLSA) compliance; SLSA is a framework and standards system for guaranteeing secure software supply chains that Google introduced last year.

“So many organizations are building software, they’re building applications to drive their business forward,” Rob Sadowski, trust and security marketing lead at Google Cloud, told IT Brew. “And the fact of the matter is that a lot of that code gets written by internal developers, but a fair amount of that code they are taking [from open-source repositories and other third party sources], and reusing frameworks and other things like that.”

Software supply-chain security, at its core, is about checking that no one slipped any vulnerabilities, intentionally or otherwise, into the countless third-party components and open-source libraries involved in a typical application. It has recently come into focus as one of the key concerns not only of federal agencies like CISA but of industry giants like Amazon, Google, and Microsoft, which have pledged a collective $30 million to an open-source security plan spearheaded by the Linux Foundation and the Open Source Software Security Foundation.


One challenge is that malicious parties have realized those third-party components are a great way to sneak into the backend of projects, Sadowski added, and often attempt to trick developers into downloading subverted code. Moreover, sometimes that code inadvertently introduces vulnerabilities that are hard to anticipate, such as buffer overflows, which can cause unanticipated behavior, according to Sadowski.

“We are continuously fuzzing over 500 of the most-popular open-source projects,” Sadowski said. “If you go to our GitHub page, for example, for OSS-Fuzz, it talks about the number of projects we’re doing this for, and as a result, the number of vulnerabilities that were found. So I don’t think it’s a magic process. But it does take a lot of work and resources, and you want to do it continuously.”
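To make concrete what the fuzz-testing described above actually does, here is a small mutation-based fuzzer written for this article; it is example code, not Google's or OSS-Fuzz's. It runs random mutations of a valid seed input against a constructed toy record parser and reports every exception class the parser never documented, keeping the shortest input that triggers each one as a reproducer. The parser, its wire format, the seed corpus and all function names are assumptions made for the example. OSS-Fuzz's engines add coverage feedback to steer mutations toward new code paths; this loop deliberately omits that so the core idea stays visible.

```python
import random

# Exception types the toy parser documents as its own input-validation errors.
# The fuzzer treats these as expected; anything else is a bug worth reporting.
EXPECTED_ERRORS = (ValueError,)

# Constructed seed input: count=2, record "abc" (len 3), record "x" (len 1).
SEED_CORPUS = [bytes([2, 3, 0x61, 0x62, 0x63, 1, 0x78])]


def parse_records(data: bytes) -> list:
    """Toy parser for a constructed format: [count][len][payload][len][payload]...

    It is deliberately sloppy in two places (a trusted count byte and a modulo
    by the record length) so that the fuzzer has realistic bugs to surface.
    """
    if not data:
        raise ValueError("empty input")
    count = data[0]
    i = 1
    records = []
    for _ in range(count):
        n = data[i]                      # IndexError when count overstates the records
        payload = data[i + 1:i + 1 + n]
        if len(payload) != n:
            raise ValueError("truncated record")  # documented, handled error
        _checksum = sum(payload) % n     # ZeroDivisionError when a length byte is 0
        records.append(payload)
        i += 1 + n
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary-value byte, truncation, or insertion."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def run_once(target, data: bytes):
    """Run target on data; return the name of an unexpected exception, or None."""
    try:
        target(data)
    except EXPECTED_ERRORS:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(target, corpus, iterations=2000, seed=1) -> dict:
    """Mutation-based fuzz loop without coverage guidance.

    Returns {exception_name: shortest_input_seen}, so every crash class comes
    with a reproducer. The run is deterministic for a given seed.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        name = run_once(target, sample)
        if name and (name not in crashes or len(sample) < len(crashes[name])):
            crashes[name] = sample
    return crashes


if __name__ == "__main__":
    for name, sample in sorted(fuzz(parse_records, SEED_CORPUS).items()):
        print(f"{name}: reproducer {sample.hex()}")
```

The distinction between `EXPECTED_ERRORS` and everything else is the part worth copying: a parser that raises a documented validation error on bad input is behaving correctly, while an `IndexError` or `ZeroDivisionError` is the "something weird" that fuzzing exists to catch, and in a C library the same two bugs would be an out-of-bounds read and a divide-by-zero rather than a Python exception.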

Assured OSS wasn’t Google Cloud’s only new launch. BeyondCorp Enterprise Essentials is intended to “help organizations quickly and easily take the first steps toward Zero Trust implementation.” Google says it offers “context-aware access controls” for SAML applications, as well as “data loss prevention, malware and phishing protection, and URL filtering, integrated in the Chrome browser.” And Google’s Security Foundation solution is a package for enterprise customers intended to set a baseline for adopting Google Cloud security measures—such as “data protection, network security, security monitoring, and more”—without necessarily having to sort through every option.—TM
