♊️ GemiNews 🗞️
(dev)
🏡
📰 Articles
🏷️ Tags
🧠 Queries
📈 Graphs
☁️ Stats
💁🏻 Assistant
💬
🎙️
Demo 1: Embeddings + Recommendation
Demo 2: Bella RAGa
Demo 3: NewRetriever
Demo 4: Assistant function calling
Editing article
Title
Summary
<div class="block-paragraph"><p data-block-key="fnyba">Open-source software is used throughout the technology industry to help developers build software tools, apps, and services. While developers building with open-source software can (and often do) benefit greatly from the work of others, they should also conduct appropriate due diligence to protect against <a href="https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf" target="_blank">software supply chain attacks</a>.</p><p data-block-key="cr34o">With an increasing focus on managing open-source software supply chain risk, both Citi and Google strive to apply more rigor across risk mitigation, especially while choosing known and trusted suppliers where open source components are sourced from.</p><h3 data-block-key="8pjtn"><b>Key open source attack vectors</b></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/Key_open_source_attack_vectors.max-1000x1000.png" alt="Key open source attack vectors"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The diagram above highlights key open source attack vectors. We can divide the common software supply chain security attacks into five main types:</span></p> <ol> <li style="list-style-type: none;"> <ol> <li role="presentation"><span style="vertical-align: baseline;">Attacks at runtime leveraging vulnerabilities in the code </span></li> <li role="presentation"><span style="vertical-align: baseline;">Attacks on the repositories, tooling and processes </span></li> <li role="presentation"><span style="vertical-align: baseline;">Attacks on the integrity of the artifacts as they progress through the pipeline</span></li> <li role="presentation"><span style="vertical-align: baseline;">Attacks on the primary open source dependencies that customers applications leverage</span></li> <li role="presentation"><span style="vertical-align: baseline;">Attacks throughout the inherited transitive dependency chain of the open source packages </span></li> </ol> </li> </ol> <p><span style="vertical-align: baseline;">Application security experts have seen their work increase and get harder as these attacks have increased in recent years. Open-source components often include and depend on the functionality of other open-source components in order to function. These components can have two types of dependencies: direct and transitive. </span></p> <p><span style="vertical-align: baseline;">Generally, the interactions work like this: The application makes an initial call to a direct dependency. If the direct dependency requires any outside components for it to function, those outside components are the application’s transitive dependencies.</span></p> <p><span style="vertical-align: baseline;">These types of dependencies are notoriously difficult to remediate. This is because they are not readily accessible to the developer. Their code base resides with their maintainers, rendering the application entirely dependent upon their work. If the maintainer of one of these transitive dependencies releases a fix, the amount of time before it makes its way up the supply chain to impact your direct dependency could be a while. </span></p> <p><span style="vertical-align: baseline;">Thus, the management of vulnerabilities needs to be extended to the full transitive dependency chain as this is where </span><a href="https://www.forbes.com/sites/forbestechcouncil/2023/05/26/the-hidden-risk-lurking-in-the-software-supply-chain-transitive-open-source-dependencies/?sh=5e66dc87512f" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">95% of the vulnerabilities</span></a><span style="vertical-align: baseline;"> are found. Maintaining a regular upgrade and patching process for your software development lifecycle (SDLC) tooling is now a must; as is upgrading the security of both your repositories and processes combined with active security testing of each. </span></p> <p><span style="vertical-align: baseline;">Tamper-evident provenance and signing can increase confidence in the ability to maintain artifact integrity throughout the pipeline. And mapping and understanding the full transitive dependency chain of all external components and depending on only known and trusted providers for these components becomes a required condition. </span></p> <p><a href="https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Recent guidance from CISA</span></a><span style="vertical-align: baseline;"> and other government agencies supports the focus on appropriately selecting and testing open source software ahead of ingestion from a trusted source. While some organizations load built software artifacts directly from public package repositories, others with a more restrictive security risk appetite will require more stringent security controls requiring the use of curated open-source software providers. </span></p> <p><span style="vertical-align: baseline;">They may opt to only leverage open-source software they themselves have built from source, although this would be prohibitively expensive for most. But if they chose to use a curated third party, what checks must they look for before delegating that critical authority?</span></p> <p><span style="vertical-align: baseline;">There are three main criteria to evaluate a curated OSS vendor:</span></p> <p role="presentation"><span style="vertical-align: baseline;">1. </span><strong style="vertical-align: baseline;">High level of security maturity</strong></p> <p><span style="vertical-align: baseline;">A trusted supplier must demonstrate a high level of security maturity. Common areas of focus are to examine the security hygiene of the supplier in particular. Look for details of the vulnerability management culture and ability to quickly keep up to date with patching within the organisation. They should also have a well trained team, prepared to quickly address any incidents and a regular penetration testing team, continuously validating the security posture of the organisation. </span></p> <p><span style="vertical-align: baseline;">The trusted supplier should be able to demonstrate the security of their own underlying foundational infrastructure. Check that they:</span></p> <ol> <li style="list-style-type: none;"> <ol> <li><span style="vertical-align: baseline;">Have an up-to-date inventory of their own external dependencies. </span></li> <li><span style="vertical-align: baseline;">Demonstrate knowledge and control of all ingest points. </span></li> <li><span style="vertical-align: baseline;">Leverage a single production build service so that they can maintain a singular logical control point. </span></li> <li><span style="vertical-align: baseline;">Meet best practice standards for managing their infrastructure including:</span></li> </ol> </li> </ol> <ul> <li style="list-style-type: none;"> <ul> <li style="list-style-type: none;"> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Well designed separation of duties and IAM control</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Built-in organizational policy and guard rails to secure Zero Trust network design</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Automated and regular patching with associated evidence</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Support for these posture controls with complementary continuous threat detection with detection, logging and monitoring systems.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bonus points if they operate with "everything as code" and with hermetic, reproducible and verifiable builts. </span></p> </li> </ul> </li> </ul> </li> </ul> <p role="presentation"><span style="vertical-align: baseline;">2. </span><strong style="vertical-align: baseline;">High level of internal SDLC security</strong></p> <p><span style="vertical-align: baseline;">The security of the SDLC used within the trusted supplier must be extremely high, particularly around the control plane of the SDLC and the components that interact with the source code to build the end product. Each system must be heavily secured and vetted to ensure any changes to the software is reviewed, audited, and requires multi-party approvals before progressing to the next stage or deployment. Strong authentication and authorisation policies must be in place to ensure that only highly trusted individuals could ever build, or change the vendor infrastructure. </span></p> <p><span style="vertical-align: baseline;">The SDLC security also needs to extend to the beginning of the ingestion of the source code material into the facility and to any code or functionality used within the control plane of the system itself.</span></p> <p role="presentation"><span style="vertical-align: baseline;">3. </span><strong style="vertical-align: baseline;">Effective insider threat program</strong></p> <p><span style="vertical-align: baseline;">As the trusted supplier is a high value target, there will be the potential for an insider threat as an attack vector.Therefore, the curated vendor would be expected to have an active and effective insider threat program. This personnel vetting approach should also extend to ensuring the location of all staff are within approved proximity and not outsourced. </span></p> <h3><strong style="vertical-align: baseline;">Trust but verify</strong></h3> <p><span style="vertical-align: baseline;">It is also important that the trusted supplier provide supporting evidence and insights. This evidence includes:</span></p> <ol> <li role="presentation"><span style="vertical-align: baseline;">Checkable attestations on infrastructure security and processes via third party certifications and/or your own independent audit. </span></li> <li role="presentation"><span style="vertical-align: baseline;">Checkable attestations for the security posture and processes for their SDLC against a standard framework like SLSA or SSDF. </span></li> <li role="presentation"><span style="vertical-align: baseline;">Cryptographic signatures on the served packages and any associated accompanying metadata so that you can verify source and distribution integrity.</span></li> </ol> <p><span style="vertical-align: baseline;">The actual relevance and security risk of an issue in a package is the combination of</span></p> <p><span style="vertical-align: baseline;">inherent criticality of in isolation, the context it's used in, the environmental conditions in which its deployed, any external compensating controls, and decreased or increased risk in the environment. The figure below shows the interrelationship and interaction between vulnerabilities and threats in the application and those from the underlying infrastructure.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/End_to_end_risk_diagram.max-1000x1000.png" alt="End to end risk diagram"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p role="presentation"><span style="vertical-align: baseline;">4. Enhanced security and risk metadata that should accompany each served package to increase your understanding and insights to both the inherent component risk of the code or artifact as well as how that risk can change in context of your specific application and environment. Key metadata can include: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Standard SBOM with SCA insights - vulnerabilities, licensing info, fully mapped transitive dependencies and associated vulnerability and licensing risk. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">VEX statements for how the inherited vulnerabilities from transitive dependencies affect the primary package being served. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Any related threat intelligence specific to the package, use case, or your organization.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The ability of the supplier to provide this type of enhanced data reinforces the evidence that they have achieved a high level of security and that the components they serve represent assured and more trustable ingredients you can employ with greater confidence.</span></p> <h3><strong style="vertical-align: baseline;">Better control and balancing benefits of open source components</strong></h3> <p><span style="vertical-align: baseline;">Leveraging open source components is critical to developer velocity, quality and accelerating innovation and execution. Applying these recommendations and requirements can enable you to better control and balance the benefits of using open source components with the potential risk of introducing targetable weak points in your SDLC and ultimately reduce your risk and exposure.</span></p> <p><span style="vertical-align: baseline;">Google Cloud’s </span><a href="https://cloud.google.com/security/products/assured-open-source-software"><span style="text-decoration: underline; vertical-align: baseline;">Assured Open Source Software</span></a><span style="vertical-align: baseline;"> (Assured OSS) service for Java and Python ecosystems gives any organization that uses open source software the opportunity to leverage the security and experience Google applies to open source dependencies by incorporating the same OSS packages that Google secures and uses into their own developer workflows. </span></p> <p><span style="vertical-align: baseline;">Learn more about </span><a href="https://cloud.google.com/security/products/assured-open-source-software"><span style="text-decoration: underline; vertical-align: baseline;">Assured Open Source Software</span></a><span style="vertical-align: baseline;">, enable Assured OSS through our</span><span style="vertical-align: baseline;"> </span><a href="https://developers.google.com/assured-oss?utm_source=blog&utm_medium=referral#get-started" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">self-serve onboarding</span></a><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">form, use the metadata API to list available Python and Java packages and determine which Assured OSS packages you want to use.</span></p></div>
Content
empty
Author
Link
Published date
Image url
Feed url
Guid
Hidden blurb
--- !ruby/object:Feedjira::Parser::RSSEntry published: 2024-03-26 16:00:00.000000000 Z entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier guid: https://cloud.google.com/blog/products/identity-security/how-to-choose-a-known-trusted-supplier-for-open-source-software/ title: How to choose a known, trusted supplier for open source software categories: - Open Source - Partners - Security & Identity summary: "<div class=\"block-paragraph\"><p data-block-key=\"fnyba\">Open-source software is used throughout the technology industry to help developers build software tools, apps, and services. While developers building with open-source software can (and often do) benefit greatly from the work of others, they should also conduct appropriate due diligence to protect against <a href=\"https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf\" target=\"_blank\">software supply chain attacks</a>.</p><p data-block-key=\"cr34o\">With an increasing focus on managing open-source software supply chain risk, both Citi and Google strive to apply more rigor across risk mitigation, especially while choosing known and trusted suppliers where open source components are sourced from.</p><h3 data-block-key=\"8pjtn\"><b>Key open source attack vectors</b></h3></div>\n<div class=\"block-image_full_width\">\n\n\n\n\n\n\n \n <div class=\"article-module h-c-page\">\n <div class=\"h-c-grid\">\n \n\n <figure class=\"article-image--large\n \ \n \n h-c-grid__col\n h-c-grid__col--6 h-c-grid__col--offset-3\n \ \n \n \"\n >\n\n \n \n \n <img\n \ src=\"https://storage.googleapis.com/gweb-cloudblog-publish/images/Key_open_source_attack_vectors.max-1000x1000.png\"\n \ \n alt=\"Key open source attack vectors\">\n \n </a>\n \ \n </figure>\n\n \n </div>\n </div>\n \n\n\n\n\n</div>\n<div class=\"block-paragraph_advanced\"><p><span style=\"vertical-align: baseline;\">The diagram above highlights key open source attack vectors. We can divide the common software supply chain security attacks into five main types:</span></p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Attacks at runtime leveraging vulnerabilities in the code </span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Attacks on the repositories, tooling and processes </span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Attacks on the integrity of the artifacts as they progress through the pipeline</span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Attacks on the primary open source dependencies that customers applications leverage</span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Attacks throughout the inherited transitive dependency chain of the open source packages </span></li>\n</ol>\n</li>\n</ol>\n<p><span style=\"vertical-align: baseline;\">Application security experts have seen their work increase and get harder as these attacks have increased in recent years. Open-source components often include and depend on the functionality of other open-source components in order to function. These components can have two types of dependencies: direct and transitive. </span></p>\n<p><span style=\"vertical-align: baseline;\">Generally, the interactions work like this: The application makes an initial call to a direct dependency. If the direct dependency requires any outside components for it to function, those outside components are the application’s transitive dependencies.</span></p>\n<p><span style=\"vertical-align: baseline;\">These types of dependencies are notoriously difficult to remediate. This is because they are not readily accessible to the developer. Their code base resides with their maintainers, rendering the application entirely dependent upon their work. If the maintainer of one of these transitive dependencies releases a fix, the amount of time before it makes its way up the supply chain to impact your direct dependency could be a while. </span></p>\n<p><span style=\"vertical-align: baseline;\">Thus, the management of vulnerabilities needs to be extended to the full transitive dependency chain as this is where </span><a href=\"https://www.forbes.com/sites/forbestechcouncil/2023/05/26/the-hidden-risk-lurking-in-the-software-supply-chain-transitive-open-source-dependencies/?sh=5e66dc87512f\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">95% of the vulnerabilities</span></a><span style=\"vertical-align: baseline;\"> are found. Maintaining a regular upgrade and patching process for your software development lifecycle (SDLC) tooling is now a must; as is upgrading the security of both your repositories and processes combined with active security testing of each. </span></p>\n<p><span style=\"vertical-align: baseline;\">Tamper-evident provenance and signing can increase confidence in the ability to maintain artifact integrity throughout the pipeline. And mapping and understanding the full transitive dependency chain of all external components and depending on only known and trusted providers for these components becomes a required condition. </span></p>\n<p><a href=\"https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Recent guidance from CISA</span></a><span style=\"vertical-align: baseline;\"> and other government agencies supports the focus on appropriately selecting and testing open source software ahead of ingestion from a trusted source. While some organizations load built software artifacts directly from public package repositories, others with a more restrictive security risk appetite will require more stringent security controls requiring the use of curated open-source software providers. </span></p>\n<p><span style=\"vertical-align: baseline;\">They may opt to only leverage open-source software they themselves have built from source, although this would be prohibitively expensive for most. But if they chose to use a curated third party, what checks must they look for before delegating that critical authority?</span></p>\n<p><span style=\"vertical-align: baseline;\">There are three main criteria to evaluate a curated OSS vendor:</span></p>\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">1. </span><strong style=\"vertical-align: baseline;\">High level of security maturity</strong></p>\n<p><span style=\"vertical-align: baseline;\">A trusted supplier must demonstrate a high level of security maturity. Common areas of focus are to examine the security hygiene of the supplier in particular. Look for details of the vulnerability management culture and ability to quickly keep up to date with patching within the organisation. They should also have a well trained team, prepared to quickly address any incidents and a regular penetration testing team, continuously validating the security posture of the organisation. </span></p>\n<p><span style=\"vertical-align: baseline;\">The trusted supplier should be able to demonstrate the security of their own underlying foundational infrastructure. Check that they:</span></p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><span style=\"vertical-align: baseline;\">Have an up-to-date inventory of their own external dependencies. </span></li>\n<li><span style=\"vertical-align: baseline;\">Demonstrate knowledge and control of all ingest points. </span></li>\n<li><span style=\"vertical-align: baseline;\">Leverage a single production build service so that they can maintain a singular logical control point. </span></li>\n<li><span style=\"vertical-align: baseline;\">Meet best practice standards for managing their infrastructure including:</span></li>\n</ol>\n</li>\n</ol>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Well designed separation of duties and IAM control</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Built-in organizational policy and guard rails to secure Zero Trust network design</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Automated and regular patching with associated evidence</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Support for these posture controls with complementary continuous threat detection with detection, logging and monitoring systems.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Bonus points if they operate with \"everything as code\" and with hermetic, reproducible and verifiable builts. </span></p>\n</li>\n</ul>\n</li>\n</ul>\n</li>\n</ul>\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">2. </span><strong style=\"vertical-align: baseline;\">High level of internal SDLC security</strong></p>\n<p><span style=\"vertical-align: baseline;\">The security of the SDLC used within the trusted supplier must be extremely high, particularly around the control plane of the SDLC and the components that interact with the source code to build the end product. Each system must be heavily secured and vetted to ensure any changes to the software is reviewed, audited, and requires multi-party approvals before progressing to the next stage or deployment. Strong authentication and authorisation policies must be in place to ensure that only highly trusted individuals could ever build, or change the vendor infrastructure. </span></p>\n<p><span style=\"vertical-align: baseline;\">The SDLC security also needs to extend to the beginning of the ingestion of the source code material into the facility and to any code or functionality used within the control plane of the system itself.</span></p>\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">3. </span><strong style=\"vertical-align: baseline;\">Effective insider threat program</strong></p>\n<p><span style=\"vertical-align: baseline;\">As the trusted supplier is a high value target, there will be the potential for an insider threat as an attack vector.Therefore, the curated vendor would be expected to have an active and effective insider threat program. This personnel vetting approach should also extend to ensuring the location of all staff are within approved proximity and not outsourced. </span></p>\n<h3><strong style=\"vertical-align: baseline;\">Trust but verify</strong></h3>\n<p><span style=\"vertical-align: baseline;\">It is also important that the trusted supplier provide supporting evidence and insights. This evidence includes:</span></p>\n<ol>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Checkable attestations on infrastructure security and processes via third party certifications and/or your own independent audit. </span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Checkable attestations for the security posture and processes for their SDLC against a standard framework like SLSA or SSDF. </span></li>\n<li role=\"presentation\"><span style=\"vertical-align: baseline;\">Cryptographic signatures on the served packages and any associated accompanying metadata so that you can verify source and distribution integrity.</span></li>\n</ol>\n<p><span style=\"vertical-align: baseline;\">The actual relevance and security risk of an issue in a package is the combination of</span></p>\n<p><span style=\"vertical-align: baseline;\">inherent criticality of in isolation, the context it's used in, the environmental conditions in which its deployed, any external compensating controls, and decreased or increased risk in the environment. The figure below shows the interrelationship and interaction between vulnerabilities and threats in the application and those from the underlying infrastructure.</span></p></div>\n<div class=\"block-image_full_width\">\n\n\n\n\n\n\n \ \n <div class=\"article-module h-c-page\">\n <div class=\"h-c-grid\">\n \ \n\n <figure class=\"article-image--large\n \n \n h-c-grid__col\n \ h-c-grid__col--6 h-c-grid__col--offset-3\n \n \n \"\n \ >\n\n \n \n \n <img\n src=\"https://storage.googleapis.com/gweb-cloudblog-publish/images/End_to_end_risk_diagram.max-1000x1000.png\"\n \ \n alt=\"End to end risk diagram\">\n \n </a>\n \n \ </figure>\n\n \n </div>\n </div>\n \n\n\n\n\n</div>\n<div class=\"block-paragraph_advanced\"><p role=\"presentation\"><span style=\"vertical-align: baseline;\">4. Enhanced security and risk metadata that should accompany each served package to increase your understanding and insights to both the inherent component risk of the code or artifact as well as how that risk can change in context of your specific application and environment. Key metadata can include: </span></p>\n<ul>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Standard SBOM with SCA insights - vulnerabilities, licensing info, fully mapped transitive dependencies and associated vulnerability and licensing risk. </span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">VEX statements for how the inherited vulnerabilities from transitive dependencies affect the primary package being served. </span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Any related threat intelligence specific to the package, use case, or your organization.</span></p>\n</li>\n</ul>\n<p><span style=\"vertical-align: baseline;\">The ability of the supplier to provide this type of enhanced data reinforces the evidence that they have achieved a high level of security and that the components they serve represent assured and more trustable ingredients you can employ with greater confidence.</span></p>\n<h3><strong style=\"vertical-align: baseline;\">Better control and balancing benefits of open source components</strong></h3>\n<p><span style=\"vertical-align: baseline;\">Leveraging open source components is critical to developer velocity, quality and accelerating innovation and execution. Applying these recommendations and requirements can enable you to better control and balance the benefits of using open source components with the potential risk of introducing targetable weak points in your SDLC and ultimately reduce your risk and exposure.</span></p>\n<p><span style=\"vertical-align: baseline;\">Google Cloud’s </span><a href=\"https://cloud.google.com/security/products/assured-open-source-software\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Assured Open Source Software</span></a><span style=\"vertical-align: baseline;\"> (Assured OSS) service for Java and Python ecosystems gives any organization that uses open source software the opportunity to leverage the security and experience Google applies to open source dependencies by incorporating the same OSS packages that Google secures and uses into their own developer workflows. </span></p>\n<p><span style=\"vertical-align: baseline;\">Learn more about </span><a href=\"https://cloud.google.com/security/products/assured-open-source-software\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Assured Open Source Software</span></a><span style=\"vertical-align: baseline;\">, enable Assured OSS through our</span><span style=\"vertical-align: baseline;\"> </span><a href=\"https://developers.google.com/assured-oss?utm_source=blog&utm_medium=referral#get-started\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">self-serve onboarding</span></a><span style=\"vertical-align: baseline;\"> </span><span style=\"vertical-align: baseline;\">form, use the metadata API to list available Python and Java packages and determine which Assured OSS packages you want to use.</span></p></div>" carlessian_info: news_filer_version: 2 newspaper: Google Cloud Blog macro_region: Technology url: https://cloud.google.com/blog/products/identity-security/how-to-choose-a-known-trusted-supplier-for-open-source-software/ rss_fields: - title - url - summary - author - categories - published - entry_id author: Jonathan Meadows
Language
Active
Ricc internal notes
Imported via /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-03-31 23:24:01 +0200. Content is EMPTY here. Entried: title,url,summary,author,categories,published,entry_id. TODO add Newspaper: filename = /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Technology/Google Cloud Blog/2024-03-26-How_to_choose_a_known,_trusted_supplier_for_open_source_software-v2.yaml
Ricc source
Show this article
Back to articles