Footnotes
- Source: OWASP, “Top 10 Web Application Security Risks (2021)” (September 21, 2021).
- Ibid
- Source: Information Systems Audit and Control Association, “Supply Chain Security Gaps: A 2022 Global Research Report” (June 6, 2022).
- Ibid
Safeguarding against open-source software vulnerabilities
Explore how Assured Open-Source Software from Google Cloud can help reduce open-source software security risks
Modernize and innovate with Google Cloud Security
In 2021, the Open Web Application Security Project (OWASP) 1 tested over 100,000 applications for security vulnerabilities and found the top two issues were: Broken access control, where users would have unauthorized access to certain information, and cryptographic failure, where the failure of strong cryptography leads to sensitive data exposure. OWASP found that 94 percent of applications were tested for some form of broken access control.2
The growing shift into open-source software is due to the benefits that make organizations prefer using open-source software:
- People can look at the source code and check if it is doing anything malicious, and if there is something that they don’t like, they can modify it.
- Sometimes the creator of the open-source software may not be able to contribute anymore. Still, since the software is available for anyone to modify, other people can work on it instead.
- Open-source software can create a tight-knit community of users and developers that help test, use, and promote the software.
As such, open-source software has increased in popularity and has become many people’s preferred choice of how to approach software development.
Security concerns with open-source software
Along with the increase in popularity, many open-source software applications are part of digital supply chains that have been involved in cyberattacks. In 2022, the Information Systems Audit and Control Association (ISACA) 3 surveyed more than 1,300 IT professionals with supply chain visibility. ISACA reported that 25 percent of the professionals reported that their organization experienced attacks on its digital supply chain in the last 12 months.4 The survey respondents named five security concerns in their supply chain:
- Ransomware
- Poor information security practices by suppliers
- Software security vulnerabilities
- Third-party data storage
- Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP
Forty-seven percent of the professionals said their organizations do not perform scanning and penetration testing on their digital supply chain. Some of these attacks aimed to exploit weaknesses in upstream open-source ecosystems.
To reduce open-source security risks, Google Cloud introduced Assured Open-Source Software (Assured OSS). This new solution by Google Cloud is designed to help users of open-source software easily incorporate the same trusted, curated, and secured OSS packages that Google uses in its developer workflows.
Features of Assured OSS
Google Cloud has a portfolio of open source software that they maintain. Assured OSS is a trusted repository of curated OSS packages that have been scanned for vulnerabilities that can incur tremendous damage to organizations. The process of scanning open-source software can be costly if an organization does not have dedicated resources for it. Assured OSS handles the entire process of scanning for vulnerabilities, cutting down the cost of scanning open-source software significantly for organizations.
Detailed data
Assured OSS provides enriched metadata and analysis via assured and signed SBOMs and VEX data in industry-standard formats. These provide increased transparency to customers, in a signed and verifiable way, into the end-to-end build process for each curated Assured OSS artifact, including their transitive dependencies. Organizations can easily access this data to configure or modify any part of the open-source software to fit their business needs.
Developer friendly
Since Assured OSS is part of Google Cloud, the packages in the Assured OSS portfolio are built with Cloud Build and include evidence of verifiable Supply chain Levels for Software Artifacts (SLSA) compliance. This process ensures that the open-source software you are using is up to date and follows the requirements of SLSA. This is a step forward in securing the software supply chain and helps increase developer efficiency as they get their OSS packages from a known and trusted supplier.
Simple distribution
Open-source packages in the Assured OSS portfolio are verifiably signed by Google and distributed to customers from a Google Cloud managed, secured, and protected Artifact Registry and Storage services. Organizations and individuals can self-serve their enrollment and access to Assured OSS's secured endpoint, API surface, and notifications PubSub. They will know that the open-source software packages that Google Assured OSS maintains are held to high standards as the accompanying metadata provides tamper-evident provenance for how each package is built, scanned, and secured.
Open-source software supply chain
Assured OSS works by Google Cloud building key open-source packages end-to-end from source and actively securing each step of the software supply chain for an open source. Assured OSS lists and provided additional data on the transitive dependencies for each package.
Since these steps to secure open-source packages are long and complex, most organizations need more resources or experience to operate at the same level as Google Cloud, which is why Assured OSS will be a critical product to organizations.
Organizations can access the vast number of open-source packages currently maintained by Google Cloud’s Assured OSS. If the open-source package that you want to use is not in Google Cloud’s portfolio, you can request that a package be secured and managed through the Google Cloud managed service.
Potential benefits
Software supply chain simplification: With these features provided by Google Cloud’s Assured OSS service, a part of the software supply chain will be simplified, and the service will help ensure that the security of open-source software meets the standard and mitigates any potential risk of cyberattacks.
Early threat detection: Organizations can benefit significantly from Assured OSS because threats can be identified early in the software development process, helping to prevent potential damage that could cost a significant amount of money.
Align with compliance requirements: All packages within Google Cloud's Assured OSS portfolio follow SLSA requirements, including accompanying SBOM and VEX documents, and can be signature verified. Therefore, you can expect these open-source software packages to align with other compliance requirements such as PCI, DSS, and SOX.
Optimized application release cycle: If Assured OSS is embedded early in the software development process, applications can be released faster because Assured OSS reduces the software supply chain risk for using open-source software packages and cuts the resource and time allocation needed to scan and verify open-source software.
Reduce overall organizational risk exposure: Assured OSS will reduce the overall exposure to both vulnerability and software supply chain risks that organizations deal with when working with open-source software. As a result, organizations can scale and build applications faster when incorporating Assured OSS into their software development process.
With the growing importance of cybersecurity, Google Cloud’s Assured OSS is an excellent service to start and scale your applications. But implementing a new service to an established software chain supply can pose a significant challenge to many organizations as they must consider its effects on their people, processes, and programs.
What are the next steps an organization should take?
As an organization continues to grow, they must evaluate how their current process impacts them and how it can be changed. Therefore, when organizations want to add Assured OSS to their business, they should evaluate their open-source footprint on their cloud platform. Afterward, they should understand Assured OSS and evaluate the effects if one utilizes Assured OSS in their business. Finally, but certainly not the last step, is to map how Assured OSS can benefit business-critical applications that use open-source software.
KPMG is a Google Cloud partner and can guide you to effectively manage security risks, improve any security bottlenecks, and allow a more secure development flow to your business applications. KPMG also has been at the forefront of cloud security, and with our extensive cyber security experience, we can assist you in helping your organization stay secure and respond to incidents rapidly to mitigate any damages. KPMG has ventured into providing advanced services such as integrating security dev-ops and security policy as code. As such, KPMG has demonstrated success in the big cybersecurity space and will provide the best solutions.
Meet our team
Abhijeet Kulkarni
Managing Director, Advisory, Cyber Security Services, KPMG US
Abhijeet Kulkarni
Managing Director, Advisory, Cyber Security Services, KPMG US