Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

Safeguarding against open-source software vulnerabilities

Explore how Assured Open-Source Software from Google Cloud can help reduce open-source software security risks

Modernize and innovate with Google Cloud Security

In 2021, the Open Web Application Security Project (OWASP) 1 tested over 100,000 applications for security vulnerabilities and found the top two issues were: Broken access control, where users would have unauthorized access to certain information, and cryptographic failure, where the failure of strong cryptography leads to sensitive data exposure. OWASP found that 94 percent of applications were tested for some form of broken access control.2

The growing shift into open-source software is due to the benefits that make organizations prefer using open-source software:

  1. People can look at the source code and check if it is doing anything malicious, and if there is something that they don’t like, they can modify it.
  2. Sometimes the creator of the open-source software may not be able to contribute anymore. Still, since the software is available for anyone to modify, other people can work on it instead.
  3. Open-source software can create a tight-knit community of users and developers that help test, use, and promote the software.

As such, open-source software has increased in popularity and has become many people’s preferred choice of how to approach software development.

Security concerns with open-source software

Along with the increase in popularity, many open-source software applications are part of digital supply chains that have been involved in cyberattacks. In 2022, the Information Systems Audit and Control Association (ISACA) 3 surveyed more than 1,300 IT professionals with supply chain visibility. ISACA reported that 25 percent of the professionals reported that their organization experienced attacks on its digital supply chain in the last 12 months.4 The survey respondents named five security concerns in their supply chain:

  • Ransomware
  • Poor information security practices by suppliers
  • Software security vulnerabilities
  • Third-party data storage
  • Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP

Forty-seven percent of the professionals said their organizations do not perform scanning and penetration testing on their digital supply chain. Some of these attacks aimed to exploit weaknesses in upstream open-source ecosystems.

To reduce open-source security risks, Google Cloud introduced Assured Open-Source Software (Assured OSS). This new solution by Google Cloud is designed to help users of open-source software easily incorporate the same trusted, curated, and secured OSS packages that Google uses in its developer workflows.

Features of Assured OSS

Google Cloud has a portfolio of open source software that they maintain. Assured OSS is a trusted repository of curated OSS packages that have been scanned for vulnerabilities that can incur tremendous damage to organizations. The process of scanning open-source software can be costly if an organization does not have dedicated resources for it. Assured OSS handles the entire process of scanning for vulnerabilities, cutting down the cost of scanning open-source software significantly for organizations.

Detailed data

Assured OSS provides enriched metadata and analysis via assured and signed SBOMs and VEX data in industry-standard formats.  These provide increased transparency to customers, in a signed and verifiable way, into the end-to-end build process for each curated Assured OSS artifact, including their transitive dependencies. Organizations can easily access this data to configure or modify any part of the open-source software to fit their business needs.

Developer friendly

Since Assured OSS is part of Google Cloud, the packages in the Assured OSS portfolio are built with Cloud Build and include evidence of verifiable Supply chain Levels for Software Artifacts (SLSA) compliance. This process ensures that the open-source software you are using is up to date and follows the requirements of SLSA. This is a step forward in securing the software supply chain and helps increase developer efficiency as they get their OSS packages from a known and trusted supplier.

Simple distribution

Open-source packages in the Assured OSS portfolio are verifiably signed by Google and distributed to customers from a Google Cloud managed, secured, and protected Artifact Registry and Storage services. Organizations and individuals can self-serve their enrollment and access to Assured OSS's secured endpoint, API surface, and notifications PubSub. They will know that the open-source software packages that Google Assured OSS maintains are held to high standards as the accompanying metadata provides tamper-evident provenance for how each package is built, scanned, and secured.

Open-source software supply chain

Assured OSS works by Google Cloud building key open-source packages end-to-end from source and actively securing each step of the software supply chain for an open source. Assured OSS lists and provided additional data on the transitive dependencies for each package.

Since these steps to secure open-source packages are long and complex, most organizations need more resources or experience to operate at the same level as Google Cloud, which is why Assured OSS will be a critical product to organizations.

Organizations can access the vast number of open-source packages currently maintained by Google Cloud’s Assured OSS. If the open-source package that you want to use is not in Google Cloud’s portfolio, you can request that a package be secured and managed through the Google Cloud managed service.

Potential benefits

Software supply chain simplification: With these features provided by Google Cloud’s Assured OSS service, a part of the software supply chain will be simplified, and the service will help ensure that the security of open-source software meets the standard and mitigates any potential risk of cyberattacks.

Early threat detection: Organizations can benefit significantly from Assured OSS because threats can be identified early in the software development process, helping to prevent potential damage that could cost a significant amount of money.

Align with compliance requirements: All packages within Google Cloud's Assured OSS portfolio follow SLSA requirements, including accompanying SBOM and VEX documents, and can be signature verified. Therefore, you can expect these open-source software packages to align with other compliance requirements such as PCI, DSS, and SOX.

Optimized application release cycle: If Assured OSS is embedded early in the software development process, applications can be released faster because Assured OSS reduces the software supply chain risk for using open-source software packages and cuts the resource and time allocation needed to scan and verify open-source software.

Reduce overall organizational risk exposure: Assured OSS will reduce the overall exposure to both vulnerability and software supply chain risks that organizations deal with when working with open-source software. As a result, organizations can scale and build applications faster when incorporating Assured OSS into their software development process.

With the growing importance of cybersecurity, Google Cloud’s Assured OSS is an excellent service to start and scale your applications. But implementing a new service to an established software chain supply can pose a significant challenge to many organizations as they must consider its effects on their people, processes, and programs.

What are the next steps an organization should take?

As an organization continues to grow, they must evaluate how their current process impacts them and how it can be changed. Therefore, when organizations want to add Assured OSS to their business, they should evaluate their open-source footprint on their cloud platform. Afterward, they should understand Assured OSS and evaluate the effects if one utilizes Assured OSS in their business. Finally, but certainly not the last step, is to map how Assured OSS can benefit business-critical applications that use open-source software.

KPMG is a Google Cloud partner and can guide you to effectively manage security risks, improve any security bottlenecks, and allow a more secure development flow to your business applications. KPMG also has been at the forefront of cloud security, and with our extensive cyber security experience, we can assist you in helping your organization stay secure and respond to incidents rapidly to mitigate any damages. KPMG has ventured into providing advanced services such as integrating security dev-ops and security policy as code. As such, KPMG has demonstrated success in the big cybersecurity space and will provide the best solutions.


  1. Source: OWASP, “Top 10 Web Application Security Risks (2021)” (September 21, 2021).
  2. Ibid
  3. Source: Information Systems Audit and Control Association, “Supply Chain Security Gaps: A 2022 Global Research Report” (June 6, 2022).
  4. Ibid

Meet our team

Image of Abhijeet Kulkarni
Abhijeet Kulkarni
Managing Director, Advisory, Cyber Security Services, KPMG US

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.