News, news analysis, and commentary on the latest trends in cybersecurity technology.

Google Tackles Open Source Security With New Dependency Service

With deps.dev API and Assured OSS, Google is addressing the common challenges software developers face in securing the software supply chain.

a black slate with a blue frame with a word cloud showing the words open source software in big letters.
Source: cacaroot via iStock

In a bid to reduce software supply chain risks in the open source software ecosystem, Google launched a free API service providing dependency data and security-related information on over 5 million software components across different programming languages.

Attackers are increasingly injecting malicious code into widely used open source components or dependencies to compromise software projects. According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack, the second most common method used. The most common is using exploits targeting vulnerabilities in code.

The free deps.dev API allows developers to find out information about the packages they are thinking of using, such as what versions are available, software license being used, and which dependencies are included in the package. The information comes from the security metadata collected by Google's Open Source Insights team. The metadata comes from multiple sources for 5 million packages with 50 million versions found in the Go, Maven (Java), PyPI (Python), npm (JavaScript), and Cargo (Rust) public registries. The metadata includes transitive dependency graphs, license information, security advisory impact reports, and OpenSSF Security Scorecard information.

Support for NuGet (.NET framework) packages is on the roadmap, Google said.

Google has already integrated the deps.dev API into Graph for Understanding Artifact Composition (GUAC) to build SBOMs, and other integrations -- such as an integrated development environment (IDE) plugin to provide dependency information, hooking into continuous integration/continuous delivery (CI/CD) frameworks to prevent vulnerable code from being deployed, identifying unknown files in software inventory management tools, and using visualization tools to generate dependency graphs -- are in the works.

"Software supply chain security is hard, but it’s in all our interests to make it easier," the Google Open Source Security Team said in a blog post. "Every day, Google works hard to create a safer internet, and we’re proud to be releasing this API to help do just that and make this data universally accessible and useful to everyone."

Safer Than Local Repos

As part of the company’s efforts to improve open source software security, Google Cloud also announced general availability for the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems. Assured OSS allows organizations to incorporate the same open source packages Google secures and uses into their own developer workflows. When the service was originally announced in May 2022, it launched with 278 packages. Now it contains over 1,000 Java and Python packages, including projects such as TensorFlow, Pandas, and Scikit-learn.

Many organizations maintain private repositories of commonly used packages instead of always connecting to public repositories. While there are benefits to this approach, it also puts the onus of regularly updating the packages in the local repository whenever the official package is changed onto the organization. Many developers wind up pulling outdated and vulnerable versions of open source packages as a result.

Using this service would help reduce risk as Google is actively scanning these packages to find and fix vulnerabilities. The vulnerabilities are fixed and “quickly contributed back upstream to limit the exposure time and blast radius,” Google Cloud’s group product manager of security and privacy Andy Chang wrote in the announcement.

The service provides Assured SBOMs (Software Bill of Materials) so that organizations know what dependencies are included in those packages. That way, if a vulnerability is disclosed in a dependency, organizations using the service would have a easier time finding out if they are impacted, even if the dependency is buried deep down in the software.

About the Author

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights