Google has announced two new initiatives to increase the security and dependability of open-source software packages developers use. The first one is Deps.dev, a free API service offering complete dependency and security information for over 5 million packages written in various programming languages.
The second initiative launched by Google is the Assured Open Source Software (Assured OSS) public service. This service provides development teams with a repository of secure packages for Python and Java, curated by Google itself. The move is timely amid recent reports of malware in developer repositories. The Assured OSS repository aims to mitigate the risks of using open-source packages, especially for private and in-house developers who keep copies of frequently used packages in their own local repositories to limit the damage if the public version of a popular package is compromised. That practice has a downside: a locally mirrored copy can lag behind upstream, so security fixes may be delayed for an extended period and the final product's security is weakened.
The Assured OSS repository, curated by Google specialists, is intended to make the development process safer and more reliable. Many studies have shown that organizations frequently use outdated and vulnerable versions of open-source components in their applications, which poses significant risk. Google's repository is designed to address this problem by providing development teams with a curated set of secure packages that they can use with confidence.