
Google launches new supply chain security offerings

Securing the software supply chain, especially open source libraries, was a major theme behind the new products released at the Google Cloud Next '22 conference.

Google looks to sew up software supply chain and open source security weaknesses with two new initiatives.

Software Delivery Shield (SDS) and Assured Open Source Software (OSS) were just two of several offerings launched during the Google Cloud Next '22 conference Tuesday to address the most current threats to supply chain security. Some of those products will include incident response and exposure management capabilities from Google's acquisition of Mandiant, which became official last month.

Google Cloud hosted a virtual press conference last week with Phil Venables, CISO of Google Cloud; Sunil Potti, vice president and general manager at Google Cloud; and Kevin Mandia, CEO of Mandiant, to provide an acquisition update and discuss which enterprise concerns the products address.

A key concern discussed during the event was supply chain security -- specifically, open source software that could contain hidden and unpatched vulnerabilities or even malicious code.

"Open source tends to be one of the weakest links in the enterprise," Potti said during the press conference.

He went on to say that Google Cloud's Assured OSS service, which was introduced in May and is currently in preview mode, is a "game changer." In a blog post detailing the products, Google Cloud said open source software "now helps power nearly all of our public infrastructure and is highly prevalent in most proprietary software."

One of the main problems with open source software, demonstrated by the recent rediscovery of a 15-year-old Python vulnerability, is a lack of ongoing maintenance and monitoring. Google's Assured OSS scans, analyzes and fuzz-tests packages for vulnerabilities so that companies can consume vetted packages instead of pulling unvetted releases straight from upstream.

"From what we know, it's the first-to-market offering," Potti said. "It starts with a healthy set of Java and Python that we compared notes with customers on their top needs. We expect the list of packages to go from hundreds to thousands very quickly."

Assured OSS is part of SDS, which is a set of tools intended to help companies build secure cloud applications and cover concerns along the software supply chain. Google said SDS is designed to improve security in five key areas of the software supply chain: application development, software supply, continuous integration/continuous delivery, production environments and policies.

Potti said supply chain security has been a particular topic since Log4Shell, a remote code execution vulnerability in Apache Log4j, a widely used Java logging library, was exploited in attacks against a large number of organizations beginning in December 2021.

The threat to supply chains is amplified by nation-state actors that are also taking advantage of unpatched flaws and zero-day vulnerabilities such as the ProxyLogon vulnerabilities found in Microsoft Exchange Server.

"Nation-state actors are increasingly spending more time not just on governments, but on enterprises of all sizes," he said. "The big banks to the small credit unions."

Potti said SDS builds on previous initiatives such as the Open Source Security Foundation, which Google co-founded, and the end-to-end framework Google introduced in 2021, Supply Chain Levels for Software Artifacts (SLSA).

Google Chronicle, Mandiant updates

Chronicle Security Operations is another new initiative launched during Google Cloud Next that consolidates previous products. Chronicle was launched as a standalone cybersecurity company and later brought into Google Cloud to help enterprises pull in and analyze vast amounts of security data with services such as VirusTotal and Backstory.

Now, Google said, with increasingly sophisticated threat actors, the volume of data security teams must collect and analyze is more demanding than ever before.

The new Security Operations software suite is designed to help companies investigate and detect cloud threats, particularly with the new challenges that hybrid work environments present. It combines Chronicle's SIEM technology with the security orchestration, automation and response tools from Google Cloud's acquisition of SOAR startup Siemplify in January. Additional incident and exposure management capabilities from the recent Mandiant acquisition will be added to Chronicle Security Operations in the future.

Google agreed to acquire Mandiant in March and completed the deal in September. During the press conference, Mandia said the incident response vendor will gain from Google Cloud's insight and reach to customers.

"We couldn't get to amplifying how the attackers are circumventing the common safeguards today. Joining forces with Google made tremendous sense because of Google Cloud," he said. "It allows the amplification of our knowledge and our capability to stop the most current attacks that organizations are having to deal with."

Google will also help Mandiant add automated capabilities, which Mandia said is "what everyone wants." He applauded Google's analytics and AI proficiency, and said the capabilities will be added to Mandiant's security operations. More importantly, he emphasized how it will help with defense techniques against new threats and novel attacks.

"Every board or CEO wants to know, 'How good are we?'" Mandia said. "The best way to get an answer is to test it."
