Google has unveiled OSV-Scanner, a tool to assist open source developers in identifying vulnerabilities in the code they depend on. This program automatically matches developer code and dependencies against an extensive list of known issues and provides instant feedback if patches are necessary.
Google has also launched GUAC, an open source project that collects software security metadata into a high-fidelity graph database. This enables organizations to enhance audit processes, meet policy demands and offer developer assistance.
OSV-Scanner
Google has unveiled OSV-Scanner, a free tool designed to assist open source developers in detecting security flaws within their software. This free scanner utilizes Google’s vulnerability database to match up your code and dependencies with known issues that require patching.
Many open source projects rely on a vast number of dependencies, making it essential to monitor these external libraries in order to prevent vulnerabilities from entering your project. Manual methods often prove too time-consuming; thus automation is necessary in order to guarantee each dependency receives an update as soon as potential flaws are disclosed.
OSV-Scanner can examine the transitive dependencies your project utilizes by analyzing manifests, SBOMs, and commit hashes. It then links this data to the OSV database and displays vulnerabilities relevant to your endeavor.
The OSV database is a collaborative repository that stores vulnerability information in machine-readable form. It was designed to make it simpler for developers to locate data and share it with others.
To guarantee the accuracy of information in this database, it’s sourced from trustworthy sources. Furthermore, it’s community-led which means there will always be a wealth of valuable content.
It will also maintain its information in a machine-readable format, making it easy for developers to match it up with their package lists. The end result is an authoritative, high-quality vulnerability database that reduces manual effort when remediating packages.
Furthermore, OSV-Scanner will alert developers of any patches and updates necessary for their projects so they can apply them promptly. This automation is a vital component of fulfilling the 2021 US Executive Order on Cybersecurity which calls for this type of automated security measure.
Automating your vulnerability management processes is a wise idea, as this gives internal teams enough time to fix issues before hackers do. Vulnerability scanners are one of the quickest and most reliable ways of doing this.
OSS-Fuzz
In 2016, Google introduced OSS-Fuzz, a free service that runs fuzzers for open source projects. Since then, it has identified over 8,800 vulnerabilities and 288,000 bugs across 850 projects.
OSS-Fuzz also provides a central interface for all bugs detected. It sends email notifications to project maintainers and uses a dashboard to keep track of issues. Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code bases.
To be considered for integration into OSS-Fuzz, an open source project must fulfill a critical need in global infrastructure or be essential to other important open source initiatives that depend on it. The team then reviews each project based on its criticality score and other criteria related to integration into OSS-Fuzz.
Integration into OSS-Fuzz is done by writing a pull request to the Github repository of OSS-Fuzz. Afterwards, all of your project’s fuzzers will be run daily by the OSS-Fuzz server.
One of the unique aspects of OSS-Fuzz is that anyone can apply to write an integration for an open source project, regardless of their security expertise or lack thereof. This enables security engineers to focus on generalized fuzzing innovations which benefit all target projects while project developers do the parts which require less time but effort from security engineers (like learning the project’s build system).
Integrating into OSS-Fuzz is not a quick feat; it takes considerable effort on the project’s part. There are numerous factors to take into account, such as making sure your build system is compatible with OSS-Fuzz, having sufficient artifacts for fuzzing and making sure fuzzers run smoothly without causing other issues in the build system.
In addition to being a great way to detect open source vulnerabilities, OSS-Fuzz can also be employed for memory corruption detection in native code. Utilizing Jazzer, Google’s JVM-based fuzzing tool, it injects data into code running through the Java Native Interface in order to determine if any memory leaks exist.
OSS-Fuzz also offers a public reward program, rewarding developers who integrate their open source projects into the service. Prior to this change, rewards were only offered for C/C++ fuzzing; now researchers can receive up to $30,000 for uncovering security flaws in other languages.
GUAC
Google has unveiled a tool designed to detect open source vulnerabilities in software. Dubbed Graph for Understanding Artifact Composition (GUAC), this new system ingests data from different sources so as to better comprehend how security-related metadata is distributed throughout the software supply chain.
In 2021, the number of software supply chain attacks increased by 300% – an indication that malicious actors are looking for opportunities to exploit open source flaws. Companies are aware of these potential hazards but often lack insight into how software is developed or its source code. Regardless, companies continue to struggle with understanding the implications arising from lack of transparency surrounding source code development processes and procedures.
Organizations often rely on various types of data to assess a software product’s cybersecurity risk. These could include Software Bills of Materials (SBOMs), signed attestations about how it was built and cross-database vulnerability databases.
Analyzing these data points can be challenging due to their dispersal across different systems. GUAC automatically maps out the relationships between these records, enabling developers to assess the security of an application’s code components more easily.
GUAC is designed for companies to utilize before integrating a new software product into their environments. It can help businesses identify critical vulnerabilities in applications they use, thereby safeguarding users and customers alike.
According to a blog post, GUAC compiles strategic data from multiple sources in order to assist developers quickly review and assess security risks in their applications. Furthermore, it offers them new approaches for reducing security risks within those applications.
This new tool is being launched in collaboration with Citibank NA, Purdue University and Kusari. Additionally, a technical advisory group consisting of representatives from Shopify, Intel and IBM will provide support.
Google’s GUAC initiative is the latest in a long series of initiatives to protect software supply chains. This open-source project brings together various sources of software security metadata into an accessible graph database, representing an important step towards mitigating supply chain risk.
GitHub
Google is now introducing a tool to identify open source vulnerabilities in software projects. According to the search engine giant, this can assist developers identify security risks associated with components of an upcoming project and allow organizations to assess the potential damage from such issues before they are deployed.
Google has unveiled a new tool called GUAC, which they describe as an essential element of any organization’s software development lifecycle (SDLC). GUAC collects cybersecurity-related data points to decipher how those points are linked and then utilizes that insight for more complex analyses.
GitHub is an online repository for software projects, providing developers with convenient access to code from anywhere at anytime. Unfortunately, GitHub can also pose security risks to a project.
Companies should regularly scan open source libraries used in their project to detect potential security flaws and address them quickly.
Computer Weekly previously reported that it can be challenging to determine which open source libraries contain vulnerabilities due to their many incorporations of other software modules maintained by third parties.
This is where the new tool can come in handy, as it will scan for vulnerabilities in these modules and guarantee all dependencies are patched.
According to a blog post, OSV-Scanner can be used for scanning through your project’s dependencies to check for vulnerabilities, as well as identifying and tracking module versions. It will then send notifications if any issues are discovered.
The OSV-Scanner allows you to submit a report which will be automatically submitted to GitHub. Once accepted, the tool will send you a notification that the issue has been corrected and also notify your project’s maintainers, informing them that their dependencies have now been secured.
GitHub recently introduced secret scanning alerts, alerting developers when their repositories have leaked secrets. With some secrets taking up to 327 days to locate, this is an essential step in helping developers detect and respond to the exposure of their secrets.
