EP131 A Deep Dive into Google's Assured OSS: How Google Secures the Software You Use

Guests:

• Himanshu Khurana, Engineering Manager, Google Cloud

• Rahul Gupta, Product Manager for Assured OSS, Google Cloud

Topics:

• For the software you're supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?

• So what is Assured Open Source?

• Do we really guarantee its security? What does "guarantee" here mean?

• What're users actually paying for here?

• What's the Google magic here and why are we doing this?

• Do we really audit all code and fuzz for security issues?

• What's a supply chain attack and then we'll talk about how this is plugging into those gaps?

Resources:

• Assured Open Source Software page

• "SBOMs: A Step Towards a More Secure Software Supply Chain" (ep116)

• "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24)

• SLSA.dev blog

• Open Source Security Podcast

• Mandiant M-Trends 2023