Worried about the security of your code's dependencies? Try Google's Deps.dev

Is this what the kids mean by owning the libs?
In early 2002, then Microsoft chairman Bill Gates issued his Trustworthy Computing memo to ensure that computing “is as available, reliable and secure as electricity, water services and telephony.”
Two decades later, utilities and public infrastructure in the US are generally available but could be more reliable and more secure, and Windows, like other major operating systems, still falls short of Gates’s goal. The vulnerabilities in the software – open source and proprietary – continue to plague computing. And as computing devices proliferate, so too do the potential consequences of compromised code.
This has become a matter of national concern. The White House issued its own directives last year, spurred on by damaging security incidents like Log4Shell and the SolarWinds cyberattacks. It has become clear that the volunteerism that makes so much open source code available needs to be supported, in terms of financing, security, and coordination, in order to ensure the availability, reliability, and security of computers and all the products and infrastructure that rely on them.
On Tuesday, Google – which has answered the government’s call to secure the software supply chain with initiatives like the Open Source Vulnerabilities (OSV) database and Software Bills of Materials (SBOMs) – announced an open source software vetting service, its deps.dev API.
The API, accessible in a more limited form via the web, aims to provide software developers with access to security metadata on millions of code libraries, packages, modules, and crates.
