Verifiable design in modern systems

Posted by Ryan Hurst, Production Security Team

The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software. One of the ways we can do that […]


Measuring Security Risks in Open Source Software: Scorecards Launches V2

Posted by Kim Lewandowski, Azeem Shaikh, Laurent Simon, Google Open Source Security Team

Contributors to the Scorecards project, an automated security tool that produces a “risk score” for open source projects, have accomplished a lot since our launch last fall. Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. […]


Get ready for the 2021 Google CTF

Posted by Kristoffer Janke, Information Security Engineer

Are you ready for no sleep, no chill and a lot of hacking? Our annual Google CTF is back! The competition kicks off on Saturday July 17 00:00:01 AM UTC and runs through Sunday July 18 23:59:59 UTC. Teams can register at http://goo.gle/ctf. Just like last year, the […]


Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

Posted by Kim Lewandowski, Google Open Source Security Team & Mark Lodato, Binary Authorization for Borg Team

Supply chain integrity attacks—unauthorized modifications to software packages—have been on the rise in the past two years, and are proving to be common and reliable attack vectors that affect all consumers of software. The software development and deployment supply […]


Verifiable Supply Chain Metadata for Tekton

Posted by Dan Lorenc, Priya Wadhwa, Open Source Security Team

If you’ve been paying attention to the news at all lately, you’ve probably noticed that software supply chain attacks are rapidly becoming a big problem. Whether you’re trying to prevent these attacks, responding to an ongoing one or recovering from one, you understand that knowing what […]


Announcing New Abuse Research Grants Program

Posted by Anna Hupa, Marc Henson, and Martin Straka, Google VRP Team

Our Abuse Bug Bounty program has proved tremendously successful in the past three years since its introduction – thanks to our incredibly engaged community of researchers. Their contributions resulted in +1,000 valid bugs, helping us raise the bar in combating product abuse, As […]
