Highlights:
- Users can utilize GUAC to query metadata, such as scorecard papers, SLSA provenance, and SBOMs, to confirm the security and integrity of their software supply chain.
- The development of a centralized tool to consolidate SBOMs from many open-source projects can potentially improve open-source security as a whole.
This year, a significant theme in enterprise security has been the development of open-source security. An Executive Order (EO) was released urging businesses to provide an accurate software bill of materials in response to a series of supply chain attacks on software vendors, including SolarWinds and Colonial Pipeline (SBOM).
In a bid to push this effort, Google launched a new open-source project, Graph for Understanding Artifact Composition (GUAC), a tool that can aggregate security metadata from several open-source projects and show it as part of a single graph.
Users can utilize GUAC to query metadata, such as scorecard papers, SLSA provenance, and SBOMs, to confirm the security and integrity of their software supply chain.
For businesses, GUAC offers a way to audit open-source applications and enhance transparency regarding the SBOMs used as part of other open-source solutions.
Auditing the software supply chain
The announcement coincides with a 300% surge in software supply chain threats in 2021. Software vendors are aware that threat actors deliberately seek open-source vulnerabilities to attack, particularly those as widespread as Log4j.
It also comes at a time when Google is partnering with groups, including OpenSSF, SLSA, SPDX, and CycloneDX, to offer ready access to SBOMs, signed attestations on how software was produced via SLSA, SLSA3 GitHub Actions Builder, and vulnerability databases easily accessible.
The development of a centralized tool to consolidate SBOMs from many open-source projects can potentially improve open-source security as a whole.
Brandon Lum, the senior Google Open Source Security Team software engineer, said, “The EO and OMB [Office of Management and Budget] requirements have driven a huge surge in the creation of SBOMs and other software metadata. However, now that we have a sea of metadata documents, what do we do with them? GUAC provides a way to make sense of the chaos of software metadata.”
Visibility over this metadata is crucial for enabling organizations to manage the security of open-source software and dependencies.
Brandon Lum said, “Effectiveness of policies and risk management depends on the quality of software metadata available. GUAC provides deeper insight into an organization’s software catalog, providing better visibility, automation, and risk management.”
Data sources GUAC can obtain data from open and public datasets, such as OSV, first-party internal repositories, and third-party solutions, such as data providers’ internal systems. GUAC imports information on artifacts, projects, resources, vulnerabilities, repositories, and developers.
What’s its role in open-source security?
GUAC provides a solution for CISOs to identify vulnerable software supply chain components.
As highlighted in the announcement blog post, users will be able to identify the most frequently used critical components in the software supply chain, weak points, risky dependencies, and whether binaries can be traced to a securely managed repository, among other things, and ultimately find ways to prevent compromises.