The Open Source Security Team at Google has recently introduced GUAC (Graph for Understanding Artifact Composition) v0.1, a tool designed for security professionals. GUAC focuses on metadata synthesis and aggregation, addressing a requirement outlined in the U.S. Executive Order on Cybersecurity. The tool aims to help security professionals assess the security posture of their software supply chain.
Brandon Lum and Mihai Maruseac from Google Open Source Security Team announced the launch in a blog post. GUAC acknowledges the importance of consolidating information from diverse sources, and therefore, aggregates software security metadata and aligns it with a standardized concept library that pertains to the software supply chain.
As supply chains evolve on a daily basis, GUAC continuously updates its database by incorporating the most up-to-date threat information and analytics from external data sources. These sources include Software Bill of Materials (SBOMs), Supply-chain Levels for Software Artifacts (SLSA), and OSS insights.
Source: GUAC Docs
According to the authors, studying how enterprises reacted to Log4Shell showed that maintaining a unified SBOM repository is beneficial: it let organizations track which of their artifacts contained the vulnerable component and plan their response accordingly. Following the U.S. Executive Order on Cybersecurity, build and release workflows now generate large numbers of SBOMs, which makes managing them cumbersome. GUAC addresses this challenge by linking documents to each other and using heuristics to improve data quality. The GUAC community is actively collaborating with SPDX to advance SBOM tooling and improve the accuracy of metadata.
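To illustrate the Log4Shell-style question a unified SBOM store answers ("which of our shipped products contain an affected package version?"), here is a small in-memory artifact graph. It is an added example written for this article, not GUAC's own code or data model; the three SBOM documents and the advisory are constructed sample data, and the version-range check assumes plain dotted numeric versions.

```python
from collections import defaultdict

# Constructed SPDX-like SBOM documents, one per shipped product (sample data).
SBOM_DOCS = [
    {"name": "billing-service-2.3", "packages": [
        {"name": "log4j-core", "versionInfo": "2.14.1"},
        {"name": "guava", "versionInfo": "31.0"}]},
    {"name": "web-frontend-1.9", "packages": [
        {"name": "log4j-core", "versionInfo": "2.17.1"},
        {"name": "react", "versionInfo": "18.2.0"}]},
    {"name": "batch-jobs-0.8", "packages": [
        {"name": "log4j-core", "versionInfo": "2.12.0"}]},
]

# Constructed OSV-style advisory (placeholder id, sample range).
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "package": "log4j-core",
            "ranges": [{"introduced": "2.0", "fixed": "2.17.1"}]}


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare in order."""
    return tuple(int(part) for part in version.split("."))


def build_graph(docs):
    """Link each package@version node to every SBOM document that lists it."""
    graph = defaultdict(set)
    for doc in docs:
        for pkg in doc["packages"]:
            graph[(pkg["name"], pkg["versionInfo"])].add(doc["name"])
    return graph


def affected(pkg_version, ranges):
    """True if the version falls in any [introduced, fixed) advisory range."""
    v = version_key(pkg_version)
    return any(version_key(r["introduced"]) <= v < version_key(r["fixed"])
               for r in ranges)


def impacted_sboms(graph, advisory):
    """Names of SBOM documents that contain a vulnerable package version."""
    hits = set()
    for (name, ver), docs in graph.items():
        if name == advisory["package"] and affected(ver, advisory["ranges"]):
            hits |= docs
    return sorted(hits)


if __name__ == "__main__":
    print(impacted_sboms(build_graph(SBOM_DOCS), ADVISORY))
```

The same graph can be queried from the other direction (which packages does a given product ship?), which is the kind of bidirectional linking that makes an aggregated store more useful than a pile of individual SBOM files.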
During a panel discussion at CloudNativeSecurityCon 2023, GUAC was endorsed as a valuable tool for understanding, utilizing, and deriving meaning from SBOMs. The discussion also highlighted the absence of a current standard method for distributing SBOMs, emphasizing the potential for automation in this area.
Lum and Maruseac emphasized that GUAC users can build integrations that enable trust-based policy creation, prompt response to security breaches, and upgrade planning in the event of a security incident. They can also build CLI tools for large-scale analysis and incident response, as well as IDE plugins for proactive policy enforcement.
Early adopters have provided positive feedback on GUAC. Hemil Kadakia, senior manager of software development engineering on the Information Security Team (Paranoids) at Yahoo, said,
At Yahoo, we have found immense value and significant efficiency by utilizing the open-source project GUAC. GUAC has allowed us to streamline our processes and increase efficiency in a way that was not possible before.
Dejan Bosanac, principal software engineer at Red Hat and active contributor to the GUAC project, said,
With mechanisms to ingest and certify data from various sources and a GraphQL API to later query those data, we see it as a good foundation for our current and future SSCS efforts. Being a true open source initiative with a welcoming community is just a plus.
Interested readers can learn more about GUAC via the community page.