Google’s open source security team recently introduced GUAC (Graph for Understanding Artifact Composition) v0.1, a tool designed for security professionals. GUAC focuses on synthesizing and aggregating software supply chain metadata, addressing requirements outlined in the US Executive Order on Cybersecurity. The tool is intended to help security professionals assess the security posture of their supply chains.

Brandon Lum and Mihai Maruseac of the Google Open Source Security Team made the announcement in a blog post. GUAC is built on the premise that information from a variety of sources must be integrated: it aggregates software security metadata and aligns it with standardized conceptual libraries related to the software supply chain.

Because the supply chain evolves daily, GUAC continuously updates its database to incorporate the latest threat information and analysis from external data sources. These sources include Software Bills of Materials (SBOMs), Supply-chain Levels for Software Artifacts (SLSA), and OSS Insights.

Source: GUAC documentation

After investigating how companies responded to Log4Shell, the team found that maintaining a unified SBOM repository was beneficial to an organization: it allowed vulnerabilities to be tracked and response strategies to be planned accordingly. However, because of the number of SBOMs generated during build and release workflows, as required by the US Executive Order on Cybersecurity, managing them became cumbersome. GUAC addresses this challenge by linking documents to one another and using heuristics to improve data quality. The GUAC community is actively working with SPDX to advance SBOM tooling and improve metadata accuracy.
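As an added illustration of the "unified SBOM repository" idea described above, the following Python sketch merges several SBOM fragments into one dependency graph, links a vulnerability advisory to the affected package nodes, and then answers the incident-response question "which of our deployable artifacts are transitively exposed?" This is example code written for this page, not GUAC's own implementation or data model (GUAC identifies packages by package URL and exposes a GraphQL API); the SBOM fragments, the advisory, its identifier, and the name-plus-version linking heuristic are all constructed assumptions.

```python
"""Toy unified SBOM graph: ingest several SPDX-style fragments, attach an
advisory, and walk reverse dependencies to find impacted top-level artifacts.
All documents below are constructed for this example; none are real records."""
from collections import defaultdict, deque

# Constructed SPDX-style SBOM fragments. Each has packages (SPDXID, name,
# versionInfo) and DEPENDS_ON relationships between SPDX IDs.
SBOM_SERVICE_A = {
    "name": "service-a-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "service-a", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-log4j", "name": "org.apache.logging.log4j:log4j-core", "versionInfo": "2.14.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j"},
    ],
}
SBOM_SERVICE_B = {
    "name": "service-b-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "service-b", "versionInfo": "2.3.0"},
        {"SPDXID": "SPDXRef-lib", "name": "com.example:internal-lib", "versionInfo": "0.9.0"},
        {"SPDXID": "SPDXRef-log4j", "name": "org.apache.logging.log4j:log4j-core", "versionInfo": "2.14.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lib"},
        {"spdxElementId": "SPDXRef-lib", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j"},
    ],
}
SBOM_SERVICE_C = {
    "name": "service-c-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "service-c", "versionInfo": "4.1.0"},
        {"SPDXID": "SPDXRef-log4j", "name": "org.apache.logging.log4j:log4j-core", "versionInfo": "2.17.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j"},
    ],
}

# Constructed OSV-style advisory fragment with a placeholder identifier.
ADVISORY = {
    "id": "EXAMPLE-VULN-0001",
    "affected": [{"package": {"name": "org.apache.logging.log4j:log4j-core"},
                  "versions": ["2.14.1", "2.15.0"]}],
}


class ArtifactGraph:
    """Nodes are (name, version) pairs; edges are DEPENDS_ON relationships.
    Linking documents by (name, version) is a simplifying heuristic chosen
    for this example."""

    def __init__(self):
        self.nodes = set()
        self.depends_on = defaultdict(set)   # node -> direct dependencies
        self.depended_by = defaultdict(set)  # node -> direct dependents
        self.sources = defaultdict(set)      # node -> SBOM documents mentioning it
        self.vulns = defaultdict(set)        # node -> advisory ids

    def ingest_sbom(self, sbom):
        """Merge one SBOM into the shared graph; shared packages collapse onto one node."""
        by_id = {p["SPDXID"]: (p["name"], p["versionInfo"]) for p in sbom["packages"]}
        for node in by_id.values():
            self.nodes.add(node)
            self.sources[node].add(sbom["name"])
        for rel in sbom["relationships"]:
            if rel["relationshipType"] != "DEPENDS_ON":
                continue
            src, dst = by_id[rel["spdxElementId"]], by_id[rel["relatedSpdxElement"]]
            self.depends_on[src].add(dst)
            self.depended_by[dst].add(src)

    def ingest_advisory(self, advisory):
        """Attach an advisory to every graph node it names; unknown versions are ignored."""
        for affected in advisory["affected"]:
            name = affected["package"]["name"]
            for version in affected["versions"]:
                node = (name, version)
                if node in self.nodes:
                    self.vulns[node].add(advisory["id"])

    def impacted_roots(self, vuln_id):
        """Walk reverse dependency edges from affected nodes up to artifacts
        that nothing else depends on; those are the deployables to remediate."""
        seeds = [n for n, ids in self.vulns.items() if vuln_id in ids]
        seen, queue, roots = set(seeds), deque(seeds), set()
        while queue:
            node = queue.popleft()
            parents = self.depended_by.get(node, set())
            if not parents:
                roots.add(node)
            for parent in parents:
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return sorted(roots)


def build_demo_graph():
    """Ingest the constructed documents into one graph and return it."""
    graph = ArtifactGraph()
    for sbom in (SBOM_SERVICE_A, SBOM_SERVICE_B, SBOM_SERVICE_C):
        graph.ingest_sbom(sbom)
    graph.ingest_advisory(ADVISORY)
    return graph


if __name__ == "__main__":
    g = build_demo_graph()
    print(g.impacted_roots("EXAMPLE-VULN-0001"))  # service-a and service-b, not service-c
```

The point of the walk in `impacted_roots` is that `service-b` never lists `log4j-core` as a direct dependency; it is only reachable through `internal-lib`, which is exactly the relationship a per-document SBOM review tends to miss and a linked graph makes cheap to query. The `sources` map also records that the vulnerable package node was contributed by two different SBOMs, which is the kind of cross-document linking the article describes.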

A panel discussion at CloudNativeSecurityCon 2023 endorsed GUAC as a valuable tool for understanding, using, and deriving meaning from SBOMs. The discussion also noted the lack of a current standard method for distributing SBOMs, pointing to the potential for automation in this area.

Lum and Maruseac emphasized that GUAC users can build integrations on top of it to create trust-based policies, respond quickly to security breaches, and draw up upgrade plans in the event of a security incident. They also pointed to CLI tools for large-scale analysis and incident response, and to IDE plugins for proactive policy enforcement, as examples of what can be built on GUAC.

Early adopters have given GUAC positive feedback. Hemil Kadakia, senior manager of software development engineering on Yahoo’s information security team (the Paranoids), said:

Leveraging the open source project GUAC has provided immense value and significant efficiency at Yahoo. GUAC has allowed us to streamline processes and increase efficiency in ways that were not possible before.

Dejan Bosanac, Principal Software Engineer at Red Hat and an active contributor to the GUAC project, said:

With mechanisms to ingest and authenticate data from various sources, and a GraphQL API to query that data later, we believe this is a great foundation for current and future SSCS efforts. Being a true open source initiative with a welcoming community is a real plus.

Interested readers can learn more about GUAC through various methods described on the community page.

