Google’s GUAC aims to democratize software supply chain security metadata


A new open source initiative announced by Google this week could advance industry-wide efforts to address software supply chain security issues.

The project is called GUAC, or Graph for Understanding Artifact Composition. Once available, GUAC will give developers, security teams, auditors, and other business stakeholders a central source of information about the security, provenance, and overall trustworthiness of the individual components in their applications and code bases.

GUAC will collect and synthesize the information needed for such an analysis from multiple sources: software identifiers and naming data, information on known vulnerabilities, and signed attestations describing how a particular piece of software was built. Users will be able to query GUAC for the most critical and widely used components in their software, the dependencies associated with them, and any weaknesses or vulnerabilities those components contain.

According to Google, GUAC will also allow software and security teams to determine whether an application they are about to deploy meets organizational policies and whether all binaries in production can be traced back to a secure repository.

Multiple Use Cases

In addition to being useful from a proactive and operational security perspective, GUAC will also help organizations respond more effectively to identified threats, Google said. For example, when a new vulnerability is disclosed, organizations will be able to use GUAC to determine which parts of their software inventory might be affected. Likewise, if an open source component is no longer maintained, GUAC can help development and security teams quickly assess the impact on their environment.
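The two queries described above, "which deployed artifacts are affected by this vulnerability?" and "does every production binary trace back to an approved repository?", are both graph walks over artifact-composition data. The following Python is an added illustration written for this page, not GUAC's own code or schema: the SBOM-style dependency edges, the vulnerability feed entries (fictitious `EXAMPLE-*` identifiers), and the provenance claims are all constructed sample data, and the purl-style identifiers and repository URLs are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data (not GUAC's real data model and not real SBOMs):
# each artifact maps to the identifiers it directly depends on, purl style.
DEPENDS_ON = {
    "pkg:oci/payments-api@1.4.0": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.20"],
    "pkg:oci/reporting-job@2.0.1": ["pkg:pypi/requests@2.28.1"],
    "pkg:oci/auth-gateway@0.9.3": ["pkg:npm/express@4.18.2"],
    "pkg:npm/express@4.18.2": ["pkg:npm/qs@6.11.0", "pkg:npm/lodash@4.17.20"],
    "pkg:pypi/requests@2.28.1": ["pkg:pypi/urllib3@1.26.12"],
}

# The container images actually running in production (constructed).
DEPLOYED = [
    "pkg:oci/payments-api@1.4.0",
    "pkg:oci/reporting-job@2.0.1",
    "pkg:oci/auth-gateway@0.9.3",
]

# Constructed vulnerability feed entries with fictitious IDs, each naming
# the exact component version it applies to.
VULN_FEED = {
    "EXAMPLE-2022-0001": {"pkg:npm/lodash@4.17.20"},
    "EXAMPLE-2022-0002": {"pkg:pypi/urllib3@1.26.12"},
}

# Constructed provenance claims: the source repository a build attestation
# says each deployed artifact was built from.
BUILT_FROM = {
    "pkg:oci/payments-api@1.4.0": "https://git.example.com/payments/api",
    "pkg:oci/reporting-job@2.0.1": "https://git.example.com/data/reporting",
    "pkg:oci/auth-gateway@0.9.3": "https://github.com/someone/fork-of-gateway",
}

# Organizational policy (assumed): only builds from the internal forge are trusted.
APPROVED_REPO_PREFIXES = ("https://git.example.com/",)


def reverse_graph(depends_on):
    """Invert the edges so a walk can go from a component up to everything that uses it."""
    used_by = defaultdict(set)
    for artifact, deps in depends_on.items():
        for dep in deps:
            used_by[dep].add(artifact)
    return used_by


def dependents_of(used_by, component):
    """Breadth-first walk over the inverted graph.

    The visited set makes diamonds (express and payments-api both pull lodash)
    and cycles terminate, and every node is reported once.
    """
    seen, queue = set(), deque([component])
    while queue:
        node = queue.popleft()
        for parent in used_by.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_artifacts(depends_on, vuln_feed, vuln_id, deployed):
    """Deployed artifacts that directly or transitively include a component named in the vulnerability record."""
    used_by = reverse_graph(depends_on)
    hit = set()
    for component in vuln_feed.get(vuln_id, ()):
        hit.add(component)
        hit |= dependents_of(used_by, component)
    return sorted(a for a in deployed if a in hit)


def unapproved_provenance(deployed, built_from, approved_prefixes):
    """Deployed artifacts whose recorded source repository is missing or outside the approved set."""
    return sorted(
        a for a in deployed
        if not built_from.get(a, "").startswith(approved_prefixes)
    )


if __name__ == "__main__":
    for vuln_id in VULN_FEED:
        print(vuln_id, "->", affected_artifacts(DEPENDS_ON, VULN_FEED, vuln_id, DEPLOYED))
    print("policy violations:", unapproved_provenance(DEPLOYED, BUILT_FROM, APPROVED_REPO_PREFIXES))
```

The impact query walks the inverted graph rather than the forward one, so a vulnerability in `lodash` surfaces `auth-gateway` even though that image never lists `lodash` directly; that transitive reach is the point of holding the data as a graph instead of a flat list of SBOMs. The provenance check treats a missing attestation the same as an unapproved one, which is the safe default when the question is whether every production binary can be traced to a trusted repository.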

Brandon Lum, senior software engineer with Google’s open source security team, says organizations will be able to deploy GUAC internally or use it as an external source to verify their software metadata.

“GUAC will rely on a variety of sources, including GitHub, Sigstore, and open source package managers,” Lum says. “If run within an organization, GUAC can be configured to pull from internal sources and may include organization- or vendor-specific claims or certifications.”

Many of these capabilities are ones that large organizations have already begun to implement in response to growing concerns about vulnerabilities and risks in the software supply chain. Attacks on companies such as SolarWinds and Codecov showed how threat actors could compromise large organizations by implanting malware in software updates from trusted vendors.

More recently, threat actors have begun planting malicious code in widely used public package repositories in an attempt to trick development teams and automated build tools into pulling the malware into their organizations' software.

Increased worry

The trend is pushing organizations to pay greater attention to the security of their software components. It places more emphasis on practices such as generating or requiring a software bill of materials (SBOM) for their software and using security frameworks such as Supply-chain Levels for Software Artifacts (SLSA) to protect against tampering and vulnerable components. An executive order signed by President Biden in May 2021 explicitly requires federal civilian executive branch agencies to maintain SBOMs for software they develop in-house and to require an SBOM for any software they buy from an external vendor or contractor.

Much of the information organizations need to secure their software supply chain already exists in various forms. GUAC will bring that data together in a standard form and democratize its availability, according to Google.

Anyone can use GUAC, says Lum. “GUAC is designed to work [both] as a public service or internally in an organization,” he says. “For example, an organization might run GUAC internally for its proprietary software and query a public instance for vendor or open source software.”

Nigel Houghton, director of market and ecosystem development at ThreatQuotient, explains that there are several processes and tools associated with software supply chain security, such as those for generating SBOMs, checksums, and signatures that can be used to validate particular software.

“There are many such sources of information, but no real way to consolidate this information in one place,” says Houghton. “[GUAC] is an attempt to do so and is desperately needed in the industry.”

Houghton believes that GUAC benefits both consumers and producers of software by allowing greater visibility into the security of the software supply chain.

“It gives vendors the ability to show their software supply chain security and also gives them visibility into their own supply chain security that they can better manage,” he said. “But, ultimately, the consumer benefits the most because it means they can also validate the supply chain for the software they buy or use.”

GUAC prototype

GUAC is a good start on solving a difficult problem, says Scott Gerlach, co-founder and CSO of API security testing provider StackHawk. The trick will be getting open source developers to participate in this kind of program.

“What is their motivation?” asks Gerlach. “More often than not, these are people who work on projects out of a passion for problem solving and a deep curiosity. Getting OSS developers involved will be key to GUAC’s success.”

It’s a view that Houghton shares. “The biggest challenge here will be adoption by the software industry as a whole,” he says. But since GUAC is a project under the OpenSSF, it should have a good chance of being adopted, at least for Linux-based projects, he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, sees other problems. “Consolidating and standardizing the large amount of data they plan to ingest will be the first challenge,” he says. The other is finding a way to visualize the data that is both useful and usable.

“If they can accomplish that, it’ll be a lot easier to get people to accept it and use it,” he says.

Google developed a prototype version of GUAC in collaboration with software supply chain security startup Kusari, Citi, and Purdue University. The company is currently seeking contributors to the effort.
