Google Unveils Open Source Project to Improve Software Supply Chain Security


Google called for contributors on Thursday to a new open source project named Graph for Understanding Artifact Composition (GUAC) as part of its efforts to improve software supply chain security.

According to the tech giant, GUAC is still in the early stages, but it is set to change how the industry perceives software supply chains.

“GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata,” Google wrote in a blog post.

“True to Google’s mission to organize and make the world’s information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

According to Google, collaboration in groups such as the Open Source Security Foundation (OpenSSF), Supply Chain Levels for Software Artifacts (SLSA), Software Package Data Exchange (SPDX) and CycloneDX gives organizations ready access to a number of technologies, including Software Bills of Materials (SBOMs), signed attestations about how software was built, and vulnerability databases.

“These data are useful on their own, but it’s difficult to combine and synthesize the information for a more comprehensive view,” reads the blog post.

“The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization’s software assets.”

GUAC has been created to address these issues by bringing together many different sources of software security metadata; Google is developing the project in partnership with Kusari, Purdue University and Citi.

From a technical standpoint, GUAC has four main areas of functionality: collection of metadata from a variety of software security data sources, ingestion of that data, collation into a coherent graph, and querying for a given artifact to view its SBOM, provenance, build chain, project scorecard, vulnerabilities, etc.
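To make those four stages concrete, here is an added illustration (not GUAC's own code) that collates constructed SBOM, SLSA-style provenance and vulnerability records into a small in-memory graph and answers the kind of per-artifact question described above; the package ids, builder URL and advisory id are all invented samples.

```python
# Added illustration of the collect -> ingest -> collate -> query pipeline
# on a hand-built in-memory graph. Not GUAC's code; every document below is
# a constructed sample in a simplified SBOM / provenance / advisory shape.
from collections import defaultdict

# --- "collected" metadata (constructed samples, not real packages or CVEs) ---
SBOMS = [  # each SBOM states an artifact's direct dependencies
    {"subject": "pkg:example/app@1.0",
     "depends_on": ["pkg:example/libhttp@2.3", "pkg:example/libjson@0.9"]},
    {"subject": "pkg:example/libhttp@2.3",
     "depends_on": ["pkg:example/libtls@1.1"]},
]
PROVENANCE = [  # SLSA-style: which builder produced the artifact from which source
    {"subject": "pkg:example/app@1.0", "builder": "https://builder.example/ci",
     "source": "git+https://git.example/app@abc123"},
]
VULNS = [  # constructed advisory id, not a real vulnerability
    {"package": "pkg:example/libtls@1.1", "id": "EXAMPLE-VULN-0001"},
]


def ingest(sboms, provenance, vulns):
    """Collate the separate documents into one graph keyed by artifact id."""
    graph = defaultdict(lambda: {"deps": set(), "provenance": [], "vulns": set()})
    for doc in sboms:
        graph[doc["subject"]]["deps"].update(doc["depends_on"])
        for dep in doc["depends_on"]:
            graph[dep]  # make sure every dependency exists as a node
    for doc in provenance:
        graph[doc["subject"]]["provenance"].append(doc)
    for doc in vulns:
        graph[doc["package"]]["vulns"].add(doc["id"])
    return graph


def transitive_deps(graph, artifact):
    """Walk dependency edges from `artifact`; return every reachable package."""
    seen, stack = set(), [artifact]
    while stack:
        for dep in graph[stack.pop()]["deps"]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def query(graph, artifact):
    """What does this artifact pull in, who built it, and which deps have advisories?"""
    deps = transitive_deps(graph, artifact)
    affected = {d: sorted(graph[d]["vulns"]) for d in deps if graph[d]["vulns"]}
    builders = [p["builder"] for p in graph[artifact]["provenance"]]
    return {"deps": sorted(deps), "builders": builders, "affected": affected}
```

The query surfaces the advisory on the transitive dependency `libtls` even though `app` never lists it directly, which is exactly the cross-document question a flat collection of SBOMs cannot answer on its own.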

“GUAC aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable,” Google wrote.

“We’re excited to share the project’s proof of concept, which lets you query a small dataset of software metadata, including SLSA provenance, SBOMs, and OpenSSF Scorecards.”

The creation of GUAC comes months after Google announced a new program designed to reward researchers that find bugs in its open source projects.
