Google’s Breakthrough Framework for Secure Software Supply Chains
Google on Wednesday announced 0.1 Beta version from GUAC (short for Graphs for Understanding Artifact Composition) for organizations to secure their software supply chain.
For that, this search giant provide an open source framework as an API for developers to integrate their own tools and policy engines.
GUAC aims to combine software security metadata from multiple sources into a graphical database that maps relationships between software, helping organizations determine how one software affects another.
“Graphs to Understand Artifact Composition (GUAC) provide you with organized and actionable insights into the security position of your software supply chain,” Google say in the documentation.
“GUAC digests software security metadata, such as SBOM, and maps relationships between software so you can fully understand your software’s security position.”
In other words, it’s designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and internal company private metadata to help build a better picture of risk profiles and visualize relationships. between artifacts, packages, and repositories.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
With such a setup, the goal is to address high-profile supply chain attacks, create patch plans, and quickly respond to security breaches.
“For example, GUAC could be used to certify that the author was compromised (for example, through a credential leak or ingesting malware) and then query the affected artifacts,” Google said.
“This allows (the chief information security officer) to easily create policies to prohibit the use of any software from within the blast radius.”