Google on Thursday announced that it’s seeking contributors to a
new open source initiative called Graph for Understanding
Artifact Composition, also known as GUAC, as part of its
ongoing efforts to beef up the software supply chain[1].
“GUAC addresses a need created by the burgeoning efforts across
the ecosystem to generate software build, security, and dependency
metadata,” Brandon Lum, Mihai Maruseac, and Isaac Hepworth of
Google said[2]
in a post shared with The Hacker News.
“GUAC is meant to democratize the availability of this security
information by making it freely accessible and useful for every
organization, not just those with enterprise-scale security and IT
funding.”
Software supply chain has emerged[3]
a lucrative[4]
attack vector[5]
for threat actors, wherein exploiting just one weakness — as seen
in the case of SolarWinds[6]
and Log4Shell[7]
— opens a pathway long enough to traverse down the supply chain
and steal sensitive data, plant malware, and take control of
systems belonging to downstream customers.
Google, last year, released a framework called SLSA[8]
(short for Supply chain Levels for Software Artifacts) that aims to
ensure the integrity of software packages and prevent unauthorized
modifications.
It has also launched an updated version of Security Scorecards[9], which identifies[10] the risk third-party
dependencies can introduce to a project, allowing developers to
make informed decisions about accepting vulnerable code or
considering other alternatives.
This past August, Google further introduced[11] a bug bounty program to
identify security vulnerabilities spanning a number of projects
such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia.
GUAC is the company’s latest effort to bolster the health of the
supply chain. It achieves this by aggregating software security
metadata from a mix of public and private sources into a “knowledge
graph” that can answer questions about supply chain risks.
The data that undergirds this architecture is derived from
Sigstore[12], GitHub, Open Source
Vulnerabilities[13] (OSV[14]), Grype[15], and Trivy[16], among others, to
derive meaningful relationships between vulnerabilities, projects,
resources, developers, artifacts, and repositories.
“Querying this graph can drive higher-level organizational
outcomes such as audit, policy, risk management, and even developer
assistance,” Google said.
Put differently, the idea is to connect the different dots
between a project and its developer, a vulnerability and the
corresponding software version, and the artifact and the source
repository it belongs to.
The aim, therefore, is to not only enable organizations to
determine if they are affected by a specific vulnerability, but
also estimate the blast radius should the supply chain be
compromised.
That said, Google also appears to be cognizant of the potential
threats that could undermine GUAC, including scenarios where the
system is tricked into ingesting forged information about artifacts
and their metadata, which it expects to mitigate through
cryptographic verification of data documents.
“[GUAC] aims to satisfy the use case of being a monitor for
public supply chain and security documents as well as for internal
use by organizations to query information about artifacts that they
use,” the internet giant noted[17].
References
- ^
software
supply chain (thehackernews.com) - ^
said
(security.googleblog.com) - ^
emerged
(thehackernews.com) - ^
lucrative
(thehackernews.com) - ^
attack
vector (thehackernews.com) - ^
SolarWinds
(thehackernews.com) - ^
Log4Shell
(thehackernews.com) - ^
SLSA
(thehackernews.com) - ^
Security
Scorecards (thehackernews.com) - ^
identifies
(securityscorecards.dev) - ^
introduced
(thehackernews.com) - ^
Sigstore
(www.sigstore.dev) - ^
Open Source Vulnerabilities
(osv.dev) - ^
OSV
(opensource.googleblog.com) - ^
Grype
(github.com) - ^
Trivy
(github.com) - ^
noted
(github.com)
Read more https://thehackernews.com/2022/10/google-launches-guac-open-source.html