GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains


Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.

To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.

GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

“Graph for Understanding Artifact Composition (GUAC) gives you organized and actionable insights into your software supply chain security position,” Google says in its documentation.


“GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position.”

In other words, it’s designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company’s internal private metadata to help create a better picture of the risk profile and visualize the relationships between artifacts, packages, and repositories.


With such a graph in place, the goal is to let organizations respond to high-profile supply chain attacks by identifying which artifacts are affected, generating a patch plan, and acting swiftly on security compromises.

“For example, GUAC can be used to certify that a builder is compromised (e.g., via credential leakage or ingestion of malware) and then query for affected artifacts,” Google said.

“This enables the [chief information security officer] to easily create a policy to forbid use of any software from within the blast radius.”
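The builder-compromise scenario above is, at bottom, a reverse graph query: find everything a builder produced, then walk up the dependency edges to everything built on top of it. The following is an added illustration of that idea, not GUAC's code or API. It ingests three constructed metadata sources (SLSA-style provenance, SBOM-style dependency edges, and an OSV-style vulnerability record) into a small in-memory graph, computes the blast radius of a compromised builder, and applies a deny policy to it. All package, builder and vulnerability names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample metadata (hypothetical names, not real packages,
# builders or vulnerability identifiers).
# SLSA-style provenance: which builder produced each artifact.
PROVENANCE = [
    ("pkg:npm/app@2.0.0",       "builder:ci-prod"),
    ("pkg:npm/tool@0.3.0",      "builder:ci-prod"),
    ("pkg:npm/base64-js@1.5.1", "builder:ci-oss"),
    ("pkg:npm/lodash@4.17.21",  "builder:ci-oss"),
]
# SBOM-style dependency relationships: (package, dependency).
SBOM_DEPS = [
    ("pkg:npm/app@2.0.0",    "pkg:npm/buffer@6.0.3"),
    ("pkg:npm/app@2.0.0",    "pkg:npm/lodash@4.17.21"),
    ("pkg:npm/buffer@6.0.3", "pkg:npm/base64-js@1.5.1"),
    ("pkg:npm/tool@0.3.0",   "pkg:npm/express@4.18.2"),
]
# OSV-style vulnerability records: (vulnerability id, affected package).
VULNS = [
    ("EXAMPLE-VULN-0001", "pkg:npm/lodash@4.17.21"),
]


class ArtifactGraph:
    """Directed graph of supply-chain relationships.

    Forward edges answer "what does X depend on / who built X"; the
    reverse indexes answer the questions that matter during a compromise:
    "who depends on X" and "what did builder B produce"."""

    def __init__(self):
        self.built_by = {}                      # artifact -> builder
        self.produced = defaultdict(set)        # builder -> {artifact}
        self.depends_on = defaultdict(set)      # package -> {dependency}
        self.dependents = defaultdict(set)      # dependency -> {package}
        self.vulnerable_to = defaultdict(set)   # package -> {vuln id}
        self.affected_by = defaultdict(set)     # vuln id -> {package}

    def ingest_provenance(self, records):
        for artifact, builder in records:
            self.built_by[artifact] = builder
            self.produced[builder].add(artifact)

    def ingest_sbom(self, edges):
        for pkg, dep in edges:
            self.depends_on[pkg].add(dep)
            self.dependents[dep].add(pkg)

    def ingest_vulns(self, records):
        for vuln_id, pkg in records:
            self.vulnerable_to[pkg].add(vuln_id)
            self.affected_by[vuln_id].add(pkg)

    def transitive_dependents(self, roots):
        """BFS up the dependency graph: every package that transitively includes a root."""
        seen = set(roots)
        queue = deque(roots)
        while queue:
            node = queue.popleft()
            for parent in self.dependents.get(node, ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen

    def blast_radius(self, builder):
        """Artifacts produced by a compromised builder plus everything built on top of them."""
        return self.transitive_dependents(self.produced.get(builder, set()))

    def affected_by_vuln(self, vuln_id):
        """Packages that ship the vulnerable package directly or transitively."""
        return self.transitive_dependents(self.affected_by.get(vuln_id, set()))


def build_graph():
    g = ArtifactGraph()
    g.ingest_provenance(PROVENANCE)
    g.ingest_sbom(SBOM_DEPS)
    g.ingest_vulns(VULNS)
    return g


def policy_allows(graph, artifact, compromised_builders):
    """Deny any artifact inside the blast radius of a compromised builder."""
    denied = set()
    for builder in compromised_builders:
        denied |= graph.blast_radius(builder)
    return artifact not in denied


if __name__ == "__main__":
    g = build_graph()
    print("blast radius of builder:ci-oss:", sorted(g.blast_radius("builder:ci-oss")))
    for art in ("pkg:npm/app@2.0.0", "pkg:npm/tool@0.3.0"):
        verdict = "allowed" if policy_allows(g, art, {"builder:ci-oss"}) else "DENIED"
        print(art, verdict)
    print("affected by EXAMPLE-VULN-0001:", sorted(g.affected_by_vuln("EXAMPLE-VULN-0001")))
```

The point of keeping reverse indexes is that the incident-response questions ("what did this builder touch?", "who ships this vulnerable package?") run against dependents, not dependencies; an SBOM alone only gives the forward direction, which is why aggregating provenance and vulnerability data into one graph is what makes the blast-radius query cheap.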
