Google Launches GUAC Open Source Project to Secure Software Supply Chain
Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.
"GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News.
The software supply chain has emerged as a lucrative attack vector for threat actors: exploiting just one weakness, as seen in the cases of SolarWinds and Log4Shell, opens a pathway long enough to traverse down the supply chain and steal sensitive data, plant malware, and take control of systems belonging to downstream customers.
GUAC is the company's latest effort to bolster the health of the supply chain.
Specifically, the idea is to connect the dots between a project and its developer, a vulnerability and the corresponding software version, and an artifact and the source repository it belongs to.
"[GUAC] aims to satisfy the use case of being a monitor for public supply chain and security documents as well as for internal use by organizations to query information about artifacts that they use," the internet giant noted.
News URL
https://thehackernews.com/2022/10/google-launches-guac-open-source.html