Google says slap some GUAC on your software supply chain
2022-10-24 12:30

In brief Google has released a new open source software tool to help businesses better understand the risks to their software supply chains by aggregating security metadata into a queryable, standardized database.

The Graph for Understanding Artifact Composition, or "GUAC" - pronounced like the avocado dip - "aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable," Google said in a blog post.

Software supply chain attacks and dependency vulnerabilities have been central to many major cybersecurity incidents in the past few years. SolarWinds and Kaseya involved attackers injecting malicious code into software before it was delivered to customers; Log4j (Log4Shell) was a vulnerability in a widely used open source library that left many organizations unable to say quickly where it sat in their own software.

At RSA 2022, Microsoft's Aanchal Gupta, head of the company's Security Response Center, said supply chain attacks will continue to become more prevalent due to the tech world's reliance on third-party and open source software, which she said is "not going to come down anytime soon."

As an aggregator of metadata, GUAC is designed to collect data from a variety of sources, including software bill of materials (SBOM) platforms, vulnerability databases, and signed attestations such as the build provenance defined by Google's own, aptly named SLSA framework (pronounced "salsa"). Google describes four pieces: collecting the documents, ingesting them from upstream sources, collating them into a single normalized graph, and a query layer through which users can pull a software bill of materials, provenance, the build chain, a project's security scorecard, a list of vulnerabilities and recent lifecycle events, Google claims.

Google says GUAC could help answer proactive questions (which components in a software ecosystem are most widely used, and which dependencies look risky), operational questions (whether a new piece of software meets the organization's security policies) and reactive questions (how the organization is exposed when a new vulnerability is published).
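To make concrete what "collate into one normalized source and query it" buys you, here is an added example written for this page; it is not GUAC's code, data model or API. A toy in-memory graph in Go ingests three constructed JSON documents (a dependency list standing in for an SBOM, a vulnerability record standing in for a feed such as OSV, and subject-to-builder mappings standing in for SLSA provenance) and then answers the reactive question from the paragraph above (which artifacts are exposed to a given vulnerability, transitively) and the operational one (does an artifact, and everything it pulls in, carry provenance from a trusted builder). The package names, versions and builder IDs are constructed, except that log4j-core 2.14.1 is genuinely affected by CVE-2021-44228; the document shapes are simplified and are not the real CycloneDX, OSV or SLSA formats.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Graph is a toy stand-in for the aggregated store the article describes:
// nodes are "name@version" strings, and each edge kind comes from a different
// ingested source so that one query can cross all three.
type Graph struct {
	Deps       map[string][]string // artifact -> direct dependencies (from SBOM)
	Dependents map[string][]string // reverse of Deps, derived at ingestion
	Vulns      map[string][]string // vulnerability ID -> affected components (vuln feed)
	Builder    map[string]string   // artifact -> builder ID (from provenance)
}

// Ingest merges three JSON documents into one graph. Their shapes are reduced
// for this example (constructed, not CycloneDX, OSV or SLSA):
// sbom = {artifact: [dependencies]}, vulns = {vulnID: [components]}, prov = {artifact: builderID}.
func Ingest(sbom, vulns, prov []byte) (*Graph, error) {
	g := &Graph{map[string][]string{}, map[string][]string{}, map[string][]string{}, map[string]string{}}
	var deps map[string][]string
	for _, in := range []struct {
		doc []byte
		dst interface{}
	}{{sbom, &deps}, {vulns, &g.Vulns}, {prov, &g.Builder}} {
		if err := json.Unmarshal(in.doc, in.dst); err != nil {
			return nil, err
		}
	}
	for art, ds := range deps {
		for _, d := range ds {
			g.Deps[art] = append(g.Deps[art], d)
			g.Dependents[d] = append(g.Dependents[d], art) // reverse edge for blast radius
		}
	}
	return g, nil
}

// reach returns every node reachable from start over edges, sorted.
func reach(edges map[string][]string, start ...string) []string {
	seen := map[string]bool{}
	for stack := append([]string{}, start...); len(stack) > 0; {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[n] {
			seen[n] = true
			stack = append(stack, edges[n]...)
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// Affected (the reactive question): every artifact containing a component hit by vulnID, transitively.
func (g *Graph) Affected(vulnID string) []string {
	return reach(g.Dependents, g.Vulns[vulnID]...)
}

// PolicyViolations (the operational question): the artifact and all of its
// transitive dependencies must carry provenance from a trusted builder.
// Returns the nodes that do not; a missing provenance record counts as untrusted.
func (g *Graph) PolicyViolations(artifact string, trusted map[string]bool) []string {
	var bad []string
	for _, n := range reach(g.Deps, artifact) {
		if !trusted[g.Builder[n]] {
			bad = append(bad, n)
		}
	}
	return bad
}

// Constructed sample inputs; the builder IDs are hypothetical.
const (
	sbomJSON = `{"shop-api@2.1.0":["log4j-core@2.14.1","jackson-databind@2.13.0"],"billing@1.4.2":["jackson-databind@2.13.0"]}`
	vulnJSON = `{"CVE-2021-44228":["log4j-core@2.14.1"]}`
	provJSON = `{"shop-api@2.1.0":"https://ci.example/trusted-builder","log4j-core@2.14.1":"https://ci.example/trusted-builder","jackson-databind@2.13.0":"https://ci.example/trusted-builder","billing@1.4.2":"laptop://dev"}`
)
var TrustedBuilders = map[string]bool{"https://ci.example/trusted-builder": true}

func BuildDemo() *Graph {
	g, err := Ingest([]byte(sbomJSON), []byte(vulnJSON), []byte(provJSON))
	if err != nil {
		panic(err)
	}
	return g
}

func main() {
	g := BuildDemo()
	fmt.Println("affected by CVE-2021-44228:", g.Affected("CVE-2021-44228"))
	fmt.Println("violations for billing@1.4.2:", g.PolicyViolations("billing@1.4.2", TrustedBuilders))
}
```

The point of the reverse edges is the one the article makes about reactive questions: with only an SBOM per deliverable you have to scan every document when a CVE lands, whereas a graph keyed on the component answers "who depends on this?" in one traversal. The policy query walks the other direction and treats an artifact with no provenance statement at all as a failure, which is the conservative default you want when attestations are the evidence.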


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/24/security_in_brief/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 253 4216 4506 727 9702