Image Credit: Getty Images

>>Don’t miss our special issue: How Data Privacy Is Transforming Marketing.<<

Open-source security has emerged as a key theme in enterprise security this year. Following a wave of software supply chain attacks, targeting vendors like SolarWinds and Colonial Pipeline, President Biden released an Executive Order (EO) calling on organizations to create an accurate software bill of materials (SBOM). 

To support this effort, today, Google announced the launch of a new open-source project called Graph for Understanding Artifact Composition (GUAC), a tool that can aggregate security metadata from multiple open-source projects, and display it as part of a single graph.  

With GUAC, users can query metadata including SBOMs, SLSA provenance, and scorecard documents to verify the integrity and security of their software supply chain. 

For enterprises, GUAC provides a solution to audit open-source software, and to increase transparency over the SBOMs used as part of other open-source solutions.  

Auditing the software supply chain 

The announcement comes amid an uptick in software supply chain attacks, which increased by 300% in 2021. Software vendors understand threat actors are actively looking for open-source vulnerabilities to exploit, particularly those as prevalent as Log4j. 

It also comes amid ongoing collaboration between Google and groups including OpenSSF, SLSA, SPDX, and CycloneDX to create ready access to SBOMs, signed attestations on how software was built via SLSA, SLSA3 GitHub Actions Builder and vulnerability databases. 

Aiming to build a central tool to unify SBOMs from multiple open-source projects, has the potential to enhance open-source security as a whole. 

“The EO and OMB [Office of Management and Budget] requirements have driven a huge surge in the creation of SBOMs and other software metadata,” said Brandon Lum, senior Google Open Source Security Team software engineer. “However, now that we have a sea of metadata documents, what do we do with them? GUAC provides a way to make sense of the chaos of software metadata.” 

Visibility over this metadata has a critical role to play in enabling enterprises to manage the security of open-source software and dependencies. 

“Effectiveness of policies and risk management is dependent on the quality of software metadata available. GUAC provides deeper insight into an organization’s software catalog, which will provide better visibility, automation, and management of risk,” Lum said. 

Data sources GUAC can take data from include open and public datasets like OSV, first-party internal repositories, and third-party solutions, such as data vendors’ internal systems. More specifically, GUAC imports data on artifacts, projects, resources, vulnerabilities, repositories, and developers. 

What’s its role in open-source security? 

For CISOs, GUAC provides a solution to identify weak components in the software supply chain. 

As the announcement blog post highlights, users will be able to identify the most used critical components in the software supply chain, weak points, risky dependencies, whether binaries can be traced to a securely managed repository, and more, and ultimately, find ways to prevent compromises.