A new open source initiative Google announced this week could move the needle forward on industrywide efforts to address software supply chain security issues.
The project is called GUAC, or Graph for Understanding Artifact Composition. Once available, GUAC will give developers, security teams, auditors, and other enterprise stakeholders a central source for information about the security, provenance, and overall trustworthiness of the individual components in their applications and codebases.
GUAC will collect and synthesize all the information needed for such analysis — such as software bill of materials, known vulnerability information and signed attestations on how a particular software might have been built — from multiple sources. Users will be able to query GUAC for information on the most-used critical components in their software, associated dependencies and any potential weaknesses, and vulnerabilities in them.
According to Google, GUAC will also let software and security teams determine if an application they are about to deploy meets organizational polices, and if all binaries in production can be tracked back to a secure repository.
Multiple Use Cases
In addition to being useful from a proactive security and operational security standpoint, GUAC will also help organizations respond more effectively to identified threats, Google said. For instance, when a new vulnerability is disclosed, organizations will be able to use GUAC to determine which parts of their software inventory might be affected. Similarly, if an open source component has been deprecated, GUAC can help development and security teams quickly assess the impact on their environment.
Brandon Lum, senior software engineer on Google’s Open Source Security team, says organizations will be able to deploy GUAC internally or use it as an external source for vetting their software metadata.
“GUAC will pull from a variety of sources, including GitHub, Sigstore, and open source package managers,” Lum says. “If run in an organization, GUAC can be configured to pull from internal sources and will be able to include organization or vendor specific assertions or certifications.”
Many of these are capabilities that mainly large organizations have begun implementing in response to growing concerns over vulnerabilities and risks in the software supply chain. Attacks on companies like SolarWinds and Codecov showed how threat actors could compromise organizations on a mass scale by planting malware in software updates from trusted vendors.
More recently, threat actors have begun planting malicious code in widely used public code repositories with the goal of tricking development teams and automated build tools to download the malware into their organizations.
The trend is driving organizations to pay closer attention to the security of their software components. It is heightening focus on practices such as generating or requiring a software bill of materials (SBOM) for their software and to using security frameworks such as Supply chain Levels for Software Artifacts (SLSA) to protect against tampering and vulnerable components. An executive order signed by President Biden in May 2021 explicitly requires all federal civilian executive branch agencies to maintain SBOMs for software they develop internally and requires them for any software they procure from an outside vendor or contractor.
Much of the information required for organizations to vet their software supply chain already exists in various forms. GUAC will bring all the data together in a standard form and democratize its availability, according to Google.
Anyone will be able to use GUAC, Lum says. “GUAC is designed to run [both] as a public service or internally in an organization,” he says. “For example, an organization can run GUAC internally for their proprietary software and query a public instance for vendor or open source software.”
Nigel Houghton, director of marketplace and ecosystem development at ThreatQuotient, says there are several processes and tools associated with software supply chain security, such as those for generating SBOMs or for checksums and signatures that can be used to validate a particular piece of software.
“There are many such sources of information but no real way to consolidate that information into one place,” Houghton says. “[GUAC] is an attempt to do that and is desperately needed in the industry.”
Houghton sees GUAC as benefiting both consumers and producers of software by enabling greater visibility into the security of the software supply chain.
“It gives vendors the chance to show the security of their software supply chain and also gives them the visibility into their own supply chain security that they can better manage it,” he says. “But, ultimately, the consumer benefits the most as it means they can also validate the supply chain for the software they are purchasing or using.”
GUAC is a good start to solving a hard problem, says Scott Gerlach, co-founder and CSO at API security testing vendor StackHawk. The trick will be to get open source developers to participate in this kind of program.
“What is their incentive?” Gerlach asks. “Most often, these are people who work on projects out of a passion for problem-solving and deep curiosity. Incentivizing OSS devs to participate will be the key to GUAC’s success.”
That’s a viewpoint that Houghton holds as well. “The biggest challenge here is going to be adoption by the software industry as a whole,” he says. But since GUAC is a project that comes under the OpenSSF, it should have a good chance of adoption at least for Linux-based projects, he says.
Mike Parkin, senior technical engineer at Vulcan Cyber, sees other issues. “Consolidating and normalizing the vast amount of data they plan to ingest will be the first challenge,” he says. The other is finding a way to visualize the data in a manner that’s both useful and usable.
“If they can accomplish that, then getting people to accept it and use it will be considerably easier,” he says.
Google has developed a prototype version of GUAC in collaboration with researchers at software supply chain security start-up Kusari, Citi, and Purdue University. The company is currently seeking contributors to the effort.