Supply chain security is at the fore of the industry's collective consciousness. We've recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.
It's against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in its early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google's mission to organize the world's information and make it universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.
Such metadata documents are useful on their own, but it's difficult to combine and synthesize the information into a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization's software assets.
To help address this issue we've teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We're excited to share the project's proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards.
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Conceptually, GUAC occupies the "aggregation and synthesis" layer of the software supply chain transparency logical model.
GUAC has four major areas of functionality:
GUAC can be configured to connect to a variety of sources of software security metadata. Some sources may be open and public (e.g., OSV); some may be first-party (e.g., an organization's internal repositories); some may be proprietary third-party (e.g., from data vendors).
From its upstream data sources GUAC imports data on artifacts, projects, resources, vulnerabilities, repositories, and even developers.
Having ingested raw metadata from disparate upstream sources, GUAC assembles it into a coherent graph by normalizing entity identifiers, traversing the dependency tree, and reifying implicit entity relationships, e.g., project → developer; vulnerability → software version; artifact → source repo, and so on.
Against an assembled graph one may query for metadata attached to, or related to, entities within the graph. Querying for a given artifact may return its SBOM, provenance, build chain, project scorecard, vulnerabilities, and recent lifecycle events, together with those of its transitive dependencies.
A CISO or compliance officer wants to be able to reason about the risk of their organization. An open source organization like the Open Source Security Foundation wants to identify critical libraries to maintain and secure. Developers need richer and more trustworthy intelligence about the dependencies in their projects.
The good news is that, increasingly, one finds the upstream supply chain already enriched with attestations and metadata to power higher-level reasoning and insights. The bad news is that it's difficult or impossible today for software consumers, operators, and administrators to gather this data into a unified view across their software assets.
To understand something complex like the blast radius of a vulnerability, one needs to trace the relationship between a component and everything else in the portfolio, a task that could span thousands of metadata documents across hundreds of sources. In the open source ecosystem, the number of documents could reach into the millions.
GUAC aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable. With GUAC in hand, we will be able to answer questions at three important stages of software supply chain security:
- Proactive, e.g.,
  - What are the most used critical components in my software supply chain ecosystem?
  - Where are the weak points in my overall security posture?
  - How do I prevent supply chain compromises before they happen?
  - Where am I exposed to risky dependencies?
- Operational, e.g.,
  - Is there evidence that the application I'm about to deploy meets organization policy?
  - Do all binaries in production trace back to a securely managed repository?
- Reactive, e.g.,
  - Which parts of my organization's inventory are affected by new vulnerability X?
  - A suspicious project lifecycle event has occurred. Where is risk introduced to my organization?
  - An open source project is being deprecated. How am I affected?
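As an added illustration of the collation and query steps described above, and of the reactive and operational questions in the list, here is a toy Go program (written for this page, not code from the GUAC project) that assembles a graph from constructed SBOM, vulnerability-feed and SLSA-provenance records, normalizes package identifiers so that differently spelled references to one package merge into one node, and then answers "which deployed artifacts are affected by vulnerability X?" and "do all binaries trace back to a securely managed repository?". The graph layout, the relation names dependsOn/hasVuln/builtFrom, the package names, the placeholder identifier CVE-EXAMPLE-0001 and the repository URLs are all assumptions made for the example; GUAC's real data model and API differ.

```go
package main

import "sort"
import "strings"

// Graph: (node ID, relation) -> set of target IDs. IDs are normalized purls,
// vulnerability IDs or repository URLs (a toy model; GUAC's real schema is richer).
type Graph map[[2]string]map[string]bool
func (g Graph) AddEdge(from, rel, to string) {
	if g[[2]string{from, rel}] == nil {
		g[[2]string{from, rel}] = map[string]bool{}
	}
	g[[2]string{from, rel}][to] = true
}
// Out returns the targets reachable from a node over one relation (nil if none).
func (g Graph) Out(from, rel string) map[string]bool { return g[[2]string{from, rel}] }
// NormalizeID is the collation step: producers spell one package differently
// (case, qualifiers), so purls are canonicalized before edges are added.
// Lower-casing the whole purl is a simplification of the real purl rules.
func NormalizeID(raw string) string {
	s := strings.TrimSpace(raw)
	if !strings.HasPrefix(strings.ToLower(s), "pkg:") {
		return s // vulnerability IDs and repository URLs are kept verbatim
	}
	if i := strings.IndexAny(s, "?#"); i >= 0 {
		s = s[:i]
	}
	return strings.ToLower(s)
}

// Record is one relationship extracted from an ingested document: an SBOM
// yields dependsOn, a vulnerability feed hasVuln, SLSA provenance builtFrom.
type Record struct{ Subject, Relation, Object string }
// Ingest assembles records from disparate sources into one graph, merging
// entities that different producers spelled differently.
func Ingest(records []Record) Graph {
	g := Graph{}
	for _, r := range records {
		g.AddEdge(NormalizeID(r.Subject), r.Relation, NormalizeID(r.Object))
	}
	return g
}

// Closure returns n plus everything reachable over dependsOn edges; the seen set
// stops shared and cyclic dependencies from being visited twice.
func (g Graph) Closure(n string, seen map[string]bool) []string {
	out := []string{n}
	seen[n] = true
	for dep := range g.Out(n, "dependsOn") {
		if !seen[dep] {
			out = append(out, g.Closure(dep, seen)...)
		}
	}
	return out
}

// BlastRadius (reactive: "which deployed artifacts are affected by vulnerability
// X?") returns the sorted roots whose transitive dependencies carry vulnID.
func BlastRadius(g Graph, vulnID string, roots []string) []string {
	hit := []string{}
	for _, r := range roots {
		for _, n := range g.Closure(NormalizeID(r), map[string]bool{}) {
			if g.Out(n, "hasVuln")[vulnID] {
				hit = append(hit, NormalizeID(r))
				break
			}
		}
	}
	sort.Strings(hit)
	return hit
}

// UntracedPackages (operational: "do all binaries trace back to a securely managed
// repository?") returns the sorted packages in root's closure with no builtFrom edge into an allowed repository.
func UntracedPackages(g Graph, root string, allowed []string) []string {
	bad := []string{}
	for _, n := range g.Closure(NormalizeID(root), map[string]bool{}) {
		traced := false
		for _, a := range allowed {
			traced = traced || g.Out(n, "builtFrom")[a]
		}
		if !traced {
			bad = append(bad, n)
		}
	}
	sort.Strings(bad)
	return bad
}

// SampleGraph ingests constructed records (fictional packages, placeholder vuln ID, made-up repos).
func SampleGraph() Graph {
	return Ingest([]Record{
		{"pkg:oci/payments-api@sha256:aaa", "dependsOn", "pkg:maven/Example/Web@2.1.0"},          // SBOM
		{"pkg:maven/example/web@2.1.0", "dependsOn", "pkg:maven/example/logging@1.2.3?type=jar"}, // SBOM
		{"pkg:maven/example/logging@1.2.3", "hasVuln", "CVE-EXAMPLE-0001"},                       // vuln feed
		{"pkg:oci/payments-api@sha256:aaa", "builtFrom", "https://git.example.internal/payments"}, // SLSA
		{"pkg:maven/example/logging@1.2.3", "builtFrom", "https://github.com/example/logging"},    // SLSA
	})
}
```

On the sample records, the SBOM spells the web package as `pkg:maven/Example/Web@2.1.0` and the logging package with a `?type=jar` qualifier, while the vulnerability feed and provenance spell them without; only because NormalizeID merges those spellings does BlastRadius find that `pkg:oci/payments-api@sha256:aaa` is affected by CVE-EXAMPLE-0001 through two hops. UntracedPackages, with only `https://git.example.internal/payments` on the allow list, reports both the web package (no provenance at all) and the logging package (provenance pointing at a repository outside the allow list), which is the distinction an operational policy check needs to make.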
GUAC is an open source project on GitHub, and we're excited to get more folks involved and contributing (read the contributor guide to get started)! The project is still in its early stages, with a proof of concept that can ingest SLSA, SBOM, and Scorecard documents and support simple queries and exploration of software metadata. The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation.
Since the project will be consuming documents from many different sources and formats, we have put together a group of "Technical Advisory Members" to help advise the project. These members include representation from companies and groups such as SPDX, CycloneDX, Anchore, Aquasec, IBM, Intel, and many more. If you're interested in participating as a contributor or advisor representing end users' needs, or the sources of metadata GUAC consumes, you can register your interest in the relevant GitHub issue.
The GUAC team will be showcasing the project at KubeCon NA 2022 next week. Come by our session if you'll be there and have a chat with us; we'd be happy to talk in person or virtually!