Google continues to strengthen software supply chain security with a new tool, GUAC 0.1 Beta (Graph for Understanding Artifact Composition). It is an open API platform that integrates software security metadata from different sources, giving developers the ability to integrate their own policy tools and mechanisms.
Key features of GUAC 0.1 Beta:
- Systematized security information: GUAC provides organizations with valuable information about the security status of their software supply chains, helping to determine the impact of one piece of software on another.
- Security metadata federation: Using GUAC, developers can combine Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerabilities, deps.dev information, and internal company metadata to create a complete risk profile picture and visualize relationships between artifacts, packages, and repositories.
- Defense against supply chain attacks: GUAC is designed to counter attacks on software supply chains. It helps organizations build remediation plans and respond quickly to incidents by giving CISOs a straightforward way to set policies that block the use of vulnerable artifacts within the infection radius.
Application of GUAC in practice:
GUAC can be used to confirm whether a collector has been compromised, to detect leaked credentials, or to identify artifacts infected with malware. Integrating the tool lets the CISO readily identify vulnerable software within the system and prohibit its use, notes NIXsolutions.
With GUAC 0.1 Beta, Google is once again demonstrating its focus on software supply chain security, providing developers with an effective tool to protect and enhance the security of their software products.