Google’s GUAC Open Source Tool Centralizes Software Security Metadata
By Ionut Arghire on October 20, 2022
Google today announced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.
Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.
GUAC aggregates metadata from different sources, including Supply-chain Levels for Software Artifacts (SLSA) provenance, software bills of materials (SBOM), and vulnerabilities, to provide a more comprehensive view over them.
“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” Google says.
By querying this graph, organizations can improve their audit processes and risk management, can better meet policy requirements, and even provide developer assistance.
GUAC, the internet giant explains, has four areas of functionality, including metadata collection (from public, first-party, and third-party sources), ingestion of data (on artifacts, resources, vulnerabilities, and more), data assembly into a coherent graph, and user query for metadata attached to entities within the graph.
By aggregating software security metadata and making it meaningful and actionable, GUAC can help identify risks, discover critical libraries within open source software, and gather information on software dependencies, to improve supply chain security.
The open source project is in its early stages, with a proof of concept (PoC) now available on GitHub, offering support for the ingestion of SLSA, SBOM, and Scorecard documents and for simple queries for software metadata.
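To make the collect, ingest, assemble and query pipeline concrete, the following Python model is an added illustration, not GUAC's own code: three constructed documents (an SBOM, an SLSA provenance statement and a vulnerability record) are ingested into one graph, package identities are normalised so the differently spelt package names resolve to a single node, and a query joins across all three to answer "which artifact is exposed to this vulnerability, and how was it built?". The document shapes, package names, builder URL and vulnerability id are all placeholders.

```python
from collections import defaultdict

# Constructed sample documents (placeholders, not real SBOM/SLSA/advisory data).
SBOM_DOC = {"subject": "pkg:oci/payments-api@sha256:abc123",
            "dependsOn": ["pkg:npm/Lodash@4.17.20", "pkg:npm/express@4.18.2"]}
SLSA_DOC = {"subject": "pkg:oci/payments-api@sha256:abc123",
            "builder": "https://ci.example.invalid/builder", "slsaLevel": 3}
VULN_DOC = {"package": "pkg:npm/lodash@4.17.20", "id": "EXAMPLE-VULN-0001"}

def normalize(purl: str) -> str:
    """Normalise identity so 'Lodash' (SBOM) and 'lodash' (advisory) are one node."""
    name, sep, version = purl.rpartition("@")
    return name.lower() + sep + version

class MetadataGraph:
    """Toy GUAC-style graph: typed edges between normalised identities."""
    def __init__(self):
        self.out = defaultdict(set)  # (source, relation) -> {targets}
        self.inc = defaultdict(set)  # (target, relation) -> {sources}

    def add(self, src, rel, dst):
        self.out[(src, rel)].add(dst)
        self.inc[(dst, rel)].add(src)

    def ingest_sbom(self, doc):  # one small ingestion adapter per document type
        for dep in doc["dependsOn"]:
            self.add(normalize(doc["subject"]), "dependsOn", normalize(dep))

    def ingest_slsa(self, doc):
        subject = normalize(doc["subject"])
        self.add(subject, "builtBy", doc["builder"])
        self.add(subject, "slsaLevel", str(doc["slsaLevel"]))

    def ingest_vuln(self, doc):
        self.add(normalize(doc["package"]), "hasVuln", doc["id"])

    # Query: walk back from a vulnerability id to the artifacts that depend
    # on the affected package, then attach their build provenance.
    def affected_artifacts(self, vuln_id):
        result = {}
        for pkg in self.inc[(vuln_id, "hasVuln")]:
            for artifact in self.inc[(pkg, "dependsOn")]:
                result[artifact] = {"via": pkg,
                    "builder": sorted(self.out[(artifact, "builtBy")]),
                    "slsaLevel": sorted(self.out[(artifact, "slsaLevel")])}
        return result

def build_demo_graph():
    g = MetadataGraph()
    g.ingest_sbom(SBOM_DOC); g.ingest_slsa(SLSA_DOC); g.ingest_vuln(VULN_DOC)
    return g
```

Without the identity normalisation step the SBOM's "Lodash" and the advisory's "lodash" would be two unrelated nodes and the query would return nothing, which is the failure mode the graph's identity mapping is there to prevent.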
“The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation,” Google says.
The internet giant has created a group of ‘Technical Advisory Members’ that includes SPDX, CycloneDX, Anchore, Aquasec, IBM, Intel, and others, to help expand the project towards consuming data from many different sources and formats.
Related: Google Launches Bug Bounty Program for Open Source Projects
Related: Academics Devise Open Source Tool For Hunting Node.js Security Flaws
Related: Google Open Sources ‘Paranoid’ Crypto Testing Library