One Article Review

Home - The article:
Source GoogleSec
Identifier 7739960
Publication date 2022-10-20 13:01:02 (viewed: 2022-10-30 16:06:26)
Title Announcing GUAC, a great pairing with SLSA (and SBOM)!
Text Posted by Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team

Supply chain security is at the fore of the industry's collective consciousness. We've recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity. It is against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google's mission to organize and make the world's information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding. Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to:
- Software Bills of Materials (SBOMs) (with SPDX-SBOM-Generator, Syft, kubernetes bom tool)
- signed attestations about how software was built (e.g. SLSA with SLSA3 Github Actions Builder, Google Cloud Build)
- vulnerability databases that aggregate information across ecosystems and make vulnerabilities more discoverable and actionable (e.g. OSV.dev, Global Security Database (GSD)).

These data are useful on their own, but it's difficult to combine and synthesize the information for a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization's software assets.
To help address this issue we've teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We're excited to share the project's proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards.

What is GUAC
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance. Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:
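As an added illustration (not code from the GUAC project), here is a toy version of the aggregation-and-synthesis step described above: three constructed documents, an SBOM, a SLSA provenance and a vulnerability record, are normalized onto shared purl and digest identities, merged into one edge set, and then queried to answer a higher-level question (which packages are in the blast radius of a vulnerability, and which builder produced the affected artifact). All package names, versions, the builder id and the advisory id are constructed placeholders.

```python
# Constructed sample inputs (not real GUAC documents). They show the identity mismatch
# the post describes: the SBOM names the app by purl, the SLSA provenance only by digest.
SBOM = {
    "root": "pkg:golang/example.com/app@1.4.0",
    "root_digest": "sha256:0123abcd",
    "depends_on": [
        ("pkg:golang/example.com/app@1.4.0", "pkg:golang/example.com/lib@2.1.0"),
        ("pkg:golang/example.com/lib@2.1.0", "pkg:golang/example.com/parser@0.9.0"),
    ],
}
PROVENANCE = {"subject_digest": "sha256:0123abcd",
              "builder_id": "https://example.com/builders/ci"}  # constructed builder id
VULN = {"id": "EXAMPLE-VULN-0001",  # constructed placeholder, not a real advisory
        "affected": ["pkg:golang/example.com/parser@0.9.0"]}

def build_graph(sbom, provenance, vuln):
    """Normalize every identity to a purl or digest node; store (src, relation, dst) edges."""
    edges = set()
    for parent, child in sbom["depends_on"]:
        edges.add((parent, "depends_on", child))
    # Reify the digest as its own node so a digest-only attestation joins the purl graph.
    edges.add((sbom["root"], "has_digest", sbom["root_digest"]))
    edges.add((provenance["builder_id"], "built", provenance["subject_digest"]))
    for purl in vuln["affected"]:
        edges.add((vuln["id"], "affects", purl))
    return edges

def neighbors(edges, node, rel, reverse=False):
    """Follow one relation forwards (node -> ?) or backwards (? -> node)."""
    if reverse:
        return {s for s, r, d in edges if r == rel and d == node}
    return {d for s, r, d in edges if r == rel and s == node}

def blast_radius(edges, vuln_id):
    """Every package transitively depending on what the vuln affects, with its builder(s)."""
    seen, stack = set(), list(neighbors(edges, vuln_id, "affects"))
    while stack:  # walk depends_on edges backwards to reach every dependent
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(neighbors(edges, node, "depends_on", reverse=True))
    result = {}
    for purl in seen:
        builders = set()
        for digest in neighbors(edges, purl, "has_digest"):
            builders |= neighbors(edges, digest, "built", reverse=True)
        result[purl] = sorted(builders)
    return result
```

The query only succeeds because the digest was stored as a node shared by the SBOM and the provenance; without that normalization step the two documents would never join.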
Sent Yes
Tags Tool Vulnerability
Stories Uber


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.