Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.
"GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News.
"GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding."
The software supply chain has emerged as a lucrative attack vector for threat actors: exploiting just one weakness -- as seen in the cases of SolarWinds and Log4Shell -- opens a pathway long enough to traverse the supply chain and steal sensitive data, plant malware, and take control of systems belonging to downstream customers.
Last year, Google released a framework called SLSA (short for Supply chain Levels for Software Artifacts), which aims to ensure the integrity of software packages and prevent unauthorized modifications.
It has also launched an updated version of Security Scorecards, which identifies the risk third-party dependencies can introduce to a project, allowing developers to make informed decisions about accepting vulnerable code or considering other alternatives.
"[GUAC] aims to satisfy the use case of being a monitor for public supply chain and security documents as well as for internal use by organizations to query information about artifacts that they use," the internet giant noted.
Source:
https://thehackernews.com/2022/10/google-launches-guac-open-source.html
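To make concrete the kind of question the article says GUAC is meant to answer ("query information about artifacts that they use"), here is a small added example that is not GUAC's code and does not use GUAC's API: it builds an in-memory graph from constructed SBOM-style dependency records, attaches constructed vulnerability and provenance records, and answers "which of our artifacts transitively contain a vulnerable package, and which of those lack build provenance?" All artifact names, the vulnerability ID and the provenance flags are placeholders invented for the illustration.

```python
"""
Added example (not GUAC code): a minimal in-memory artifact graph showing
the kind of supply-chain query GUAC is designed to serve. Every record
below is constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set

# Constructed SBOM-style dependency edges: artifact -> direct dependencies.
SBOM_EDGES: Dict[str, List[str]] = {
    "app:web-frontend@1.4": ["lib:http-client@2.0", "lib:logging@3.1"],
    "app:billing-service@2.2": ["lib:http-client@2.0", "lib:db-driver@5.3"],
    "lib:http-client@2.0": ["lib:logging@3.1"],
    "lib:db-driver@5.3": [],
    "lib:logging@3.1": [],
}

# Constructed vulnerability records (placeholder ID, not a real advisory).
VULNS: Dict[str, List[str]] = {
    "lib:logging@3.1": ["EXAMPLE-VULN-0001"],
}

# Constructed provenance attestations: True if the artifact has a
# SLSA-style build provenance record attached, False if none is known.
PROVENANCE: Dict[str, bool] = {
    "app:web-frontend@1.4": True,
    "app:billing-service@2.2": False,
    "lib:http-client@2.0": True,
    "lib:db-driver@5.3": True,
    "lib:logging@3.1": True,
}


def build_reverse_graph(edges: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert artifact -> dependency edges into dependency -> dependents."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for artifact, deps in edges.items():
        rev.setdefault(artifact, set())
        for dep in deps:
            rev[dep].add(artifact)
    return rev


def transitive_dependents(edges: Dict[str, List[str]], package: str) -> Set[str]:
    """All artifacts that reach `package` through any dependency chain (BFS
    over the reversed graph, so cycles are handled by the `seen` set)."""
    rev = build_reverse_graph(edges)
    seen: Set[str] = set()
    queue = deque([package])
    while queue:
        node = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def exposure_report(edges, vulns, provenance):
    """Map each vulnerability ID to the sorted list of (artifact, has_provenance)
    for every artifact that contains the vulnerable package, directly or
    transitively. Artifacts without provenance are the ones whose build
    cannot be verified before a remediation rebuild."""
    report = {}
    for pkg, ids in vulns.items():
        affected = transitive_dependents(edges, pkg) | {pkg}
        for vid in ids:
            report[vid] = sorted((a, provenance.get(a, False)) for a in affected)
    return report


if __name__ == "__main__":
    for vid, rows in exposure_report(SBOM_EDGES, VULNS, PROVENANCE).items():
        print(vid)
        for artifact, has_prov in rows:
            print(f"  {artifact}  provenance={'yes' if has_prov else 'NO'}")
```

The reverse-graph walk is what turns a pile of per-artifact SBOMs into an answer to "who is affected?", which is exactly the Log4Shell-style question the article cites; the provenance column shows why build metadata and vulnerability metadata are more useful joined in one graph than kept in separate documents.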