Google LLC today introduced GUAC, an open-source cybersecurity tool that companies can use to find potential vulnerabilities in their software.

Google developed GUAC in collaboration with Kusari, Purdue University and Citibank NA. Going forward, development on the project will be carried out with support from a group of technical advisory members. The group includes employees from Intel Corp., IBM Corp., Shopify Inc. and more than a half-dozen other tech companies.

Before an organization can deploy a new software product, it must check that the product is secure. The process of determining whether a software product meets cybersecurity requirements involves reviewing several types of technical data. Often, that technical data is scattered across multiple systems.

The fact that the data is scattered across multiple systems creates complexity, according to Google. It makes it more difficult for companies to gather all the technical details they require to assess whether a software product is secure. As a result, cybersecurity evaluations can take a significant amount of time and effort.

“To understand something complex like the blast radius of a vulnerability, one needs to trace the relationship between a component and everything else in the portfolio — a task that could span thousands of metadata documents across hundreds of sources,” engineers from Google’s open source security team detailed in a blog post today. “In the open source ecosystem, the number of documents could reach into the millions.”

Google’s new GUAC tool is designed to make the task less complicated. According to Google, the tool can automatically aggregate cybersecurity data about a software product from a variety of different sources. GUAC then organizes the data into a form that developers can easily review to determine whether a software product is secure.

One type of cybersecurity data that GUAC can collect is SBOM information. A SBOM, or software bill of materials, a list of the components that comprise an application and the tools which were used to develop it. A SBOM can contain potentially valuable cybersecurity information, such as whether an application contains an open-source component with a known vulnerability.

GUAC is capable of combining SBOM information with SLSA and OpenSSF Scorecards data. SLSA is a framework that allows cryptographic signatures to be added to software code. By checking a code file’s cryptographic signature, a company can determine whether it was downloaded from a trusted source.

OpenSSF Scorecards, in turn, is a cybersecurity tool developed by the Open Source Security Foundation. The tool can scan an open-source project’s code to identify potential cybersecurity issues. It can, for example, identify if a project contains known vulnerabilities.

Using Google’s new GUAC tool, a company can aggregate OpenSSF Scorecards, OpenSSF and SBOM information about an application into a single environment. The tool also organizes the information for easier analysis. Once processing is complete, developers can review the dataset to check that the application being evaluated meets cybersecurity requirements.

GUAC automatically maps out how the data points that it ingests are connected to one another. The tool can, for example, identify the code repositories from which the key components of an application are sourced. By uncovering how disparate cybersecurity-related data points are linked, GUAC makes it easier for developers to find patterns in the data.

Google envisions companies using GUAC not only to check the security of new software products they deploy, but also to perform more complex analyses. For instance, the tool could help an organization determine how many of its existing applications are affected by a newly discovered vulnerability. Moreover, developers can analyze the security of the individual code components in an application.

According to Google, GUAC is currently in the proof-of-concept phase. The search giant and the other companies backing GUAC plan to focus their development efforts on growing the number of cybersecurity data types that GUAC can process. In parallel, the companies plan to enhance the tool’s existing capabilities. 

Image: Google