UPDATED 09:00 EDT / MARCH 07 2024

Google-backed GUAC cybersecurity tool becomes an OpenSSF project

The developers of GUAC, a tool for finding vulnerabilities in enterprise software, today announced that they have donated the project to the OpenSSF consortium.

GUAC was released in 2022 by Google LLC, cybersecurity startup Kusari Inc., Citibank NA and Purdue University. OpenSSF, the consortium to which the project has been donated, launched two years earlier under the wing of The Linux Foundation. It maintains more than a dozen open-source cybersecurity tools focused on tasks such as finding code vulnerabilities and assessing their severity.

Before companies adopt a new piece of software, they have to check whether the software is secure. In many cases, the data necessary to carry out the evaluation is readily available from the application’s developer and third-party sources. But thoroughly reviewing that data to draw a correct conclusion can be time-consuming to the point of being impractical.

GUAC, officially Graph for Understanding Artifact Composition, is designed to ease the task. It allows software teams to aggregate all the available cybersecurity data about an application in a centralized repository. From there, developers can run queries to quickly find potential vulnerabilities.

One of the sources from which GUAC collects application security data is the application’s SBOM, or software bill of materials. That’s a document in which developers list all the open-source components a program includes and the tools that were used to create it. SBOMs ease tasks such as determining whether a piece of software may contain an open-source module with a known vulnerability.

GUAC can also ingest so-called in-toto attestations. Those are files that serve a similar function to an SBOM but provide a more detailed overview of the application they describe. An in-toto attestation includes information about every step of the development process through which a piece of software was created.

Such documents also contain a cryptographic signature. That’s a kind of virtual seal developers place on a file before releasing it. By checking the seal, a company can determine if the file to which it’s attached may have been tampered with by hackers. 

GUAC works with Google’s SLSA framework as well. Released in 2021, SLSA helps organizations check the security of the build system that was used to create an application. A build system is the tool responsible for turning developers’ raw code files into a functioning program.

Cybersecurity records from GitHub, developer laptops and file storage repositories hosted in the major public clouds can be aggregated in GUAC. It also works with more specialized data sources such as deps.dev, a Google-run service that provides technical information about open-source projects.

Once GUAC collates the available cybersecurity data about an application, software teams can use a built-in query feature to search for vulnerabilities. Users also have access to a data visualization dashboard. It makes it easier to check the reliability of the external software components on which a program relies to work.

According to GUAC’s developers, enterprises can use the platform to scan an open-source application for known vulnerabilities before installing it. It also spots related issues, such as cases where a program lacks an SBOM describing what components it includes. It likewise identifies software components that weren’t downloaded from a trusted repository.

Managing application updates is another task that the platform promises to ease. Enterprise workloads often incorporate multiple open-source modules. Before upgrading a module to the latest version, developers can use GUAC to check that version for potential security weak points.
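As an added illustration (not GUAC’s own code or data model), the following Python sketch shows the aggregate-then-query idea described above: a constructed SBOM fragment and a constructed vulnerability feed are merged into one edge-labelled graph, which is then queried for the checks the article lists (known vulnerabilities, components of untrusted origin, and a pre-upgrade check of a candidate version). All package names, source URLs and advisory IDs are placeholders.

```python
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment for a hypothetical app (not a real SBOM).
SBOM = {
    "metadata": {"component": {"purl": "pkg:generic/billing-service@2.4.0"}},
    "components": [
        {"purl": "pkg:npm/libfoo@1.2.3", "source": "https://registry.npmjs.org"},
        {"purl": "pkg:npm/libbar@0.9.0", "source": "https://registry.npmjs.org"},
        {"purl": "pkg:generic/vendored-util@3.1.0", "source": "file:///home/dev/tmp"},
    ],
}
# Constructed vulnerability feed; the advisory ID is a placeholder, not a real CVE.
VULN_FEED = {"pkg:npm/libfoo@1.2.3": ["VULN-PLACEHOLDER-0001"]}
# Constructed allow-list of repositories the organisation trusts.
TRUSTED_SOURCES = {"https://registry.npmjs.org"}


def ingest(sbom, feed):
    """Merge an SBOM and a vulnerability feed into one edge-labelled graph:
    {node: {(edge_label, target), ...}}."""
    graph = defaultdict(set)
    app = sbom["metadata"]["component"]["purl"]
    for comp in sbom["components"]:
        purl = comp["purl"]
        graph[app].add(("depends_on", purl))
        graph[purl].add(("fetched_from", comp["source"]))
        for vuln_id in feed.get(purl, []):
            graph[purl].add(("affected_by", vuln_id))
    return graph


def query_vulnerable(graph):
    """Components that carry at least one affected_by edge."""
    return sorted(n for n, edges in graph.items()
                  if any(label == "affected_by" for label, _ in edges))


def query_untrusted_origin(graph, trusted):
    """Components whose recorded origin is not in the trusted allow-list."""
    return sorted(n for n, edges in graph.items()
                  for label, src in edges
                  if label == "fetched_from" and src not in trusted)


def safe_to_upgrade(feed, purl_new):
    """Pre-upgrade check: the feed lists nothing for the candidate version."""
    return not feed.get(purl_new)


if __name__ == "__main__":
    g = ingest(SBOM, VULN_FEED)
    print("vulnerable:", query_vulnerable(g))
    print("untrusted origin:", query_untrusted_origin(g, TRUSTED_SOURCES))
    print("libfoo 1.2.4 upgrade ok:", safe_to_upgrade(VULN_FEED, "pkg:npm/libfoo@1.2.4"))
```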

“With GUAC, users can establish connections and compliance in their software catalog, unveil gaps in software supply chain data, and enable threat detection and response,” Google engineer Brandon Lum and Kusari Chief Technology Officer Michael Lieberman wrote in a blog post.

GUAC is joining the OpenSSF’s software portfolio as an incubating project. The backing of a major open-source consortium can make it easier for a software project to win the confidence of risk-averse enterprise users. Additionally, GUAC’s developers said that joining OpenSSF will unlock access to technical feedback and other resources.
