 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
So now your security team has a software bill of materials (SBOM) for its open source applications. What’s next? If you are KubeCon + CloudNativeCon EU March 19-22 in Paris, stop by the Kusari booth (#M30) to learn more about the Graph for Understanding Artifact Composition (GUAC), which puts all that SBOM data into a more readily-understandable graph data format, augmenting it with vulnerability data.
On Thursday, the Open Source Security Foundation (OpenSSF) adopted GUAC as an incubating project. Open SSF will bring many things to GUAC, including access to and feedback from SBOM and CycloneDX domain experts.
“There’s a lot of a lot of tools generating [security] data, but not a lot of things taking all this information together and like actually utilizing it,” said Michael Lieberman, Kusari co-founder and CTO, in an interview with The New Stack. “GUAC aggregates all this information into a graph database, which you can actually use for actionable insights.”
Kusari, Google and researchers from Purdue University and Citi developed GUAC, which attracted support from companies such as Yahoo, Microsoft, Red Hat, Guidewire and ClearAlpha Technologies.
Thus far the project has attracted 50 contributors, 300 community members and more than 1,100 stars on GitHub.
GUAC was truly a community effort, Lieberman said.
Security academics have long suggested dependency graphs could be useful for revealing hidden dependencies. Lieberman — who is an OpenSSF Governing Board and TAC member; as well as a CNCF Security TAG lead — saw a lot of interest from the commercial sector for a tool of this nature.
“Instead of us all building different things, we came together and started building something,” Lieberman said.
The current version is available as a beta, offering results via a standard Rest API, GraphAPI, and by command line.
GAUC provides the data to display a detailed graph that visualizes all the software in an SBOM, including first-party, third-party or open source software. The software ingests SBOMS in either the SPDX and CycloneDX formats.
It has a set of collectors to pull data from repositories such as Docker Hub. It can also take in data from local file systems, Amazon Web Services‘ S3, Google Cloud, and external package repositories like GitHub Releases.
To augment this data, GUAC pulls in and integrates vulnerability data, via APIs, from sources such as the Open Source Insights’ deps.dev and Open Source Vulnerabilities.
“We’re enriching the SBOMs with these other open source tools,” Lieberman said.
GUAC in collates this data and returns the information as a set of data nodes and relationships. These artifacts can be used to understand the gaps in software supply chain data, and pinpoint areas of weaknesses in the software stack.
You can query a graph to pinpoint the vulnerabilities within an SBOM, including transitive dependencies where one application depends on a library which in turn relies on a vulnerable element.
Beyond security, it can also highlight packages with restrictive licensing (which can cause a lawsuit).
At KubeCon, the GUAC team is looking for more input from folks who feel they don’t have enough visibility into their supply chain issues. They are looking for heretofore undiscovered use cases.
They are looking for new data sources and feedback on new features, or features that should be added.
Last month, OpenSSF posted a set of principles for securing packaging repositories, establishing a taxonomy and a tier security maturity, from one to four.
As for Kusari itself, it is building a security platform based on GUAC and other tools. The company is contemplating offering it as a service, or maybe selling a version with additional analytics.
“Your software environments are becoming more and more complicated every year. And in order to understand those complex environments, you need to have tools to help out with that. And that’s where Kusari comes in” Lieberman said.
