Case Study: A discussion with Guidewire on GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

Michael Lieberman

August 2, 2023

Intro to GUAC

Software supply chain attacks are on the rise, and it’s hard to know what those risks are, where they sit, and how to protect against them. By ingesting metadata such as Software Bills of Materials (SBOMs), SLSA attestations, and more, the Graph for Understanding Artifact Composition (GUAC) aims to fill in the gaps by mapping out the relationships between pieces of software. When you know how one piece of software affects another, you can fully understand your software security posture and act as needed.

Architecture

GUAC’s architecture is made up of the following components:

  • GraphQL - This provides the API layer for GUAC, used for querying, ingesting, and integrating with other tools.
  • Backends - To persist the supply chain data, GUAC supports several database options. There is built-in support for ArangoDB as well as Ent (a generic ORM in Go); the architecture is designed so that support for other storage tools can be added easily in the future.
  • Collectors - Once your SBOM is ingested into GUAC, more information can be gathered about it. Collectors take the information already in GUAC and amend the graph with additional data, such as CVE data and OSSF Scorecard information.
  • CLI - To interact with GUAC as a user or through scripting, there is a CLI that lets you perform actions such as ingesting, querying, or marking a dependency as bad.

All of these components, excluding the CLI, can be run as Docker containers and can be deployed with either docker-compose or Helm.
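The kinds of question Guidewire lists below (tracing a running artifact back to its source and libraries, and gating a deployment on a denied library version or a dependency someone has marked bad) can be sketched over a tiny in-memory stand-in for the relationship graph GUAC builds. This is an added example, not GUAC's own code or API; the package URLs, source revisions and the shape of the `denied` policy are constructed assumptions.

```python
# Added illustration, not GUAC's own code or API: a tiny in-memory stand-in for
# the relationship graph GUAC builds from SBOMs (dependency edges) and SLSA
# provenance (artifact -> source), and two questions one asks of such a graph.
from collections import deque

# Constructed sample data; every identifier is a hypothetical package URL (purl).
CLAIMS = "pkg:oci/claims-api@sha256:aaa"
BILLING = "pkg:oci/billing-api@sha256:bbb"
DEPENDS_ON = {  # package -> direct dependencies, as ingested from SBOMs
    CLAIMS: ["pkg:maven/org.example/web@2.1.0", "pkg:maven/org.example/json-utils@1.4.2"],
    BILLING: ["pkg:maven/org.example/web@2.2.0"],
    "pkg:maven/org.example/web@2.1.0": ["pkg:maven/org.example/logger@3.0.1"],
    "pkg:maven/org.example/web@2.2.0": ["pkg:maven/org.example/logger@3.0.2"],
}
BUILT_FROM = {  # artifact -> source revision, as recorded from SLSA provenance
    CLAIMS: "git+https://example.invalid/claims-api@0123abcd",
    BILLING: "git+https://example.invalid/billing-api@89efcdab",
}
CERTIFY_BAD = {  # dependencies a team has explicitly marked bad (cf. the CLI)
    "pkg:maven/org.example/logger@3.0.1": "constructed: withdrawn release",
}

def transitive_deps(artifact):
    """Breadth-first walk over depends-on edges; returns every reachable package."""
    seen, queue = set(), deque([artifact])
    while queue:
        for dep in DEPENDS_ON.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def trace_deployment(artifact):
    """Priorities 1 and 2: source revision plus the full library contents of a running artifact."""
    return {"source": BUILT_FROM.get(artifact), "packages": sorted(transitive_deps(artifact))}

def policy_gate(artifact, denied):
    """Priority 4: deny when a transitive dependency is certified bad or is a denied
    library version; `denied` maps purl name -> set of versions ('*' means any)."""
    violations = []
    for dep in sorted(transitive_deps(artifact)):
        name, _, version = dep.partition("@")
        if dep in CERTIFY_BAD:
            violations.append((dep, "certifyBad: " + CERTIFY_BAD[dep]))
        elif denied.get(name, set()) & {version, "*"}:
            violations.append((dep, "denied by policy"))
    return {"allow": not violations, "violations": violations}
```

In a real deployment the dictionaries would be replaced by queries against GUAC's GraphQL API, and the gate would run in the admission path of the platform.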

Guidewire use case and interest

(The following is a discussion with Anoop Gopalakrishnan, Vice President Of Engineering at Guidewire Software)

Guidewire is the leading provider of insurance software products in the Property and Casualty domain, to deliver unparalleled service to their consumers in their hour of need and do it effectively and efficiently. Guidewire Cloud Platform (GWCP) is a platform as a service (PaaS) built on Kubernetes that allows Guidewire customers to run their insurance suite applications on the cloud. GWCP provides a number of benefits for customers including: faster time to market, scalability and elasticity, high availability, simplified operations, resource efficiency, and growing ecosystem integration. Apart from these, a secure software supply chain is of paramount importance when building a platform like Guidewire Cloud Platform (GWCP). As a platform as a service, it is designed to host Guidewire customers' insurance suite applications on the cloud, and its security must be taken seriously to ensure that the platform is reliable and trusted. We realized as we increased our market share and onboarded more customers onto our platform, we needed a more robust mechanism to provide evidence of security to our own compliance and auditing teams, which we are certain would be of immense value to our customers as well. Our current priorities are the following:

  1. How can we trace a running application down to all the steps that led up to its deployment in production?
  2. How do we demonstrate the contents of a running component of a platform including the commits as well as the third-party libraries it uses?
  3. How can we trust the trace graph?
  4. How can we empower our teams to enforce policies that can act as a gate to deny deployments to the platform based on specific libraries or their versions?
  5. How can we visualize the various trends across projects/teams and provide an analytic center for encouraging better practices?
  6. How can we keep ourselves and our customers safe from man-in-the-middle attacks, supply chain poisoning, and software counterfeiting?

Why GUAC?

We started off initially to build our own solution inspired by the various secure software supply chain papers as well as research done in the area, with the aim of being as SLSA compliant as possible. GUAC came along as open-source software at the right time, helping us pivot away from building a bespoke solution and involve ourselves with the best minds in this space who are behind the project. The most value we see with GUAC is its flexibility and plugin architecture helping the users achieve SLSA compliance at different levels.

By virtue of being a platform as a service, we are generating a lot of secure immutable artifacts like SBOMs, attestations, provenance, etc. from different parts of the platform. We extend GUAC to our custom solution that is helping us to ingest, collate and present the information in a very consumable format for our internal teams as customers. To us, the biggest value that GUAC has been producing is its open nature and the community that is behind it, from Google to Kusari and others. We are sure that as the industry progresses, the threats would become more complex, and relying on a tool that is backed by people with many years of experience in the area would make things easier for Guidewire to consume. At the same time, we have had a very receptive Kusari team that is willing to take our suggestions.

Trends in the industry?

As mentioned earlier, with the advent of more sophisticated technologies that can help engineer attacks, every software vendor, both proprietary and open source, would need to maintain vigilance. A few areas I think would garner more mind share as we progress are the following:

  1. Use of AI/ML to detect, mitigate and evolve to target new threats and thereby freeing up precious resources to focus on more strategic threats
  2. Increased focus on bringing transparency to the entire software supply chain. I believe there would be a greater emphasis on bills of materials of various kinds like Hardware BOMs/Environment BOMs etc., while Software BOMs still take up the majority of the mindshare.
  3. More organizational collaboration and focus on efficient data and transparency of the security process and a greater shift left tendency.
  4. A more software lifecycle-oriented approach to the detection of privacy concerns in code using static analysis.
  5. More awareness and demand for provenance and attestations from vendors of software across the board

How would you envision/plan to integrate and build around it?

Our approach is to be pragmatic and at the same time involve ourselves with standards that would help benefit many companies in these areas. We hope to continue our research with our teams on these areas and bring value to our customers and the Guidewire community at large. At the same time, I hope to collaborate with like-minded institutions to build open source frameworks with the same goal for a wider audience and impact.

Takeaway

Guidewire is just one of many companies leveraging GUAC to enhance their understanding of software supply chains. They've found real value in its flexibility, community support, and compliance features. With use cases from security to compliance, GUAC has provided significant benefits for Guidewire, allowing them to navigate the ever-increasing complexities of software supply chain attacks with confidence.

So, where do you stand? What are your needs around software supply chain security and visibility? We're interested in hearing about your challenges and how you're working to better understand and secure your software supply chains. The future of software security relies on ongoing conversations and collaborations in the community.
