"Google Releases Open-Source Security Tool to Centralize SBOM Management"

Open-source security remains a central concern in enterprise security. Following the SolarWinds software supply chain compromise and the Colonial Pipeline ransomware attack, President Biden issued Executive Order 14028, which requires suppliers of software to the federal government to provide an accurate Software Bill of Materials (SBOM). In support of this effort, Google announced Graph for Understanding Artifact Composition (GUAC), a tool that aggregates software security metadata from many open-source projects and other sources and presents it as a single queryable graph. With GUAC, users can query SBOMs, SLSA provenance attestations, and OpenSSF Scorecard results to assess the integrity and security of their software supply chain. This gives enterprises a way to audit the open-source software they consume and increases transparency over the dependencies that other open-source projects pull in. The announcement comes amid a reported 300 percent increase in software supply chain attacks in 2021; according to software vendors, threat actors are actively looking for exploitable open-source vulnerabilities, particularly ones as widespread as Log4j. It also continues Google's collaboration with OpenSSF and the SLSA, SPDX, and CycloneDX communities on ready access to SBOMs, signed attestations of how software was built (SLSA), the SLSA Level 3 GitHub Actions builder, and vulnerability databases.

A central tool that unifies this metadata across many open-source projects has the potential to improve open-source security in general, because visibility into it is critical for enterprises managing the security of open-source software and its dependencies. GUAC can ingest open public datasets such as OSV, first-party internal sources such as an organization's own repositories, and third-party sources such as commercial data vendors. From these it imports data on artifacts, projects, resources, vulnerabilities, repositories, and developers. This article continues to discuss Google's GUAC tool and how it can help improve software supply chain security.
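To make the "single graph" idea concrete, the following Python is an added example (not GUAC's own code, schema, or query language) showing the kind of join GUAC performs: an SBOM, an OSV-style vulnerability record, a SLSA provenance statement, and Scorecard results are linked on package URLs (purls) and artifact digests, and the resulting graph is queried for vulnerable artifacts, artifacts with no build attestation, and dependencies from low-scoring repositories. All documents are constructed for the example and carry only the fields the code uses; the vulnerability record is an abbreviated OSV-style entry for the real Log4Shell advisory CVE-2021-44228, while the second package, its repository, the builder ID, and the Scorecard numbers are hypothetical.

```python
"""Toy metadata graph in the spirit of GUAC (example code, not GUAC itself)."""
import hashlib
from collections import defaultdict

# Digest of the artifact under analysis; contents are constructed for the example.
DIGEST = hashlib.sha256(b"myapp-1.0.jar (constructed contents)").hexdigest()

# SPDX-style SBOM, reduced to the fields used here (constructed).
SBOM = {
    "name": "myapp-1.0.jar",
    "checksums": [{"algorithm": "SHA256", "checksumValue": DIGEST}],
    "packages": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "repo": "github.com/apache/logging-log4j2"},
        {"purl": "pkg:maven/com.example/util@1.2.0",        # hypothetical package
         "repo": "github.com/example/util"},                 # hypothetical repo
    ],
}

# OSV-style record for CVE-2021-44228, abbreviated: explicit affected versions
# only (the real record uses version ranges; 2.14.1 is affected, 2.15.0 fixed).
OSV = [{
    "id": "CVE-2021-44228",
    "affected": [{
        "package": {"ecosystem": "Maven",
                    "name": "org.apache.logging.log4j:log4j-core"},
        "versions": ["2.14.0", "2.14.1"],
    }],
}]

# SLSA provenance in in-toto statement shape (constructed; builder ID hypothetical).
PROVENANCE = [{
    "subject": [{"name": "myapp-1.0.jar", "digest": {"sha256": DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://example.com/ci/slsa3-builder"}},
}]

# Scorecard aggregate scores per repository (constructed numbers, not real ratings).
SCORECARDS = {"github.com/apache/logging-log4j2": 6.5, "github.com/example/util": 8.1}


def purl_to_osv_name(purl):
    """Map pkg:maven/<group>/<artifact>@<version> to OSV's "group:artifact" form."""
    if not purl.startswith("pkg:maven/"):
        return None, None                       # only Maven purls handled here
    coords, version = purl[len("pkg:maven/"):].rsplit("@", 1)
    group, artifact = coords.split("/", 1)
    return f"{group}:{artifact}", version


def build_graph(sbom, osv, provenance, scorecards):
    """Return the graph as a set of (source, relation, destination) edges."""
    edges = set()
    art = "artifact:" + sbom["checksums"][0]["checksumValue"]
    edges.add((art, "named", sbom["name"]))
    for pkg in sbom["packages"]:
        purl = pkg["purl"]
        edges.add((art, "depends_on", purl))
        edges.add((purl, "source", pkg["repo"]))
        if pkg["repo"] in scorecards:
            edges.add((pkg["repo"], "scorecard", scorecards[pkg["repo"]]))
        name, version = purl_to_osv_name(purl)
        for vuln in osv:                        # link package -> advisory
            for aff in vuln["affected"]:
                p = aff["package"]
                if (p["ecosystem"] == "Maven" and p["name"] == name
                        and version in aff.get("versions", [])):
                    edges.add((purl, "affected_by", vuln["id"]))
    for stmt in provenance:                     # link artifact digest -> builder
        for subj in stmt["subject"]:
            edges.add(("artifact:" + subj["digest"]["sha256"], "built_by",
                       stmt["predicate"]["builder"]["id"]))
    return edges


def out(edges, src, rel):
    """Destinations reachable from src over one relation."""
    return {d for s, r, d in edges if s == src and r == rel}


def vulnerable_artifacts(edges):
    """artifact -> sorted advisory IDs reached via depends_on then affected_by."""
    found = defaultdict(set)
    for art in {s for s, r, _ in edges if r == "depends_on"}:
        for purl in out(edges, art, "depends_on"):
            found[art] |= out(edges, purl, "affected_by")
    return {a: sorted(v) for a, v in found.items() if v}


def unattested_artifacts(edges):
    """Artifacts that have dependencies recorded but no SLSA built_by edge."""
    arts = {s for s, r, _ in edges if r == "depends_on"}
    return sorted(a for a in arts if not out(edges, a, "built_by"))


def low_scorecard_deps(edges, threshold):
    """(purl, repo, score) for dependencies whose repo scores below threshold."""
    flagged = []
    for purl in {d for _, r, d in edges if r == "depends_on"}:
        for repo in out(edges, purl, "source"):
            for score in out(edges, repo, "scorecard"):
                if score < threshold:
                    flagged.append((purl, repo, score))
    return sorted(flagged)


GRAPH = build_graph(SBOM, OSV, PROVENANCE, SCORECARDS)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_artifacts(GRAPH))
    print("unattested:", unattested_artifacts(GRAPH))
    print("low scorecard:", low_scorecard_deps(GRAPH, 7.0))
```

The point of the join is that no single document answers any of the three questions: the SBOM knows what is inside the artifact but nothing about advisories, OSV knows advisories but nothing about your artifacts, and provenance and Scorecard speak only about builders and repositories. Real deployments replace the explicit version list with proper ecosystem-aware range matching and key everything on verified digests rather than names.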

VB reports "Google Releases Open-Source Security Tool to Centralize SBOM Management"

Submitted by Anonymous on