Google on Thursday announced that it’s seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.
“GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata,” Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News.
“GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”
The software supply chain has emerged as a lucrative attack vector for threat actors: exploiting just one weakness — as seen in the case of SolarWinds and Log4Shell — opens a pathway long enough to traverse down the supply chain and steal sensitive data, plant malware, and take control of systems belonging to downstream customers.