Applying software bill of materials data to cloud-native applications remains an unsolved problem for the tech industry, but an open source group will soon roll out the first deployable version of a graph database project that proponents believe will help.
The project, the Graph for Understanding Artifact Composition (GUAC), was developed by a group of engineers from Google, Kusari, Purdue University and Citi. Reps from other tech vendors such as Red Hat and Snyk were also listed among attendees at recent GUAC community meetings. According to a public roadmap, it's now due for a version 0.1 beta release by March 31.
The GUAC beta will provide a runnable service where users can ingest documents from software bills of materials (SBOMs) and Supply-chain Levels for Software Artifacts (SLSA) and query that information, the roadmap page states.
So far, software supply chain security projects such as Sigstore and SLSA have focused on generating records for software builders, according to a presentation at Cloud Native SecurityCon in February by Ian Lewis, a developer advocate at Google Cloud.
GUAC will provide a way for consumers to use that information to mitigate security vulnerabilities, he said.
"We haven't totally solved the problem of getting information about the artifacts that we're consuming ... and how they relate to each other," Lewis said during the presentation. "GUAC ... is used to ingest metadata and information about artifacts, and then allows for querying, understanding and visualizing the relationships between those different types of artifacts."
GUAC stores metadata about the provenance of software artifacts in a Neo4j graph database that's accessed via GraphQL. Such knowledge graph systems are gaining popularity among IT management tools as cloud-native applications grow more distributed, ephemeral and dense, because they can efficiently map complex relationships between data sets.
The GUAC project applies these features of a knowledge graph to a similarly thorny problem facing IT organizations that want to use SBOM information in cloud-native IT environments. In Kubernetes deployments, for example, application components can be short-lived, and the relationships between them can change quickly, making them difficult to track using static SBOM file formats and traditional databases.
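As an added illustration (not GUAC's own code, schema or GraphQL API), the snippet below builds the kind of artifact graph the article describes from a constructed CycloneDX-style SBOM and a constructed SLSA-style provenance statement, then answers a reactive question (which artifacts transitively include a given package) and a proactive one (which top-level artifacts lack an attestation from a trusted builder). The document shapes, package URLs, digest and builder id are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample documents, not real tool output. Their shapes loosely follow
# CycloneDX (a dependencies list) and SLSA provenance (subject/predicate), trimmed.
SBOM = {
    "dependencies": [
        {"ref": "pkg:oci/payments@sha256:0000", "dependsOn": ["pkg:npm/express@4.18.2"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/lodash@4.17.20"]},
    ],
}
PROVENANCE = {
    "subject": [{"name": "pkg:oci/payments@sha256:0000"}],
    "predicate": {"builder": {"id": "https://ci.example.invalid/builder"}},  # placeholder id
}

class ArtifactGraph:
    """Minimal artifact graph: 'depends on' and 'built by' edges keyed by package URL."""
    def __init__(self):
        self.depends_on = defaultdict(set)  # artifact -> direct dependencies
        self.dependents = defaultdict(set)  # dependency -> artifacts that include it
        self.built_by = {}                  # artifact -> builder id from provenance
    def ingest_sbom(self, sbom):
        for entry in sbom.get("dependencies", []):
            for dep in entry.get("dependsOn", []):
                self.depends_on[entry["ref"]].add(dep)
                self.dependents[dep].add(entry["ref"])
    def ingest_provenance(self, statement):
        builder = statement["predicate"]["builder"]["id"]
        for subject in statement["subject"]:
            self.built_by[subject["name"]] = builder
    def affected_by(self, purl):
        """Reactive query: every artifact that transitively includes `purl`."""
        seen, stack = set(), [purl]
        while stack:
            for parent in self.dependents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen
    def roots_without_trusted_provenance(self, trusted_builders):
        """Proactive query: top-level artifacts with no attestation from a trusted builder."""
        roots = {a for a in self.depends_on if not self.dependents.get(a)}
        return {a for a in roots if self.built_by.get(a) not in trusted_builders}

def build_graph():
    graph = ArtifactGraph()
    graph.ingest_sbom(SBOM)
    graph.ingest_provenance(PROVENANCE)
    return graph
```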
The GUAC project first emerged in discussions in the Cloud Native Computing Foundation (CNCF) Security Technical Advisory Group in July 2022 in the wake of President Joe Biden's Executive Order 14028. The executive order included SBOMs as part of a new baseline of software security standards for the federal government. But initial guidance on how to use SBOMs from government agencies was limited to on-premises software deployments, while cloud-native SBOM instructions were put off pending further industry development.
A push for comprehensive cloud-native security
One member of the project's technical advisory committee said the beta release matches what he'd envisioned for a universal asset graph in a seminal 2020 blog post that informed GUAC's design.
"I have quibbles with some of the details, but I think they've sort of nailed the thrust of it, which was essentially around the scope of the data that needed to be included," said Jacques Chester, senior staff software developer at e-commerce service provider Shopify, who noted that he was speaking as an individual rather than representing the company.
The next step for GUAC will be to flesh out how it maps the relationships between those assets in more detail, including a view of how those relationships have changed over time, Chester said.
"Conventional database schemata tend to lend themselves to unintentionally destroying historical information," he said. "[If] you can't reconstruct your knowledge of the world at [a given] point in time ... you can't know for certain whether you made a decision that was sensible."
Allowing for this historical analysis is in keeping with GUAC's mission to provide a system that's useful for both proactive and reactive security, as described in the Cloud Native SecurityCon presentation by Lewis.
"GUAC can apply to a lot of different aspects of discoverability and auditing across the lifecycle of a vulnerability, from the reactive, [determining] how you're affected by something that's actually happened ... [to] the proactive, trying to understand the wider security implications of different artifacts and which artifacts need more attention," Lewis said.
This kind of comprehensive approach could ultimately make cloud-native security more effective than traditional security, said Melinda Marks, an analyst at TechTarget's Enterprise Strategy Group.
"There's always going to be vulnerabilities at runtime," Marks said. "When those things happen, you need to be able to act quickly, and if you have that information on which developer did what, it makes it a lot more efficient than if you're only monitoring the runtime environment."
SBOM database as public good
Software supply chain security products that encompass cloud-native apps are available from vendors such as Rezilion, but Chester said he believes such systems should be offered as a public good by vendor-neutral groups such as the Open Source Security Foundation (OpenSSF).
OpenSSF already hosts a public instance of the Sigstore software signing project, and given a general lack of skilled experts in cutting-edge graph databases, it might have to do the same for GUAC in the future, Chester said.
"Most of the world's knowledge graph experts are working for one of the [tech] giants," he said. "You need a custodian in whom people can place trust that they won't bend it to proprietary advantage."
So far, the project is not governed by any specific open source foundation, and with Google at its helm, it's still an open question whether GUAC will follow the path of Kubernetes, which formed the basis for the CNCF, or of Knative and Istio, which took years for Google to donate to CNCF.
Marks said she believes GUAC will go the Kubernetes route.
"It's in their interest to say, 'This is what we're using. We're sharing it, we want you to build on it, we want more vendors involved,'" she said. "It's smart for them to take a leading stance on this."
Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.