October 20, 2022
Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance. The recent report from Sonatype, State of the Software Supply Chain, has shown that supply chain attacks are on the rise (a 742% average annual increase over the past 3 years). Along with the fact that 6 out of 7 project vulnerabilities come from transitive dependencies, the industry is in desperate need of a clear, holistic understanding of the software supply chain.
To this end, Kusari has been collaborating with enterprises like Google and Citi, along with Purdue University, on a new open source project known as GUAC (Graph for Understanding Artifact Composition). GUAC was initially conceived and architected by members of Kusari, Google and Purdue, all of whom have been facing this issue in both the open source and vendor spaces. With so much metadata about our software out there like SBOMs, SLSA attestations, and CVEs it can be difficult to know where to even get started in securing an organization’s supply chain.
GUAC is built to satisfy the need to correlate all this metadata about software in an easy to consume manner. GUAC is a knowledge graph that ingests data from various sources to create a more complete view of the current state of the software supply chain within an organization as well as the community at large. Using this information, we can create policies and continuously monitor for changes while providing the insight needed to make the critical decisions during a software supply chain incident.
Due to the rise of software supply chain attacks, there has been a push from the US and other governments to address this issue. Between Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, the government memo that defined the actions and timeline for the various agencies, and finally the recent bill for the Securing Open Source Software Act of 2022, there has been a strong signal for organizations and the open source community to start generating secure and trustworthy artifacts whose provenance is known. Open source communities have rallied together and have started to address this through build frameworks like SLSA, vulnerability databases like OSV, the generation of software bills of materials (SBOMs), and secure builders like FRSCA.
There has been a focus on attesting to secure build, generating metadata like SBOMs, and signing it all in order to protect our supply chains, but we are missing tools to leverage that information. GUAC aims to fill this gap by providing a way to consume this metadata allowing people to make proactive, preventative and reactive decisions for their software supply chain.
Kusari was started with the goal of making software supply chain security easy while not burdening engineers, legal, managers, and other staff. We are excited to help provide the tools the community needs to answer the hard questions they have about their supply chain. While GUAC is still in its early stages, we see it as the tool that answers both simple questions like “Do I have an SBOM for this package?” and more complicated questions like “What container images have I ingested that use a vulnerable version of log4j anywhere in their transitive dependencies?” We can’t start fixing the hard problems until we first figure out what we’re dealing with.
GUAC was designed to continuously collect software supply chain metadata like attestations and SBOMs, and vulnerability streams like CVEs and VEX, from various sources. It then integrates that information into a queryable graph that maintains relationships such as those between packages and their dependencies. This makes it simple both to answer the hard questions and to know when there isn’t enough information out there.
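To make the idea of a queryable graph concrete, here is a small added example in Go (the language GUAC itself is written in). It is not GUAC’s code or schema; it is a toy graph built from three constructed “sources” (SBOMs linking images to packages, package dependency metadata, and a vulnerability feed) that answers the two questions above: whether an image has an SBOM at all, and which images reach an affected package anywhere in their transitive dependencies. The image names, package versions and dependency edges (including the cycle) are made up for illustration; the only real fact used is that CVE-2021-44228 affects log4j-core 2.14.1 and not 2.17.1. Note how an image with no SBOM is reported as unknown rather than clean: lack of metadata is itself a finding.

```go
package main

import "fmt"

// Node kinds in the toy knowledge graph (hypothetical, not GUAC's model).
type Image string   // container image reference
type Package string // name@version
type Vuln string    // vulnerability identifier

// Graph stores facts ingested from different sources:
//   sbom:    image   -> direct packages (from the image's SBOM)
//   deps:    package -> direct dependencies (from package metadata)
//   affects: vuln    -> affected packages (from a vulnerability feed)
// An image missing from sbom is one we have no SBOM for.
type Graph struct {
	sbom    map[Image][]Package
	deps    map[Package][]Package
	affects map[Vuln][]Package
}

func NewGraph() *Graph {
	return &Graph{
		sbom:    map[Image][]Package{},
		deps:    map[Package][]Package{},
		affects: map[Vuln][]Package{},
	}
}

func (g *Graph) IngestSBOM(img Image, pkgs ...Package)      { g.sbom[img] = append(g.sbom[img], pkgs...) }
func (g *Graph) IngestDeps(from Package, to ...Package)      { g.deps[from] = append(g.deps[from], to...) }
func (g *Graph) IngestVuln(v Vuln, affected ...Package)      { g.affects[v] = append(g.affects[v], affected...) }

// HasSBOM answers "Do I have an SBOM for this image?"
func (g *Graph) HasSBOM(img Image) bool { _, ok := g.sbom[img]; return ok }

// Finding is an affected image plus one dependency path to the vulnerable package.
type Finding struct {
	Image Image
	Path  []Package
}

// pathTo does a depth-first walk over dependency edges from start and returns the
// first path that ends at a package in target. The visited set makes it safe on
// cyclic dependency data, which real SBOMs do contain.
func (g *Graph) pathTo(start Package, target map[Package]bool) []Package {
	visited := map[Package]bool{}
	var dfs func(p Package, path []Package) []Package
	dfs = func(p Package, path []Package) []Package {
		if visited[p] {
			return nil
		}
		visited[p] = true
		path = append(path, p)
		if target[p] {
			return append([]Package(nil), path...) // copy: path's backing array is shared
		}
		for _, d := range g.deps[p] {
			if found := dfs(d, path); found != nil {
				return found
			}
		}
		return nil
	}
	return dfs(start, nil)
}

// AffectedImages answers "which of these images use a package affected by v anywhere
// in their transitive dependencies?". Images without an SBOM are returned as unknown
// instead of being silently treated as clean.
func (g *Graph) AffectedImages(v Vuln, images []Image) (findings []Finding, unknown []Image) {
	target := map[Package]bool{}
	for _, p := range g.affects[v] {
		target[p] = true
	}
	for _, img := range images {
		direct, ok := g.sbom[img]
		if !ok {
			unknown = append(unknown, img)
			continue
		}
		for _, p := range direct {
			if path := g.pathTo(p, target); path != nil {
				findings = append(findings, Finding{Image: img, Path: path})
				break
			}
		}
	}
	return findings, unknown
}

// SampleGraph builds constructed sample data: three images, one of which has no SBOM.
func SampleGraph() *Graph {
	g := NewGraph()
	g.IngestSBOM("registry.example/app:1.0", "spring-boot@2.5.0", "guava@31.0")
	g.IngestSBOM("registry.example/api:3.2", "log4j-core@2.17.1")
	// "registry.example/worker:0.9" deliberately has no SBOM ingested.
	g.IngestDeps("spring-boot@2.5.0", "spring-core@5.3.0", "logging-shim@1.0")
	g.IngestDeps("spring-core@5.3.0", "spring-jcl@5.3.0")
	g.IngestDeps("spring-jcl@5.3.0", "spring-core@5.3.0") // constructed cycle
	g.IngestDeps("logging-shim@1.0", "log4j-core@2.14.1")
	g.IngestVuln("CVE-2021-44228", "log4j-core@2.14.1") // 2.17.1 is not affected
	return g
}

func SampleImages() []Image {
	return []Image{"registry.example/app:1.0", "registry.example/api:3.2", "registry.example/worker:0.9"}
}

func main() {
	g := SampleGraph()
	findings, unknown := g.AffectedImages("CVE-2021-44228", SampleImages())
	for _, f := range findings {
		fmt.Printf("AFFECTED %s via %v\n", f.Image, f.Path)
	}
	for _, img := range unknown {
		fmt.Printf("UNKNOWN  %s (no SBOM ingested)\n", img)
	}
}
```

The app image is flagged through a three-hop path even though log4j-core never appears in its direct dependency list, the api image is clean because 2.17.1 is not in the feed’s affected set, and the worker image comes back as unknown. A policy engine fed by such a graph can then block the first, allow the second, and demand an SBOM for the third.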
Kusari’s focus has been to provide organizations with tools that are easy to integrate and that remove the pain points of all those involved in the consumption and delivery of software. The major pain points we have seen come up time and time again are:
Currently, organizations are relying on a patchwork of tools and processes to address the problems, few of which integrate well together. Whether it’s static and dynamic analysis of code or artifacts, CVE detection, or manual approval gates for deployments through the release process, it adds a lot of error-prone work. This adds unnecessary complexity and uncertainty to how organizations use and produce software.
GUAC will address these pain points by allowing for quick discovery of vulnerable dependencies and what packages are affected. It will help identify suspicious software with a lack of trustworthy metadata like SLSA attestations. Most importantly, it will provide visibility into a space that is plagued with unknown unknowns.
As GUAC and the tooling around it evolve, people will be able to create policies and automation that restrict the ingestion and movement of vulnerable artifacts in the SDLC. This not only removes the concern of running vulnerable artifacts in production but also greatly reduces the MTTR (mean time to recovery).
GUAC is still in the early stages of development and we have many plans for it going forward. Stay tuned, but also get involved if you are interested in seeing where this project goes. We would love to collaborate with various individuals and design partners to progress GUAC in a direction that will remove the dreaded uncertainty that plagues the supply chain security space.
Kusari’s Michael Lieberman and Google’s Mihai Maruseac will be presenting GUAC at the upcoming KubeCon North America 2022 in Detroit. Be sure to tune in either virtually or in person to see GUAC in action and the benefits that it brings. Be sure to also check out the companion article posted by Google on GUAC for a more in-depth look at the various components and how it all comes together!