August 2, 2023
Software Supply Chain attacks are on the rise, and it’s hard to know what and where those risks are and how to protect against them. Leveraging metadata like Software Bills of Materials (SBOMs), SLSA attestations, and more, the Graph for Understanding Artifact Composition (GUAC) aims to fill in the gaps by ingesting this information and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.
GUAC’s architecture is made up of the following components:
All of these components, excluding the CLI, can be run as Docker containers and are available to be deployed through either docker-compose or Helm.
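The intro above describes the core idea behind GUAC: ingest SBOMs and SLSA provenance, turn them into a graph of artifact relationships, and then ask questions such as "which of my artifacts are affected if this library turns out to be vulnerable?" and "do I have build provenance for this artifact?". The following is an added illustration of that idea in plain Python, not GUAC's own code or data model; the SBOM, provenance statement, package names, versions, builder URL and digest are all constructed sample values.

```python
"""Toy artifact-relationship graph built from SBOM + provenance metadata.

Added example only: it mimics the kind of question GUAC answers (blast radius of
a dependency, presence of build provenance) on a tiny constructed data set.
"""
from collections import defaultdict, deque

# Constructed sample SBOM: SPDX-style packages and DEPENDS_ON relationships,
# trimmed to the fields this example actually reads.
SAMPLE_SBOM = {
    "name": "payments-service",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "payments-service", "versionInfo": "1.4.0"},
        {"SPDXID": "SPDXRef-http", "name": "libhttp", "versionInfo": "2.1.0"},
        {"SPDXID": "SPDXRef-tls", "name": "libtls", "versionInfo": "0.9.3"},
        {"SPDXID": "SPDXRef-log", "name": "liblog", "versionInfo": "5.0.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-http"},
        {"spdxElementId": "SPDXRef-http", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-tls"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log"},
    ],
}

# Constructed sample SLSA-provenance-like statement: which builder produced the
# application artifact. The digest is a placeholder, not a real hash.
SAMPLE_PROVENANCE = {
    "subject": [{"name": "payments-service", "digest": {"sha256": "<placeholder-digest>"}}],
    "predicate": {"builder": {"id": "https://ci.example.com/builder/v1"}},
}


def pkg_id(pkg):
    """Graph node identity for a package: name@version."""
    return f"{pkg['name']}@{pkg['versionInfo']}"


def build_graph(sbom, provenance=None):
    """Return (forward, reverse) adjacency maps of (relation, node) edges.

    forward[src] holds edges leaving src; reverse[dst] holds edges arriving at
    dst, which is what a 'who depends on X' query needs.
    """
    by_spdxid = {p["SPDXID"]: pkg_id(p) for p in sbom["packages"]}
    forward = defaultdict(set)
    reverse = defaultdict(set)
    for rel in sbom["relationships"]:
        if rel["relationshipType"] != "DEPENDS_ON":
            continue  # other SPDX relationship types are ignored in this toy
        src = by_spdxid[rel["spdxElementId"]]
        dst = by_spdxid[rel["relatedSpdxElement"]]
        forward[src].add(("DEPENDS_ON", dst))
        reverse[dst].add(("DEPENDS_ON", src))
    if provenance:
        builder = provenance["predicate"]["builder"]["id"]
        subject_names = {s["name"] for s in provenance["subject"]}
        for pkg in sbom["packages"]:
            if pkg["name"] in subject_names:
                forward[pkg_id(pkg)].add(("BUILT_BY", builder))
                reverse[builder].add(("BUILT_BY", pkg_id(pkg)))
    return forward, reverse


def dependents_of(reverse, node):
    """Every artifact that directly or transitively depends on `node` (its blast radius)."""
    seen, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for relation, parent in reverse.get(current, ()):
            if relation == "DEPENDS_ON" and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def builders_of(forward, node):
    """Builder identities recorded in provenance for `node`; empty means no provenance."""
    return {target for relation, target in forward.get(node, ()) if relation == "BUILT_BY"}


if __name__ == "__main__":
    fwd, rev = build_graph(SAMPLE_SBOM, SAMPLE_PROVENANCE)
    # If libtls had a vulnerability, which artifacts would be affected?
    print("affected by libtls@0.9.3:", sorted(dependents_of(rev, "libtls@0.9.3")))
    # Which artifacts carry build provenance, and which do not?
    for pkg in SAMPLE_SBOM["packages"]:
        print(pkg_id(pkg), "built by", builders_of(fwd, pkg_id(pkg)) or "<no provenance>")
```

The reverse adjacency map is the important design choice: vulnerability questions run against the dependency graph, so the graph has to be walkable from a leaf library back up to every artifact that contains it, not only from an application down to its dependencies. In the sample, a problem in libtls surfaces as affecting both libhttp and payments-service, while the absence of a BUILT_BY edge on the libraries shows where provenance is still missing.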
(The following is a discussion with Anoop Gopalakrishnan, Vice President of Engineering at Guidewire Software)
Guidewire is the leading provider of insurance software products in the Property and Casualty domain, to deliver unparalleled service to their consumers in their hour of need and do it effectively and efficiently. Guidewire Cloud Platform (GWCP) is a platform as a service (PaaS) built on Kubernetes that allows Guidewire customers to run their insurance suite applications on the cloud. GWCP provides a number of benefits for customers including: faster time to market, scalability and elasticity, high availability, simplified operations, resource efficiency, and growing ecosystem integration. Apart from these, a secure software supply chain is of paramount importance when building a platform like Guidewire Cloud Platform (GWCP). As a platform as a service, it is designed to host Guidewire customers' insurance suite applications on the cloud, and its security must be taken seriously to ensure that the platform is reliable and trusted. We realized as we increased our market share and onboarded more customers onto our platform, we needed a more robust mechanism to provide evidence of security to our own compliance and auditing teams, which we are certain would be of immense value to our customers as well. Our current priorities are the following:
We initially started off building our own solution, inspired by the various secure software supply chain papers as well as research done in the area, with the aim of being as highly SLSA compliant as possible. GUAC came along as open-source software at the right time, helping us pivot away from building a bespoke solution and involve ourselves with the best minds in this space who are behind the project. The most value we see with GUAC is its flexibility and plugin architecture, helping users achieve SLSA compliance at different levels.
By virtue of being a platform as a service, we are generating a lot of secure immutable artifacts like SBOMs, Attestations, Provenance, etc. from different parts of the platform. We extend GUAC to our custom solution that is helping us to ingest, collate and present the information in a very consumable format for our internal teams as customers. To us, the biggest value that GUAC has been producing is its open nature and the community that is behind it, from Google to Kusari and others. We are sure that as the industry progresses, the threats would become more complex, and relying on a tool that is backed by people with many years of experience in the area would make things easier for Guidewire to consume. At the same time, we have had a very receptive Kusari team that is willing to take our suggestions.
As mentioned earlier, with the advent of more sophisticated technologies that can help engineer attacks, every software vendor, both proprietary and open source, would need to maintain vigilance. A few areas I think would garner more mind share as we progress are the following:
Our approach is to be pragmatic and at the same time involve ourselves with standards that would help benefit many companies in these areas. We hope to continue our research with our teams on these areas and bring value to our customers and the Guidewire community at large. At the same time, I hope to collaborate with like-minded institutions to build open source frameworks with the same goal for a wider audience and impact.
Guidewire is just one of many companies leveraging GUAC to enhance their understanding of software supply chains. They've found real value in its flexibility, community support, and compliance features. With use cases from security to compliance, GUAC has provided significant benefits for Guidewire, allowing them to navigate the ever-increasing complexities of software supply chain attacks with confidence.
So, where do you stand? What are your needs around software supply chain security and visibility? We're interested in hearing about your challenges and how you're working to better understand and secure your software supply chains. The future of software security relies on ongoing conversations and collaborations in the community.