2 min Security

Google launches GUAC, open-source tool for software security reviews

Google launches GUAC, open-source tool for software security reviews

Google introduced GUAC, an all-new cybersecurity tool that combines strategic data from different sources to help developers efficiently review and analyze software security.

Google collaborated with Citibank NA, Purdue and Kusari to launch the tool, which helps companies find software vulnerabilities before incorporating software in their environments.

GUAC performs complex analyses to find hard-hitting software vulnerabilities. Using GUAC, software developers can better understand the software’s security by analyzing individual code components. Google developed the project in partnership with a technical advisory group that includes employees from various notable organizations, including Shopify, Intel and IBM.

“To understand something complex like the blast radius of a vulnerability, one needs to trace the relationship between a component and everything else in the portfolio — a task that could span thousands of metadata documents across hundreds of sources. In the open source ecosystem, the number of documents could reach into the millions”, engineers from Google’s open-source security team said in a blog post.

GUAC combines data from various sources

Many companies attempt to thoroughly ensure the security of software before fully incorporating software into their environments. This process can take substantive time and effort, as it involves reviewing extensive technical data spread throughout multiple systems. That’s where GUAC comes in. The tool collects and organizes data from different sources, allowing developers to quickly review software security.

GUAC merges SBOM data with SLSA and OpenSSF Scorecards. SLSA allows developers to add cryptographic signatures to software code. Reviewing cryptographic signatures allows companies to determine whether code was downloaded from a trusted source.

Moreover, GUAC helps developers to scan OpenSSF Scorecards to identify potential cybersecurity issues. Once the processing is complete, they can quickly review the database to asses if the respective application meets their cybersecurity requirements. Google has released GUAC in a ‘proof-of-concept phase’. It’s further being developed to expand the type of cybersecurity data that GUAC can process.

Tip: OutSystems CEO: “Shift-left is great for us, it fits our environment very well”