Cutting-Edge GUAC Graph Database Set to Revolutionize Cloud Security with SBOMs
The tech industry is grappling with the challenge of applying software bill of materials (SBOM) data to cloud-native applications, but an open source group is preparing to unveil the first working version of a graph database project aimed at addressing this issue.
Called the Graph for Understanding Artifact Composition (GUAC), the project was developed by engineers from Google, Kusari, Purdue University, and Citi, with participation from other major tech vendors like Red Hat and Snyk. According to the project’s public roadmap, it is set to release a version 0.1 beta by March 31.
The GUAC beta will provide a platform where users can input documents from SBOMs and Supply-chain Levels for Software Artifacts (SLSA) and query that information. Previous software supply chain security initiatives such as Sigstore and SLSA have primarily focused on generating records for software builders. However, GUAC will enable users to utilize this information to reduce potential security vulnerabilities.
During a presentation at the Cloud Native SecurityCon in February, Ian Lewis, a developer advocate at Google Cloud, explained that “We haven’t totally solved the problem of getting information about the artifacts that we’re consuming…and how they relate to each other. GUAC…is used to ingest metadata and information about artifacts, and then allows for querying, understanding, and visualizing the relationships between those different types of artifacts.”
GUAC stores metadata about the provenance of software artifacts in a Neo4j graph database that’s accessed via GraphQL. As cloud-native applications grow increasingly complex, distributed, and ephemeral, knowledge graph systems such as GUAC are gaining traction in IT management because they can efficiently map complex relationships between data sets.
The GUAC project tackles a problem that IT organizations face in using SBOM information in cloud-native IT environments. In Kubernetes deployments, for instance, application components can be short-lived, and the relationships between them can change rapidly, making them difficult to track using traditional databases and static SBOM file formats.
The GUAC project initially emerged from discussions in the Cloud Native Computing Foundation (CNCF) Security Technical Advisory Group in July 2022 after President Joe Biden’s Executive Order 14028 included SBOMs as part of a new baseline of software security standards for the federal government. However, initial guidance on how to use SBOMs from government agencies was limited to on-premises software deployments, and cloud-native SBOM instructions were postponed pending further industry development.
Advancing cloud-native security through a comprehensive approach
The Graph for Understanding Artifact Composition (GUAC), an open-source graph database project that aims to provide a comprehensive solution to cloud-native security, is set to launch its beta version by March 31. Developed by engineers from Google, Kusari, Purdue University, and Citi, GUAC aims to provide a system that can ingest documents from software bills of material (SBOMs) and Supply-chain Levels for Software Artifacts (SLSA) and map the relationships between them in a way that is useful for both proactive and reactive security.
Jacques Chester, senior staff software developer at e-commerce service provider Shopify and a member of GUAC’s technical advisory committee, praised the beta release as being in line with his vision for a universal asset graph. However, he noted the need to flesh out how the relationships between assets are mapped in more detail, including tracking changes over time. The historical analysis is crucial for a comprehensive approach to cloud-native security, allowing for both reactive responses to vulnerabilities and proactive measures to prevent them.
According to Ian Lewis, a developer advocate at Google Cloud, GUAC’s knowledge graph system stores metadata about the provenance of software artifacts in a Neo4j graph database that’s accessed via GraphQL. This allows for efficient mapping of complex relationships between data sets, which is essential for tracking short-lived and rapidly changing application components in cloud-native environments like Kubernetes deployments.
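To make the ingestion-and-query model described above concrete, the following is an added example, not GUAC's own code or its GraphQL schema. It stands in for the graph store with plain Go maps: SBOM dependency edges and SLSA provenance statements are ingested into one graph, and two queries are run over it, the reactive one (which artifacts are affected if a given package is bad) and the proactive one (which artifacts carry no provenance at all). The package URLs, service names, builder URL and source repositories are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Edge is one "depends on" relationship as it would be extracted from an
// SBOM (for example an SPDX DEPENDS_ON relationship).
type Edge struct {
	From string // artifact that declares the dependency
	To   string // artifact it depends on
}

// Provenance is the small subset of a SLSA provenance statement used here:
// which builder produced the artifact and from which source.
type Provenance struct {
	Subject string
	Builder string
	Source  string
}

// ArtifactGraph is an in-memory stand-in for a graph store. It keeps the
// dependency edges in both directions so that "what does X pull in" and
// "what is affected if X is bad" are each a single traversal.
type ArtifactGraph struct {
	nodes      map[string]bool
	dependsOn  map[string][]string
	dependedBy map[string][]string
	provenance map[string]Provenance
}

func NewArtifactGraph() *ArtifactGraph {
	return &ArtifactGraph{
		nodes:      map[string]bool{},
		dependsOn:  map[string][]string{},
		dependedBy: map[string][]string{},
		provenance: map[string]Provenance{},
	}
}

// IngestSBOM adds the dependency edges from one SBOM document.
func (g *ArtifactGraph) IngestSBOM(edges []Edge) {
	for _, e := range edges {
		g.nodes[e.From], g.nodes[e.To] = true, true
		g.dependsOn[e.From] = append(g.dependsOn[e.From], e.To)
		g.dependedBy[e.To] = append(g.dependedBy[e.To], e.From)
	}
}

// IngestSLSA records a provenance statement for one artifact.
func (g *ArtifactGraph) IngestSLSA(p Provenance) {
	g.nodes[p.Subject] = true
	g.provenance[p.Subject] = p
}

// Affected answers the reactive question: every artifact that transitively
// depends on the given one (reverse reachability), sorted, excluding itself.
func (g *ArtifactGraph) Affected(artifact string) []string {
	seen := map[string]bool{artifact: true}
	queue := []string{artifact}
	out := []string{}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, parent := range g.dependedBy[cur] {
			if !seen[parent] {
				seen[parent] = true
				out = append(out, parent)
				queue = append(queue, parent)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Unattested answers the proactive question: which known artifacts have no
// SLSA provenance recorded, sorted.
func (g *ArtifactGraph) Unattested() []string {
	out := []string{}
	for n := range g.nodes {
		if _, ok := g.provenance[n]; !ok {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// SampleGraph builds a graph from constructed sample data. The package URLs,
// service names, builder and source repositories are invented for this example.
func SampleGraph() *ArtifactGraph {
	g := NewArtifactGraph()
	g.IngestSBOM([]Edge{
		{"pkg:oci/checkout-svc@v3", "pkg:golang/api-kit@1.4"},
		{"pkg:oci/checkout-svc@v3", "pkg:golang/logfmt@0.9"},
		{"pkg:golang/api-kit@1.4", "pkg:golang/compress-lib@2.1"},
		{"pkg:oci/billing-svc@v7", "pkg:golang/compress-lib@2.1"},
		{"pkg:oci/billing-svc@v7", "pkg:golang/logfmt@0.9"},
		{"pkg:oci/batch-job@v2", "pkg:golang/logfmt@0.9"},
	})
	g.IngestSLSA(Provenance{"pkg:oci/checkout-svc@v3", "https://example.invalid/builder/ci", "git+https://example.invalid/checkout"})
	g.IngestSLSA(Provenance{"pkg:oci/billing-svc@v7", "https://example.invalid/builder/ci", "git+https://example.invalid/billing"})
	return g
}

func main() {
	g := SampleGraph()
	fmt.Println("affected by compress-lib:", g.Affected("pkg:golang/compress-lib@2.1"))
	fmt.Println("no provenance:", g.Unattested())
}
```

The point of the reverse-edge index is the one the article makes about graph systems: when a library turns out to be vulnerable, answering "which deployed services include it, directly or through another library" is a traversal from that node rather than a scan of every stored SBOM, and the same graph answers the proactive question of which artifacts were never attested.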
Melinda Marks, an analyst at TechTarget’s Enterprise Strategy Group, believes that a comprehensive approach to cloud-native security could ultimately be more effective than traditional security measures. With the ability to quickly and efficiently track changes and identify which artifacts need more attention, cloud-native security can help organizations respond to vulnerabilities at runtime with greater speed and efficiency.
SBOM graph database: A call for community-driven security
While software supply chain security products for cloud-native apps exist, Jacques Chester, senior staff software developer at e-commerce service provider Shopify, argues that such systems should be a public good offered by vendor-neutral groups like the Open Source Security Foundation (OpenSSF).
Chester believes that OpenSSF might have to host a public instance of the Graph for Understanding Artifact Composition (GUAC) in the future, given the dearth of skilled experts in cutting-edge graph databases and the need for a trusted custodian.
Currently, the project is not governed by any specific open-source foundation, and there is uncertainty whether GUAC will follow the path of Kubernetes, which formed the basis for the Cloud Native Computing Foundation, or of Knative and Istio, which took years for Google to donate to CNCF.
Melinda Marks, an analyst at TechTarget’s Enterprise Strategy Group, believes GUAC will follow the Kubernetes route, taking a leading stance on community-driven security.
With the ultimate goal of providing proactive and reactive security, the next step for GUAC will be to map relationships between assets in more detail, allowing for historical analysis. This comprehensive approach could make cloud-native security more effective than traditional security.
In light of the benefits of a community-driven security approach, the call for GUAC to be offered as a public good is stronger than ever, ensuring that it is accessible to everyone who needs it.