The following are some of the use cases we have seen that GUAC can help address. If you have a use case not covered here, please let us know.
- Organizations are able to share SBOMs and software metadata for their software, and allow others to reason about it.
- An organization's security operators can prioritize software risk across the organization and set policies around it, for example:
  - Querying top artifact usage by ecosystem (Java, npm, Go, Python, etc.)
  - Querying artifacts with a high number of distinct vulnerabilities
  - Building a dashboard of the organization's remediation priorities
- Security operators can determine the blast radius of a bad package or vulnerability (or produce reports of affected products), and provide information and a patch plan towards remediation (optionally joined with asset databases).
- A new vulnerability surfaces: where did it come from, and how should it be remediated? The CVE may be reported through existing tooling (Snyk, Black Duck, static analysis) or through GUAC itself.
  - "The check engine light is on." What now? Provide guidance to remediate.
  - Determine the root cause of a CVE showing up in a scan.
  - As an engineer, I want to understand exactly where a vulnerable dependency sits in my supply chain so that I can remediate quickly and confidently, and be confident it will not come back.
- The security team can notify the appropriate team of a CVE (organizations tend to have massive CVE reports sorted by criticality but without attribution to an owning team).
  - As a security engineer, I want to alert the appropriate team of a vulnerability to reduce noise for the rest of the organization.
- Vendors are able to provide additional threat data to customers, which customers can apply to their own organizational policies and decisions.
- Security operators can enforce policy consistently across the entire SDLC, from development through build to production.
- Auditors want to be able to determine the security of the provenance of the software being used.
  - Provide the chain of evidence at a specific point in time to show who had which pieces of information, and when, in the case of an audit.
  - As an auditor, I want to understand whether a vulnerability was known at the time of an incident, and whether that information was known to the engineering team at that time, so that accountability can be traced to the appropriate internal organization.
- Licensing: determine the licenses of transitive open source dependencies.
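Several of the questions above (top artifacts per ecosystem, artifacts with the most distinct vulnerabilities, blast radius and affected products, and "exactly where is this dependency in my supply chain") are graph queries over SBOM dependency edges and vulnerability attestations. The following is an added example, not GUAC's own code or API: it builds a small in-memory graph from constructed data (every package URL and vulnerability ID below is a placeholder, not a real package or advisory) and answers each question with a short function, so the shape of the query is visible. In GUAC the same relationships come from ingested SBOMs and attestations and are queried through its API rather than from Python lists.

```python
from collections import defaultdict, deque

# Constructed sample SBOM data: (dependent, dependency) edges in package-URL form.
# None of these packages exist; they only illustrate the graph shape.
DEPENDENCIES = [
    ("pkg:maven/example/shop-frontend@2.0", "pkg:maven/example/http-client@1.4"),
    ("pkg:maven/example/shop-frontend@2.0", "pkg:maven/example/json-lib@3.1"),
    ("pkg:maven/example/payments@1.2", "pkg:maven/example/http-client@1.4"),
    ("pkg:maven/example/payments@1.2", "pkg:maven/example/json-lib@3.1"),
    ("pkg:maven/example/http-client@1.4", "pkg:maven/example/json-lib@3.1"),
    ("pkg:npm/example/admin-ui@5.0", "pkg:npm/example/charts@0.9"),
    ("pkg:golang/example.com/ingest@0.3", "pkg:golang/example.com/yamlparse@1.1"),
]

# Constructed vulnerability attestations: package -> set of vulnerability IDs.
# The IDs are placeholders, not real CVE/GHSA identifiers.
VULNERABILITIES = {
    "pkg:maven/example/json-lib@3.1": {"VULN-1", "VULN-2", "VULN-3"},
    "pkg:maven/example/http-client@1.4": {"VULN-4"},
    "pkg:npm/example/charts@0.9": {"VULN-5"},
}

# Constructed list of the organization's shipped products (graph roots).
PRODUCTS = {
    "pkg:maven/example/shop-frontend@2.0",
    "pkg:maven/example/payments@1.2",
    "pkg:npm/example/admin-ui@5.0",
    "pkg:golang/example.com/ingest@0.3",
}


def ecosystem_of(purl):
    """Return the package-URL type (maven, npm, golang, ...)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def top_artifacts_by_ecosystem(deps, ecosystem, n=3):
    """Rank packages of one ecosystem by number of distinct direct dependents."""
    dependents = defaultdict(set)
    for dependent, dependency in deps:
        if ecosystem_of(dependency) == ecosystem:
            dependents[dependency].add(dependent)
    ranked = sorted(dependents.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(pkg, len(users)) for pkg, users in ranked[:n]]


def artifacts_by_distinct_vulns(vulns, min_count=1):
    """Rank packages by how many distinct vulnerability IDs are attested on them."""
    ranked = sorted(vulns.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(pkg, len(ids)) for pkg, ids in ranked if len(ids) >= min_count]


def blast_radius(deps, package):
    """All transitive dependents of `package` (reverse BFS over the edges)."""
    reverse = defaultdict(set)
    for dependent, dependency in deps:
        reverse[dependency].add(dependent)
    seen, queue = set(), deque([package])
    while queue:
        for parent in reverse[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_products(deps, products, package):
    """Products whose dependency tree contains `package`, for a remediation report."""
    return sorted(blast_radius(deps, package) & products)


def dependency_paths(deps, root, target):
    """Every path from `root` down to `target`: where exactly the dependency sits."""
    forward = defaultdict(set)
    for dependent, dependency in deps:
        forward[dependent].add(dependency)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in sorted(forward[node]):
            if child not in path:  # guard against cyclic SBOM edges
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    bad = "pkg:maven/example/json-lib@3.1"
    print("top maven artifacts:", top_artifacts_by_ecosystem(DEPENDENCIES, "maven"))
    print("most vulnerable:", artifacts_by_distinct_vulns(VULNERABILITIES))
    print("blast radius of", bad, "->", sorted(blast_radius(DEPENDENCIES, bad)))
    print("affected products:", affected_products(DEPENDENCIES, PRODUCTS, bad))
    for p in dependency_paths(DEPENDENCIES, "pkg:maven/example/shop-frontend@2.0", bad):
        print("path:", " -> ".join(p))
```

Note that `dependency_paths` returns both the direct edge and the path through `http-client`; fixing only the direct declaration would leave the transitive copy in place, which is the "be confident it will not come back" concern above. The `child not in path` check keeps the walk terminating on SBOMs that contain dependency cycles.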