Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC - Jeff Mendoza, Kusari & Ben Hirschberg, ARMO
Abstract
The best way to secure your software is to know what’s in it. But do you use software bills of materials (SBOMs) at build time, or do you scan what’s actually running? Build-time analysis lets you know what’s in your application before you deploy it. Run-time analysis tells you what’s actually in use right now. With GUAC’s Kubescape integration, you can have both. GUAC, an OpenSSF incubating project, creates a graph database of your supply chain information from many sources and supports querying it to derive insights. It now supports collecting cluster scan data from Kubescape, a CNCF sandbox project that provides comprehensive security coverage. Used together, they provide a powerful tool for consuming, storing, managing, and analyzing software supply chain information that reflects what software is actually used at run time, not just what is compiled into the environment.