Note: Verizon Media is now known as Yahoo.
In October, the Paranoids — the information security team inside Yahoo — added key contributions to Grafeas, an open-source supply chain auditing tool.
Grafeas enables us to store critical metadata from various events that happen during the software development lifecycle, including:
Ultimately, the Paranoids use this data to decide whether a particular version of software can be deployed to production. It enables us to enforce security policies such as preventing the deployment of software with known vulnerabilities.
This is part of our overall software supply chain security strategy.
For us, Grafeas is a critical piece of infrastructure. Downtime is unacceptable.
With RDS, we get the benefits of improved scalability and reliability — sans managing our own backend database.
Using RDS also gave us an additional security benefit. It uses Amazon’s IAM system, which helps us audit and control access and eliminates the need for static passwords or credentials.
But that’s not all we’re doing to improve the open-source project.
We worked with the Grafeas community to improve support for vulnerability information standards. These standards include CVSS v2 and CVSS v3, with CWE support in progress. We also improved Grafeas by adding database filtering for PostgreSQL, ultimately making queries more efficient.
Why are we telling you this? We’d love to hear if our contributions are actually working for you. So, fork it.
About the Authors
Aditya Mahendrakar is an Engineering Director in the Paranoids group at Yahoo. In his current role, he leads a team of passionate individuals who research and build security capabilities into Yahoo infrastructure and applications that help defend against various attacks.
Yonghe Zhao is a Software Dev Engineer in the Paranoids group at Yahoo. He is responsible for designing, implementing, testing, deploying, and maintaining security-related software systems at Yahoo. He uses Go, AWS, Ansible, Docker, Kubernetes, and PostgreSQL in his daily work.