How Guidewire Cloud Platform Is Using And Collaborating With GUAC
INDUSTRY
Insurance | Software / Cloud Platform
ABOUT
- Listed on the NYSE as GWRE; based in San Mateo, California
- Employs the largest research and development team in its industry
- Guidewire Cloud Platform (GWCP) runs more than 10,000 workloads of insurance suite applications
- Guidewire solutions are used by more than 540 insurers in 40 countries globally
KEY CHALLENGES
- Trace and trust running applications
- Robust security evidence for compliance and auditing
- Enforce deployment-gating security policies
- Protect against attacks and threats throughout the software supply chain
- View trends and analytics across projects
VALUED OUTCOMES
- Flexible architecture that integrates with Guidewire’s platform and other software
- Trace every step of a running application – from build to production
- Meet security/compliance requirements for internal teams and pass that along as an advantage for customers
Guidewire is the platform that property and casualty insurers trust to engage, innovate, and grow efficiently. Combining digital, core, analytics, and machine learning, they deliver the Guidewire Cloud Platform (GWCP) and many other solutions that are used by more than 540 insurers in 40 countries around the world.
Guidewire has more than 10,000 workloads on its Guidewire Cloud Platform, or GWCP, running insurance suite applications in the cloud. GWCP is a platform as a service (PaaS) built on Kubernetes that enables Guidewire enterprise customers to enter the market faster with a competitive level of scalability and elasticity, plus the added benefit of traceability and compliance for software supply chain security. For GWCP, a secure software supply chain is paramount because it is designed to host Guidewire customers’ insurance suite applications in the cloud.
Scaling and Securing the Supply Chain
Anoop Gopalakrishnan, Guidewire’s VP of Engineering, vividly recalls the Log4Shell incident in 2021. Although the Guidewire engineering team handled the crisis with speed and ingenuity, it is not a scenario anyone wants to relive. Countless hours and sleepless nights were required to address each customer’s unique setup. First, a temporary fix was rolled out as quickly as possible through the Guidewire Cloud Platform. Most of the time, however, was spent identifying where the permanent fix needed to go.
According to Anoop, “The challenge was identifying where the issue was for each customer and their unique system. Plus, finding out who was moving towards a patch was very difficult to coordinate.”
As Guidewire increased in market share and onboarded more customers to the platform, Anoop and the engineering team began to build a more robust mechanism to provide evidence of security to their own compliance and auditing teams, which was in turn immensely valuable for their customers.
They focused on the following priorities:
- How can we trace a running application down to all the steps that led up to its deployment in production?
- How do we demonstrate the contents of a platform’s running component, including the commits and third-party libraries it uses?
- How can we trust the trace graph?
- How can we empower our teams to enforce policies that can act as a gate to deny deployments to the platform based on specific libraries or their versions?
- How can we visualize the various trends across projects/teams and provide an analytic center to encourage better practices?
- How can we keep ourselves and our customers safe from man-in-the-middle attacks, supply chain poisoning, and software counterfeiting?
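The deployment-gating priority above (deny a deployment based on specific libraries or their versions) can be illustrated with a small SBOM check. This is an added example, not Guidewire’s or GUAC’s code: the CycloneDX-style SBOM, the denied package and the version threshold are constructed for illustration.

```python
"""Deployment gate over an SBOM: deny the deploy when a component's version
is below the minimum a policy allows. Illustrative example only; the SBOM
and the policy threshold below are constructed, not advisory data."""
import json
import re

# Constructed CycloneDX-style SBOM containing only the fields the gate reads.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"purl": "pkg:maven/org.springframework.boot/spring-boot@3.1.4"},
        {"purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed policy: versionless purl -> lowest version allowed to deploy.
# The threshold is an illustrative policy choice made for this example.
POLICY = {"pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1"}

# purl = "<type>/<namespace>/<name>@<version>[?qualifiers][#subpath]"
PURL_RE = re.compile(r"^(?P<name>pkg:[^@]+)@(?P<version>[^?#]+)")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Non-numeric parts compare as 0 so that a
    qualifier such as '2.14.x' can never sort above a real release."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def evaluate(sbom_json, policy):
    """Return a list of (purl, reason) denials for one SBOM.
    A component without a parseable purl is denied: the gate fails closed."""
    denials = []
    for comp in json.loads(sbom_json).get("components", []):
        match = PURL_RE.match(comp.get("purl", ""))
        if not match:
            denials.append((comp.get("purl"), "missing or unparseable purl"))
            continue
        minimum = policy.get(match["name"])
        if minimum and parse_version(match["version"]) < parse_version(minimum):
            denials.append((match.group(0), f"below minimum version {minimum}"))
    return denials


def gate(sbom_json, policy):
    """Deployment decision: 'allow' only when no policy rule fires."""
    return "deny" if evaluate(sbom_json, policy) else "allow"
```

In the sample SBOM only the log4j-core entry trips the rule, so the decision is "deny"; re-running with that component at the threshold version yields "allow".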
When searching for a solution, Anoop admits that he initially set out to build his own, inspired by the various secure software supply chain papers and research done in the area. And yet, he knew the open source community could hold a solution that his team could get started with immediately and build upon, tailoring it to their needs.
Turning to the Open Source Security Community
To prepare for the future, Anoop looked to the open source software (OSS) community. From his experience contributing to and using Spring Boot and other tech, he knew it was resourceful, quick, and brilliant at addressing nuanced, modern software problems. And he was right. The GUAC community of developers and engineers had developed an intelligent software supply chain security tool that would set Guidewire up for success.
“Going back to the Log4Shell example, GUAC would have helped us identify where the vulnerability was, trace the fix process, and share that information with customers much more efficiently and effectively,” said Anoop.
“When I found Parth Patel, a GUAC maintainer, and the GUAC community, I reached out to see how development was going. Were they active? Were they interested in working with an external group to tailor this solution to our particular needs? These questions would provide critical feedback to me and allow me to consider whether it would be the right choice for us,” says Anoop.
Parth and Anoop hit it off, sharing each team’s goals, needs, and roadmap. The two teams meet monthly to discuss progress, needs, open PRs, and feedback. This allows GUAC and Guidewire to participate in a symbiotic relationship, proving what open source software can offer.
“The advantage we see with GUAC is its flexibility and plugin architecture, which helps users achieve SLSA compliance at different levels,” says Anoop. “Being a platform as a service, we are generating a lot of secure, immutable artifacts like SBOMs, attestations, and provenance from different parts of the platform. We extend GUAC to our custom solution, which helps us to ingest, collate, and present the information in a consumable format for our internal teams as customers.”
Guidewire also aims to create a policy engine on top of GUAC for their internal team as well as their enterprise customers in the cloud. This will enable everyone to go from ideation to production as fast and securely as possible.
“To us, the biggest value is GUAC’s open nature and the community behind it. We are pleased to be aligned with a tool backed by Google, Kusari and other engineers with many years of experience and expertise in this industry,” says Anoop.
Threats Continue, Proactive Security is Key
Sitting at the forefront of the software supply chain industry by way of maintaining a cloud platform, Anoop predicts supply chain threats will become more complex as the industry progresses.
In addition, Anoop expects the following areas of secure software development to draw increasing focus:
- Using AI/ML to detect and mitigate threats and to adapt as new ones emerge, freeing up scarce resources to focus on more strategic threats
- Bringing transparency to the entire software supply chain and a greater emphasis on bills of materials of various kinds, like Hardware BOMs, Environment BOMs, etc., while Software BOMs still take up the majority of the mindshare
- Collaborating within the organization with a focus on efficient data flow and transparency in the security process, which will encourage more shift-left practices
- Software lifecycle-oriented approaches for detecting privacy concerns in code using static analysis
- Awareness and demand for provenance and attestations from vendors of software across the board
According to Anoop, “Our approach is to be pragmatic and at the same time involve ourselves with standards that can benefit many companies in these areas. This is what brought us to become more involved in the GUAC community. We continue researching these areas with our teams with the intention of bringing value to our customers and the Guidewire community at large.”
Anoop hopes to collaborate with like-minded institutions to build open source frameworks and tools with the same goal.
Today, the Guidewire engineering team is in the development phase with GUAC. They look forward to maturing into the production phase, bringing GWCP the added compliance and dependency management capabilities while mitigating risks like another Log4Shell incident.
Learn More About GUAC
Graph for Understanding Artifact Composition, or GUAC, ingests and leverages metadata like Software Bill of Materials (SBOMs), SLSA attestations, and more to map out relationships between software components, enabling users to fully understand their software security position, and take appropriate, accurate action. See the latest releases, documentation and videos on GUAC’s architecture and how it works.