From software signing to container images to a new Linux distro, an emerging open source stack is giving developers guardrails for managing the integrity of build systems and software artifacts.
SolarWinds and Log4j were the five-alarm fires that woke the industry up to the insecurity of our software artifacts and build systems, the so-called "software supply chain security" problem. But it has been a murky landscape to navigate for the developers and security engineering teams trying to figure out the right steps to lock down their build environments.
The White House's May 2021 Executive Order on Improving the Nation's Cybersecurity called for Software Bills of Materials (SBOMs), essentially a list of ingredients for what is inside a software package, together with the attestation and disclosure processes that must be met for government technology procurement.
Despite security vendors' best efforts to whitewash their products with software supply chain security messaging, it is still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos to the heads of federal agencies merely underscore the "importance of secure software development environments" without much useful elaboration on how to get there.
But Linux, yet again, might help solve the quandary.
A tough security domain in search of best practices
History shows that developers will abide by processes that take the guesswork out of securing systems, but only if there is a clear, prescriptive path that can be followed with minimal disruption to their workflow. For example, Let's Encrypt is a certificate authority that made what was previously a confusing and burdensome area of transport layer security easy to resolve. Let's Encrypt won massive developer adoption and locked down TLS for the majority of the web in a very short period of time.
But the software supply chain security problem is far more nuanced than TLS. It touches build systems, CI/CD, programming languages and their package registries, all of the frameworks developers use, and their chains of custody. At the heart of the challenge is the ubiquity of open source software, the transitive nature of OSS frameworks shared across all the systems developers are building, and the lack of support that massively popular OSS projects often receive.
There has been a lot of throat clearing and loud proclamation about the severity of the problem. But what is a developer or security engineer actually supposed to do?
A new answer from an emerging stack
No amount of throwing money at the problem is going to solve the software supply chain security challenge or the difficulty of incentivizing OSS maintainers to do the right (secure) thing. What is needed are the right tools that put security in the hands of developers while guardrailing the process of locking down software supply chains.
In recent months, open source projects tackling key parts of this software supply chain challenge have bubbled up. A new stack is forming, and I believe we are about to see theoretical conversations about software supply chain security leapfrog into actual implementations and refinement of best practices.
SLSA (pronounced "salsa") and the Secure Software Development Framework (SSDF) are likewise seeing broad adoption as frameworks that explicitly guide the process of locking down the software supply chain. In their recent Securing the Software Supply Chain guide for developers, U.S. national security heavyweights NSA, CISA and ODNI referenced SLSA and SSDF 14 and 38 times respectively.
A new distro called Wolfi could prove to be a critical new piece of the puzzle.
Linux to the rescue, again
Dan Lorenc and Kim Lewandowski are the dynamic duo behind Sigstore, SLSA and related open source efforts that they co-created in their former roles at Google. They went on to co-found Chainguard, a startup with a mission to make the software supply chain secure by default. Today they launched the first Linux distribution purpose-built for software supply chain security: Wolfi.
Why a new distribution? What it really boils down to is that existing approaches to tracking known vulnerabilities (CVEs) have a large blind spot. Linux distributions and package managers often do not ship the most current versions of software packages, so developers frequently install applications outside of those confines. The rise of containers, and the ability to release modern applications much faster than existing distributions can, has also led to a growing number of users assembling their own Linux images. The scanners security vendors use cannot see what is in those container images if it was installed outside of the package manager or distro, and therefore miss an entire class of vulnerabilities inside them: a binary copied into /usr/local/bin or a library vendored into an application archive has no package-database entry for a scanner to match against.
Why this matters is that you obviously cannot measure the security of software artifacts you do not even know are running in your environment. That lesson was one of the big takeaways from the Log4j vulnerability that had developers and security engineers scrambling.
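To make the Log4j lesson concrete, here is the kind of query an SBOM makes possible once you actually have one. This is an added example, not code from the article or from Chainguard: the SBOM is a constructed sample in CycloneDX JSON shape, the only advisory data is the real affected range for CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1), and the version parser is a small stand-in for a proper Maven or semver comparator.

```python
"""Query a CycloneDX-style SBOM for components in a known-affected version range.

Added example (not from the article or from Chainguard). SAMPLE_SBOM is a
constructed sample, not the output of a real build.
"""
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape. The log4j-core 2.14.1 entry
# sits inside the CVE-2021-44228 affected range; 2.17.1 sits outside it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "application", "name": "nginx", "version": "1.23.1"},
    ],
})

# Component name -> list of (lowest affected, highest affected, advisory), bounds inclusive.
# CVE-2021-44228 (Log4Shell) affects log4j-core 2.0-beta9 through 2.14.1.
AFFECTED_RANGES = {
    "log4j-core": [("2.0-beta9", "2.14.1", "CVE-2021-44228")],
}


def parse_version(version: str):
    """Turn '2.0-beta9' into a sortable key. Pre-releases sort before the release
    they precede, trailing .0 segments are ignored, and pre-release tags are
    compared piecewise so beta9 < beta10. Handles Maven/semver-style strings
    with a numeric release part only; anything fancier needs a real comparator."""
    release, _, pre = version.partition("-")
    rel = [int(part) for part in release.split(".")]
    while len(rel) > 1 and rel[-1] == 0:
        rel.pop()
    # A tag like 'beta9' becomes ((1, 'beta'), (0, 9)); ints and strs never meet
    # in a comparison because the leading 0/1 marker is compared first.
    pre_key = tuple((0, int(t)) if t.isdigit() else (1, t)
                    for t in re.findall(r"[A-Za-z]+|\d+", pre))
    return (tuple(rel), 0 if pre else 1, pre_key)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check on parsed version keys."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_affected(sbom_json: str):
    """Return [(purl or name@version, advisory)] for every component whose
    version falls inside a known-affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        name, ver = comp.get("name"), comp.get("version")
        if not name or not ver:
            continue  # an entry with no version cannot be matched to a range
        for low, high, advisory in AFFECTED_RANGES.get(name, []):
            if in_range(ver, low, high):
                hits.append((comp.get("purl") or f"{name}@{ver}", advisory))
    return hits


if __name__ == "__main__":
    for ident, advisory in find_affected(SAMPLE_SBOM):
        print(f"{ident}: affected by {advisory}")
```

The query is only as good as the inventory: it answers "is the affected log4j-core in this artifact?" in milliseconds, but only if the SBOM was generated from what was actually built. A vendored JAR or a hand-copied binary that never went through the package manager is exactly what an after-the-fact scan, and an after-the-fact SBOM, will miss.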
Wolfi aims to fix this. Wolfi is an "undistribution" that Chainguard has built from source, with SBOMs and signatures carried every step of the way from the upstream packages to the final container images. By using Wolfi, Chainguard argues, developers do not have to rely on binary analysis scans, and SBOMs are created when software gets built, not after the fact.
Earlier this year, Chainguard announced Chainguard Images, the first distroless container base images designed for a secure software supply chain. Chainguard Images are continuously updated base container images that aim for zero known vulnerabilities. With Wolfi, they have created a community Linux undistribution built with default security measures for the software supply chain. It ships today with base images for standalone binaries, applications like nginx, and development tooling like Go and C compilers.
Why an undistro? According to Chainguard: “Containers are immutable by nature (so no upgrades/downgrades are required) and the kernel is provided by the host (simplifying package managers even further). To put it simply, distros were not designed for the way software is built today.”
What this stack could mean for shift-left security
In the early 2000s, the rise of the LAMP stack (Linux, Apache, MySQL, and Perl, PHP or Python) was a major catalyst for the advent of modern web applications, giving developers a stable and familiar set of tools that led to one of the biggest waves of innovation the tech industry has seen.
The current evolution around the software supply chain security stack has a similar vibe. We know security has been steadily shifting left to developers, and we know more guardrails need to exist to help developers help themselves bring more security into their build environments, but it has been a very confusing space to decipher.
Disclosure: I work for MongoDB however the views expressed herein are mine.