Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
The contemporary software supply chain is made up of the many components that go into developing it: People, processes, dependencies, tools.
This goes far beyond application code — typically the main focus of existing DevSecOps tools.
Thus, today’s increasingly complex software supply chain requires a whole new security method. The quandary, though, is that many organizations struggle to not only secure their software supply chains — but to identify them.
“The challenge of securing the software supply chain is significant and complex for virtually every organization,” said Katie Norton, IDC senior research analyst for devops and DevSecOps. “And, the many entry points into the software supply chain constitute a significant risk that has gone unaccounted for in many organizations.”
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
A new approach
To address the growing issue, Chainguard today announced Wolfi, a new community Linux (un)distribution. It combines aspects of existing container base images with default security measures that will include software signatures powered by Sigstore, provenance and software bills of material (SBOMs).
The company is also announcing Chainguard Academy, the first free, open source and interactive educational platform designed for software supply chain security. Additionally, its Chainguard Enforce platform is now generally available.
“One of the biggest threats to securing the software supply chain is the way that we build software today,” said Dan Lorenc, Chainguard founder and CEO. “The tools we use to build software were not designed for the speed and scale of its use, which results in clunky architecture that is easy for bad actors to exploit or tamper with.”
Governments around the world are asking questions and demanding guarantees in software. And while vendors — both existing and new — are providing tools, they fail to address the deeper problem: “The need for a fundamental shift in the way software is built,” said Lorenc.
But first: Identifying the software supply chain
The latest IBM 2022 Cost of a Data Breach Report provided one of the first analyses of supply chain security, revealing that nearly one-fifth of organizations were breached due to a software supply chain compromise.
One of the biggest hurdles: Simply recognizing and identifying all the different ways bad actors can exploit the software supply chain, said Norton.
When people say “software supply chain security,” they often think of exploiting open-source software vulnerabilities such as Log4Shell. But this is only part of the attack surface.
A few supply chain attack vectors Norton identified include misconfigurations and hard-coded secrets in infrastructure-as-code (IaC) and misconfiguration in the CI/CD pipeline that can expose sensitive information or can be used as an entry point for malicious activity. Another threat is compromised developer credentials, often the result of poor governance or failure to apply least-privilege principles.
Then there are hacking tools and techniques that are readily available on the web. “Advanced skills are not requisite for someone to breach your company’s software supply chain,” said Norton.
The good news is that, with increased instances of exploits — and, with them, growing awareness — the software supply chain market is “an evolving domain” with new competitors constantly entering the space, she said.
Building in security from the start
As Lorenc explained, most of today’s workloads run on containers and distros were designed for an earlier era. This, coupled with new supply chain security risks, has exposed major gaps when running containers.
For example, container images tend to lag behind upstream updates, meaning users are installing packages manually or outside package managers and running images with known vulnerabilities, he said. Many container images have no provenance information, making it difficult to verify where they came from or if someone has tampered with them. Naturally, this increases the attack surface.
“The only way to solve these problems is to build a distribution designed for container/cloud native environments,” said Lorenc.
Wolfi is a container-specific distribution that can “vastly simplify” the process by dropping support for traditional — and often irrelevant — distribution features, he said. It also allows developers to grasp the immutable nature of containers and avoid package updates altogether, instead rebuilding from scratch with new versions.
“The reality is that software has vulnerabilities and that will never change,” said Lorenc. “And to begin to improve software supply chain security, we must begin where development begins — with developers — and provide tools that make the development lifecycle secure by default, from build to production.”
The requirements of a modern software supply chain
Wolfi enables purpose-built Chainguard images that are designed with minimal components to help reduce an enterprise’s attack surface and generate SBOMs at the time of development, said Lorenc. It is completely reproducible by default, meaning every package can be rebuilt from Chainguard’s source code.
“This means a user will get the same package,” he said. It also allows developers to build images that are, “tamper-proof and trusted.”
The company is producing an SBOM at the start of building software — not after the fact, he pointed out. The base is secure by default, scales to support organizations running massive environments, and provides the control needed to fix most modern supply chain threats.
“Reverse engineering SBOMs isn’t going to work and will defeat the purpose of them before they can even be used effectively,” said Lorenc. “Wolfi helps to address this problem.”
Chainguard Enforce is also now generally available. The supply chain risk management platform was launched as an early access program in April. It now includes new features such as “agentless” mode, a re-designed user interface with security metrics, SOC2 Type 1 certification, curated security policies and alerting and integrations with CloudEvents, OPA Gatekeeper and Styra, Terraform provider and Vault.
A more holistic view
All told, organizations should “look more holistically” at software supply chain security, said Norton.
“Focusing only one dimension of the software supply chain is both unscalable and inadequate,” she said. “All the software supply chain attack vectors are interrelated and interdependent.”
So, in addition to securing independent components of their applications, organizations should lock and guard all digital entry points into their software factories.
“Securing only one attack entry point is the equivalent of locking the front door of your house while leaving the back door open,” said Norton.
Organizations must find comprehensive tools that provide protection across the software development lifecycle. Established DevSecOps and application security testing vendors are increasingly incorporating software supply chain security into their larger platforms, so organizations should look to their current partners to understand their capabilities, she said. At the same time, the rapidly growing number of startups attacking this challenge should not be overlooked.
Going forward, guidance and regulations from the U.S. government — such as Biden’s Executive Order on Improving the Nation’s Cybersecurity, guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget memos — will continue to be incredibly powerful forces. She credits these as a “significant contributor to how rapidly software supply chain security has become top of mind.”
“It’s not only software suppliers that sell to the government that are going to be impacted — there will be downstream impacts,” said Norton. “As more software suppliers adopt these standards, non-governmental organizations will expect the same due diligence.”
Education is critical
Further exacerbating the supply chain security issue is a lack of comprehensive education, said Lisa Tagliaferri, Chainguard’s head of developer education. This is a barrier to wider adoption of software supply chain security recommendations, and is due to an “ever-changing technical landscape” and a lack of open-source tooling like Sigstore.
This prompted Chainguard Academy, which provides free educational resources and recommended practices for software supply chain security tooling.
“A driving force behind our effort was to provide software engineers and technology leaders the resources they need to be able to identify, mitigate and fix software vulnerabilities through tools and solutions that allow them to address security early and often across their development lifecycle,” said Tagliaferri.
The Academy builds on the company’s previous educational efforts, including Securing Your Software Supply Chain with Sigstore course in partnership with the Linux Foundation and edX.
Developers using Chainguard Academy will also be able to work with Sigstore and distroless container images directly from their browsers through an interactive sandbox terminal.
“We believe that a key part of making the software supply chain secure by default is to help close this skills gap,” said Tagliaferri. “To achieve this goal, it was important that we kept critical educational resources open to everyone because we all have to do our part to help solve the software supply chain security problem.”