From software signing, to container images, to a new Linux distro, an emerging OSS stack is giving developers guardrails for managing the integrity of build systems and software artifacts.
SolarWinds and Log4j were the five-alarm fires that woke the industry up to the insecurity of our software artifacts and build systems — the so-called "software supply chain security" problem. But it has been a murky landscape to navigate for the developers and security engineering teams that are trying to figure out the right steps to lock down their build environments.
The White House's May 2021 Executive Order on Improving the Nation's Cybersecurity foretold the arrival of Software Bills of Materials (SBOMs): essentially an inventory of the components inside a software package, backed by attestation and disclosure requirements that must be met for government technology procurement.
Despite the security vendors' best efforts to whitewash their products with software supply chain security language, it is still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos to the heads of federal agencies simply underscore the "importance of secure software development environments" without much useful elaboration on how to get there.
But Linux, yet again, may help solve the quandary.
A challenging security area in search of best practices
History shows that developers will abide by processes that take the guesswork out of securing systems, but only if there is a clear and prescriptive path that can be followed with minimal disruption to their workflow. For example, Let's Encrypt is a certificate authority that made what was previously a confusing and burdensome area, transport layer security, easy to get right by automating certificate issuance and renewal. Let's Encrypt got massive developer adoption and locked down TLS for the majority of the web in a very short period of time.
But the software supply chain security problem is much more nuanced than TLS. It touches build systems, CI/CD, programming languages and their package registries, all of the frameworks that developers use, and the chains of custody for each of them. At the heart of this challenge is the ubiquity of open source software, the transitive nature of OSS dependencies being shared across all of the systems that developers are building, and the lack of support that massively popular OSS projects typically receive.
There has been a lot of throat clearing and loud proclamation about the severity of the problem. But what is a developer or security engineer actually supposed to do?
A new answer from an emerging stack
No amount of throwing money at the problem is going to solve this software supply chain security challenge, or the difficulty of incentivizing OSS maintainers to do the right (secure) thing. What is needed are the right tools that put security into the hands of developers, while guardrailing the process of locking down software supply chains.
In recent months, open source projects tackling key aspects of this software supply chain challenge have bubbled up. A new stack is forming, and I believe we are about to see theoretical conversations about software supply chain security leapfrog into real implementations and refinement of best practices.
SLSA (pronounced "salsa") and the Secure Software Development Framework (SSDF) are likewise seeing wide adoption as frameworks that explicitly guide the process of locking down the software supply chain. In their recent guide for developers, Securing the Software Supply Chain, US national security heavyweights NSA, CISA and ODNI referenced SLSA and SSDF 14 and 38 times respectively.
A new distro called Wolfi may prove to be a critical new piece of the puzzle.
Linux to the rescue, again
Dan Lorenc and Kim Lewandowski are the dynamic duo behind Sigstore, SLSA and related open source efforts that they co-created in their former roles at Google. With a mission to make the software supply chain secure by default, they co-founded the startup Chainguard. Today they launched the first Linux distribution purpose-built for software supply chain security: Wolfi.
Why a new distribution? What it really boils down to is that current approaches to tracking Common Vulnerabilities and Exposures (CVEs) have a huge blind spot. Linux distributions and package managers often do not distribute the most current versions of software packages, so developers frequently install applications outside of those confines. The rise of containers, and the ability to release modern applications much faster than existing distributions move, has also led to an increasing number of users assembling their own Linux userland inside container images rather than relying on a distro to do it. The scanners that security vendors use work from the package manager's database; software that was copied into a container image outside of the package manager or distro is invisible to them, and so they miss a whole class of vulnerabilities inside those images.
This matters because you obviously cannot measure the security of software artifacts that you do not even know are running in your environment — that lesson was one of the big outputs of the Log4j vulnerability that had developers and security engineers scrambling.
Wolfi aims to fix this. Wolfi is an "undistribution" that Chainguard has built from source, with SBOMs, signatures and provenance recorded at every step of the way from the upstream packages to the final container images. By using Wolfi, Chainguard argues, developers do not have to rely on after-the-fact binary analysis scans, because the SBOM is created when the software is built, not reconstructed later.
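The blind spot described above, and the reason a build-time SBOM is preferable to a scan, can be shown concretely. The following is an added example (not code from the article, from Chainguard or from Wolfi): it reads the apk package database that Alpine-style distros, Wolfi included, keep at lib/apk/db/installed inside the image, derives the package list a scanner would see and the set of files those packages own, and then walks the rootfs to report executables that no package claims. The package names, versions and file tree are constructed for illustration.

```python
"""Added example: find executables in a container rootfs that the apk
package database knows nothing about. Package names, versions and the
sample rootfs below are constructed, not taken from any real image."""
import os
import stat
import tempfile

# Constructed apk "installed" database. Records are blank-line separated;
# P: is the package name, V: its version, F: starts a directory (relative
# to /) and each following R: is a file inside that directory.
SAMPLE_APK_DB = """\
P:busybox
V:1.36.1-r0
F:bin
R:busybox
R:sh
F:etc
R:securetty

P:ca-certificates-bundle
V:20230506-r0
F:etc/ssl/certs
R:ca-certificates.crt
"""


def parse_apk_db(text):
    """Return ({package: version}, {absolute paths owned by some package})."""
    packages, owned = {}, set()
    name = version = current_dir = None
    for line in text.splitlines():
        if not line:                       # end of one package record
            if name:
                packages[name] = version
            name = version = current_dir = None
            continue
        key, _, value = line.partition(":")
        if key == "P":
            name = value
        elif key == "V":
            version = value
        elif key == "F":
            current_dir = "/" + value.strip("/")
            owned.add(current_dir)
        elif key == "R" and current_dir is not None:
            owned.add(f"{current_dir}/{value}")
    if name:                               # flush a record with no trailing blank line
        packages[name] = version
    return packages, owned


def is_executable_file(path):
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def find_unmanaged_executables(rootfs):
    """Executables under rootfs that no apk package claims (sorted paths)."""
    with open(os.path.join(rootfs, "lib", "apk", "db", "installed")) as fh:
        _, owned = parse_apk_db(fh.read())
    unmanaged = []
    for dirpath, _, filenames in os.walk(rootfs):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = "/" + os.path.relpath(full, rootfs).replace(os.sep, "/")
            if rel not in owned and is_executable_file(full):
                unmanaged.append(rel)
    return sorted(unmanaged)


def build_sample_rootfs():
    """Create a constructed rootfs in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")

    def put(rel, content=b"", mode=0o644):
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)

    put("/lib/apk/db/installed", SAMPLE_APK_DB.encode())
    put("/bin/busybox", b"\x7fELF", 0o755)                     # owned by busybox
    put("/bin/sh", b"\x7fELF", 0o755)                          # owned by busybox
    put("/etc/securetty", b"console\n")
    put("/etc/ssl/certs/ca-certificates.crt", b"-----BEGIN CERTIFICATE-----\n")
    # Dropped in by a "curl | sh" style install step; apk never recorded them.
    put("/usr/local/bin/helper", b"\x7fELF", 0o755)
    put("/opt/app/run.sh", b"#!/bin/sh\n", 0o755)
    return root


if __name__ == "__main__":
    root = build_sample_rootfs()
    packages, _ = parse_apk_db(SAMPLE_APK_DB)
    print("packages a database-driven scanner would see:", packages)
    print("executables it would never see:", find_unmanaged_executables(root))
```

A database-driven scanner reports busybox and ca-certificates-bundle and stops there; the two executables under /usr/local/bin and /opt are exactly the software it cannot assess. Building every file from a package, as Wolfi does, closes that gap at the source, because nothing lands in the image without a record that an SBOM can be generated from.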
Earlier this year, Chainguard announced Chainguard Images, the first distroless container base images designed for a secure software supply chain. Chainguard Images are continuously updated base container images that aim for zero known vulnerabilities. With Wolfi, they have created a community Linux undistribution built with default security measures for the software supply chain — it ships today with base images for stand-alone binaries, applications like nginx, and development tooling like Go and C compilers.
Why an undistro? According to Chainguard: "Containers are immutable by nature (so no upgrades/downgrades are required) and the kernel is provided by the host (simplifying package managers even further). To put it simply, distros weren't designed for the way software is built today."
What this stack could mean for shift-left security
In the early 2000s, the rise of the LAMP stack — Linux, Apache, MySQL and PHP (or Perl, or Python) — was a major catalyst for the arrival of modern web applications, giving developers a stable and familiar set of tools that led to one of the largest waves of innovation the tech industry has seen.
The evolution we are now seeing around the software supply chain security stack has a similar feel to it. We know that security has been steadily shifting left to developers, and we know that more guardrails need to exist to help developers bring more security into their build environments themselves, but it has been a very confusing area to decipher.
Disclosure: I work for MongoDB, but the views expressed herein are mine.