The software supply chain has emerged as a major target for cyberattacks in recent years, as evidenced by major incidents like SolarWinds and Log4Shell. To understand how IT teams can get ahead of supply chain threats, I spoke with two founders of Chainguard – Ville Aikas and Kim Lewandowski – at BlackHat 2023. While at Google, Aikas and Lewandowski were co-creators of two very popular open-source technologies (Sigstore and SLSA, aka “Salsa”).
Supply chain attacks have driven home the risks of third-party software dependencies. But as Chainguard’s founders explained, solutions like Sigstore and the SLSA framework are bringing discipline to securing code provenance and integrity.
Sigstore, an open standard for cryptographically signing software artifacts, is becoming ubiquitous for verifying component authenticity. Chainguard bakes Sigstore into its build pipelines so customers gain trusted provenance “for free” without changing their workflows.
The SLSA framework, pioneered at Google, provides prescriptive security criteria focused on verifying build environments and processes. By producing SLSA attestations, Chainguard lets users validate images that meet stringent SLSA levels, ensuring they have not been tampered with.
Sigstore and SLSA solve fundamental challenges that previously made supply chain security daunting:
- Provenance: Sigstore signatures cryptographically assert who built the components and that they have not been modified since.
- Build integrity: SLSA attestations certify that hardened environments and secure workflows were used to build the software.
- Automation: Sigstore signatures and SLSA attestations are generated automatically as a byproduct of Chainguard’s pipelines.
- Portability: Sigstore signatures and SLSA attestations travel with the software, so its integrity can be validated wherever it runs.
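The provenance and portability points above come down to a consumer checking an attestation before trusting an artifact. The Go program below is an added example, not code from the interview or from Chainguard, Sigstore or SLSA: it verifies a SLSA provenance statement delivered in a DSSE envelope (the envelope format Sigstore attestations use) and then enforces the two questions a consumer cares about, whether the attestation covers the exact image digest being pulled and whether it was produced by a builder the consumer trusts. It assumes a plain Ed25519 key standing in for Sigstore’s certificate-based keyless signing, and the builder id and digest are hypothetical values supplied by the caller.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Fields of an in-toto Statement carrying SLSA provenance that the consumer policy reads.
type Statement struct {
	Subject       []struct{ Digest map[string]string `json:"digest"` }              `json:"subject"`
	PredicateType string                                                            `json:"predicateType"`
	Predicate     struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"predicate"`
}
// Envelope is the DSSE envelope the statement is distributed in: base64 payload plus signatures.
type Envelope struct {
	PayloadType string                            `json:"payloadType"`
	Payload     string                            `json:"payload"`
	Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"`
}
const SLSAv1 = "https://slsa.dev/provenance/v1"
// pae is DSSE's pre-authentication encoding: the signature covers these bytes, binding the payload type.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}
// Verify checks the envelope signature, then the policy a consumer enforces before admitting
// an image: the attestation names this exact digest and was produced by the trusted builder.
// pub stands in for the trusted builder's key (Sigstore would use a certificate instead).
func Verify(pub ed25519.PublicKey, env Envelope, wantSHA, wantBuilder string) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	signed := false
	for _, s := range env.Signatures { // DSSE: one valid signature from a trusted key is enough
		sig, e := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || e == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig)
	}
	var stmt Statement
	if err != nil || !signed {
		return fmt.Errorf("undecodable payload or no valid signature on envelope")
	} else if err := json.Unmarshal(body, &stmt); err != nil {
		return err
	} else if stmt.PredicateType != SLSAv1 || stmt.Predicate.Builder.ID != wantBuilder {
		return fmt.Errorf("untrusted provenance %s from builder %q", stmt.PredicateType, stmt.Predicate.Builder.ID)
	}
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == wantSHA {
			return nil // signature, builder and digest all check out
		}
	}
	return fmt.Errorf("attestation does not cover digest %s", wantSHA)
}
```

Note that the signature check happens over the PAE bytes, never over the decoded JSON, and that a valid signature alone is not enough: an attestation signed by an untrusted builder, or one that names a different digest, is still rejected.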
By establishing ubiquitous standards, Sigstore and SLSA enable routine verification of the origin and integrity of software dependencies. Chainguard embodies the next stage in this evolution by baking these capabilities into turnkey solutions that developers can readily use.
The result is certainty that software components are pristine – with vulnerabilities remediated and security hardened before use. Chainguard’s founders believe this fundamentally changes the economics, reducing developer security toil while exponentially improving real-world risk reduction.
Aikas described Chainguard as automating the enormous “toil and time” of managing vulnerabilities introduced via third-party software components. Rather than an endless triage of scan results, prioritization debates, and fruitless meetings, Chainguard identifies and addresses vulnerabilities on developers’ behalf.
At the core is Chainguard’s registry of vetted container images rebuilt from scratch, with security as the top priority. Lewandowski explained that by stripping unneeded bloat, hardening configurations, and proactively patching, Chainguard images provide “secure by default” containers with no vulnerabilities out of the box.
This allows developers to simply swap out a base image from Docker Hub for a Chainguard alternative. Instantly the containers are bulletproof without any code changes. Chainguard handles everything from scans to upgrades in the background, eliminating the hassle of remediation.
But that is only part of the story. Aikas noted that understanding your software inventory is the critical first step. Chainguard’s software scanning tools deliver a complete catalog of applications and dependencies across environments. This visibility enables the enforcement of security policies and compliance standards.
Chainguard also aims to address weak build pipelines and developer toolchains. Lewandowski pointed out that organizations often have little control over how code gets built, leading to major security gaps. Through frameworks like SLSA, Chainguard bakes robust integrity checks into the inner development loop.
While challenges remain, Chainguard’s innovative approach represents meaningful progress. By easing developers’ security burden, the company moves closer to the elusive goal of “provable software” – where users can trust that third-party code meets stringent standards before being integrated. As software permeates everything, securing the supply chain is essential. Chainguard’s automation solutions offer a simpler path forward.
Innovations like Sigstore and SLSA laid the groundwork to progress from theoretical supply chain security to pragmatic solutions ready for mainstream adoption. Chainguard is poised to drive this vision forward at scale, leveraging standards to make end-to-end software integrity a reality.
In summary, Chainguard gives IT teams a comprehensive toolkit to lock down software supply chains. Built-in security scanning illuminates risks, while hardened containers proactively eliminate vulnerabilities earlier in the lifecycle. The founders envision a future where security guides development leftward by default rather than being an afterthought.