Developer workflow for software supply chain security is in high demand


In the early days of the Internet, when there were only millions of sites (compared to 1.6 billion today), transport-layer security was not straightforward. Web developers could purchase certificates, but they were expensive, difficult to use, and poorly automated. We all remember visiting sites with no HTTPS set up and getting security warnings from our browsers.


Then Let’s Encrypt came along, made TLS free, simple, and automated – and within a few years most of the web was encrypted. Developers want to do the right thing…it just has to be simple and automatic.

Today, we see another major security challenge for developers, where nothing is easy or automatic: software supply chain security. Open source projects and vendors are rushing to fill in the gaps.

We secured production but forgot to secure the build

Log4j and the question of how to lock down software supply chain artifacts were initially oversimplified into hot takes on the broken maintainer and contributor models, as I wrote. But it’s so much more complicated than that.

“The baseline has grown for application security and infrastructure security,” said Dan Lorenc, CEO and co-founder of Chainguard. “People don’t reuse passwords everywhere. HTTPS is simple and appears on all websites. We no longer send passwords in clear text. Attackers aren’t succeeding with what they normally do, so they’re headed for the path of least resistance, which is supply chain attacks. If they’ve done a good job of protecting themselves, you can find a vendor they use, or an open source dependency, or a library, and then switch to all of their clients.”

Prior to Chainguard, Lorenc spent nine years working on the infrastructure behind Google Cloud Platform. So he has some (read: a lot of) familiarity with solving this problem.

“Google’s internal security approach was amazing. They had to go through a years-long process to create it, but they basically had a system where no one could run code without multiple people approving it, to really protect user data. At that time, in 2012 or 2013, the developers really had no root in production, and it took several people to check everything.”

But as the cloud arrived and everyone started working on containers and Kubernetes, Lorenc observed that developers in general were building on laptops or Jenkins machines under desks instead of in anything resembling a secure build environment.

“All of a sudden the state of the art was to buy a Mac Mini, spend it, then put it under your desk, install Jenkins, then build from there,” said Lorenc, who at the time was working on Project Minikube, which has become the default way to run Kubernetes on a laptop. “I would put an 80 megabyte Go binary on GitHub and everyone would download it and run it as root on their laptops, and it was frankly terrifying. And that led me down this rabbit hole of – how do we fix this?”

What is missing is a root of trust for software artifacts

Lorenc met Chainguard co-founder Kim Lewandowski at Google, and they both tackled the issue of software supply chain security through a series of open source projects they co-created and co-maintained.

“The software development and deployment supply chain is quite complicated, with numerous threats along the source ➞ build ➞ release workflow,” Lewandowski said, in a blog post describing the general absence of a toolchain for developers to lock down software artifacts. “While there are point solutions for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats in the software supply chain and provides reasonable security guarantees.”

So, Lewandowski and Lorenc decided to solve the problem via open source. Supply chain Levels for Software Artifacts (aka SLSA, pronounced “salsa”), Sigstore, Tekton, and their other open source projects focus on different layers of an ultimate zero-trust security vision for the software supply chain – where every artifact can be verifiably traced back to the source code and hardware it was built on, and by whom.

Chainguard launches Enforce

Chainguard introduced these new roots of trust in its first commercial offering, called Enforce, which it launched today, less than five months after the company secured $5 million in seed funding led by Amplify Partners.

Enforce provides a curated set of policy definitions based on open source projects such as SLSA and the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) standards.

The Enforce policy agent discovers what is running inside containers in the binary code itself, the container image. Developers can apply policies based on what the container image is, how it was created, and where it came from. And continuous verification ensures that deployed container images remain compliant with defined policies.

“We take this reverse approach where we look at what actually works rather than trying to block things at deployment time,” Lorenc said. “A lot of metadata related to software supply chains changes over time. If you only look at pre-deployment, you’re missing 90% of the problem. Because just because something had no critical vulnerabilities when you first built and deployed it doesn’t mean it still has no critical vulnerabilities three years later. So it’s really a continuous approach to the political system, rather than just a deployment approach.”

Busy times ahead for supply chain security

This software supply chain security landscape is very early and will evolve very quickly. Last year, the White House Executive Order on Improving Cybersecurity very explicitly called for the requirement of a “formal record containing supply chain details and relationships of the various components used in the software creation”.

We spent decades building software and obsessing over making production secure, but then we build (too often) on unpatched Jenkins boxes sitting under someone’s desk that nobody cares about.

A new class of open source projects and security vendors believe that your build system should be at least as secure as your production environment. And there will be a symbiotic relationship between open source projects and shielded commercial offerings like Enforce where vendors deliver a developer experience around this nuanced use case.

“Software supply chain security is quite unique,” Lorenc said. “You have a lot of different attack types that can target a lot of different points in the software lifecycle. You can’t just pick up security software, turn it on, and protect yourself from everything. I think we’re going to see a set of different open source frameworks like SLSA and SSDF being leveraged together to continue to evolve the way we lock down software supply chain security.”

Disclosure: I work for MongoDB, but the opinions expressed here are my own.