The modern software supply chain is made up of the many components that go into its creation: people, processes, dependencies, and tools.
This goes beyond application code, which is typically the primary focus of existing DevSecOps tools.
The ever-increasing software supply chain today requires a whole new security mechanism. The problem, though, is that many businesses struggle to secure their software supply chains at all.
Katie Norton, IDC senior research analyst for devops and DevSecOps, said the challenge of securing the software supply chain is significant and complex for virtually every organization. "And, the many entry points into the software supply chain constitute a significant risk that has gone unnoticed in many organizations."
A fresh approach
Chainguard has announced Wolfi, a new community Linux (un)distribution that will leverage existing container base images with standard security measures such as software signatures powered by Sigstore, and software bills of material.
The company is also announcing Chainguard Academy, the first free, open source, and interactive educational platform for software supply chain security. Additionally, the Chainguard Enforce platform is now available for purchase.
"One of the biggest threats to securing the software supply chain is the way that we build software today," said Chainguard's founder and CEO. "The tools we use to build software were not designed for the speed and scale of its use, which results in clunky architecture that is difficult for bad actors to exploit or manipulate."
Governments around the world are asking questions and demanding assurances in software. Yet while vendors — both existing and new — are posing solutions, they fail to address the root issue: "Software must undergo a significant transformation," according to Lorenc.
But first, we need to identify the software supply chain.
The most recent IBM 2022 Cost of a Data Breach Report included one of the first statistics on supply chain security, revealing that almost one-fifth of businesses were breached due to a software supply chain breach.
Norton addresses one of the biggest challenges: simply recognizing and identifying all the various ways bad actors may exploit the software supply chain.
When people refer to "software supply chain security," they often refer to open-source software vulnerabilities such as Log4Shell. However, this is only a part of the threat surface.
Norton identified a few supply chain attack vectors, including infrastructure-as-code (IaC) errors and misconfigurations in the CI/CD pipeline that may reveal sensitive information or serve as an entry point for malicious activity. Another danger is the misuse of developer credentials, often due to poor governance or failure to follow least-privilege measures.
Lastly, there are web-based hacking tools and techniques that are readily available. "You do not require advanced knowledge to break into your company's software supply chain," said Norton.
The good news is that, thanks to increased exploits — and, along with them, increasing awareness — the software supply chain market is "an evolving domain," with new competitors constantly entering the market.
From the start, ensuring security is a top priority.
The majority of today's workloads run on containers and distros designed for an earlier time, which has led to significant gaps when it comes to running containers.
Container images tend to be ahead of upstream updates, meaning users are installing packages manually or outside package managers and running images with known vulnerabilities, according to the author. Many container images have no provenance information, making it difficult to verify where they came from or if someone has tampered with them. Naturally, this increases the vulnerability surface.
Lorenc believes the only way to remedy these problems is to develop a distribution suitable for container and cloud native environments.
Wolfi is a container-specific distribution that can "significantly simplify" the development process by eliminating traditional — and often irrelevant — distribution features, according to the researcher. It also allows developers to recognize the immutable nature of containers and avoid package updates altogether, rather than rebuilding from scratch with new versions.
"Software has flaws that will never be corrected," Lorenc said. "We must begin where development begins — with developers — and provide tools that make the development lifecycle secure by default, from design to production."
The essentials of a modern software supply chain
According to Lorenc, Wolfi provides purpose-built Chainguard images that are designed with minimal components to help minimize an enterprise's attack surface and generate SBOMs at the time of development. It is entirely reproducible by default, meaning every package may be rebuilt from Chainguard's source code.
"This means a user will get the same package," he added. It also allows developers to create images that are "tamper-proof and trusted."
He pointed out that the company is preparing an SBOM at the start of developing software, not after the fact. The base is secure by default, expands to support organizations operating large environments, and provides the control required to resolve most modern supply chain problems.
"Reverse engineering SBOMs isn't going to work, nor will they be effective," said Lorenc. "Wolfi helps address this challenge."
Chainguard Enforce is now widely available. It includes new features such as "agentless" mode, SOC2 Type 1 certification, curated security policies, and integrations with CloudEvents, OPA Gatekeeper, Terraform provider, and Vault.
A more holistic perspective
Norton advises organizations to "look more holistically" at software supply chain security.
"Focusing on only one component of the software supply chain is both unscalable and inadequate," she said. "All the software supply chain attack vectors are interrelated and interdependent."
Organizations should also lock and guard all digital entry points into their software factories, in addition to securing independent components of their applications.
Norton said that locking your front door while keeping the back door open is equivalent to locking the entire house.
Organizations must find robust software development solutions that protect the software development lifecycle. Established DevSecOps and application security testing companies are increasingly integrating software supply chain security into their larger platforms, so organizations should look to their current partners to understand their capabilities, according to the author.
The government of the United States will continue to provide tremendously powerful forces into the future, including Biden's Executive Order on Improving the Nation's Cybersecurity, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget memos.
Norton warns that "non-governmental organizations" will have to perform the same due diligence as software suppliers that sell to the government.
Education is critical.
Lisa Tagliaferri, Chainguard's head of developer education, believes that the supply chain security issue is further aggravated due to an ever-changing technical landscape and a lack of open-source software tools, such as Sigstore.
This prompted Chainguard Academy, which provides free educational materials and recommended practices for software supply chain security testing.
"Our goal was to provide software engineers and technology executives with the tools and solutions they need to be able to identify, mitigate, and correct software threats early and often throughout their development lifecycle," said Tagliaferri.
The academy builds on previous educational offerings, including a Securing Your Software Supply Chain with Sigstore course in partnership with the Linux Foundation and edX.
Chainguard Academy users will be able to interact with Sigstore and distroless container images directly from their browsers via an interactive sandbox terminal.
Tagliaferri believes that helping close this skill gap is critical to ensuring that all educational resources are accessible. We all must do our part to help solve the software supply chain security challenge.