Software supply chain security gets its first Linux distro, Wolfi
From software signing, to container images, to a new Linux distro, an emerging OSS stack is giving developers guardrails for managing the integrity of build systems and software artifacts.
SolarWinds and Log4j were the five-alarm fires that woke the industry up to the insecurity of our software artifacts and build systems — the so-called “software supply chain security” problem. But it’s been a murky landscape to navigate for the developers and security engineering teams that are trying to figure out the actual steps to lock down their build environments.
The White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity foretold the arrival of Software Bills of Materials, essentially a list of ingredients of what’s inside a software package that will establish attestation and disclosure processes that must be met for government technology procurement.
Despite all the security vendors’ best efforts to whitewash their products around software supply chain security, it’s still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos out to the heads of federal agencies merely underscore the “importance of secure software development environments” without much useful elaboration on how to get there.
But Linux, yet again, could help solve the quandary.
A tricky security domain in search of best practices
History shows that developers will abide by processes that take the guesswork out of securing systems, but only if there is a clear and prescriptive path that can be followed with minimal disruption to their workflow. For example, Let’s Encrypt is a certificate authority that made what was previously a confusing and burdensome arena in transport layer security easy to solve. Let’s Encrypt received massive developer adoption and locked down TLS for the majority of the web in a very short period of time.
But this software supply chain security problem is much more nuanced than TLS. It touches build systems, CI/CD, programming languages and their registries, all the frameworks that developers use and their chains of custody. At the heart of this challenge is the ubiquity of open source software, the transitive nature of OSS frameworks being shared across all of the systems that developers are building and the lack of support that massively popular OSS projects typically receive.
There’s been a lot of throat clearing and loud proclamations about the severity of the problem. But what is a developer or security engineer actually supposed to do?
A new answer from an emerging stack
There is no amount of throwing money at the problem that is going to solve this software supply chain security challenge and the complexity of incentivizing OSS maintainers to do the right (secure) thing. What’s needed are the right tools that put security into the hands of developers, all while guardrailing the process of locking down software supply chains.
In recent months, open source projects tackling key aspects of this software supply chain challenge have bubbled up. A new stack is forming, and I believe we are about to see theoretical conversations about software supply chain security leapfrog into actual implementations and refinement of best practices.
First, Sigstore, an open source project with origins at Google, focused on software signing and roots of trust for artifacts, has become the de facto method that all three of the top programming language registries are officially using. GitHub recently announced it is using Sigstore for JavaScript’s npm packages, Python is using Sigstore for its PyPI registry, and Java is using Sigstore for Maven. Earlier this summer, Kubernetes also shipped with Sigstore.
Second, SLSA — pronounced “Salsa” — and the Secure Software Development Framework are similarly experiencing massive adoption as frameworks that explicitly guide the process of locking down software supply chain security. In their recent report, Securing the Software Supply Chain guide for developers, U.S. national security heavyweights NSA, CISA and ODNI referenced SLSA and SSDF 14 and 38 times respectively.
A new distro called Wolfi could prove to be a critical new piece of the puzzle.
Linux to the rescue, again
Dan Lorenc and Kim Lewandowski are the dynamic duo behind Sigstore, SLSA and related open source efforts that they co-created in their formal roles at Google. With a mission to make the software supply chain secure by default at the startup, they co-founded Chainguard. Today they launched the first Linux distribution purpose-built for software supply chain security: Wolfi.
Why a new distribution? What it really boils down to is that current approaches to critical vulnerabilities and exposures have a huge blind spot. Linux distributions and package managers often do not distribute the most current versions of software packages, and developers are frequently installing applications outside of these confines. The rise of containers and the ability to release modern applications much faster than existing distributions has also led to an increasing number of users hosting their own Linux kernel. The scanners that security vendors use cannot find these container images if they were installed outside of the package managers or distros, and therefore miss a whole class of vulnerabilities inside of them.
Why this matters is that you obviously can’t measure the security of software artifacts that you don’t even know are running in your environment — that lesson was one of the big outputs of the Log4j vulnerability that had developers and security engineers scrambling.
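The blind spot described above, as an added example that is not part of the original article: a scanner that trusts only the package database cannot attribute files placed in an image by other means. The apk-style record layout (P:, V:, F:, R: fields) is an assumption chosen for illustration, and every package name, version and path below is constructed sample data.

```python
# Added illustration: compare what the package database claims to own against
# what is actually on disk. All records and paths are constructed sample data.

APK_INSTALLED = """\
P:busybox
V:1.35.0-r17
F:bin
R:busybox

P:nginx
V:1.22.0-r1
F:usr/sbin
R:nginx
F:etc/nginx
R:nginx.conf
"""

# Constructed file listing of the image's filesystem.
IMAGE_FILES = [
    "/bin/busybox",
    "/usr/sbin/nginx",
    "/etc/nginx/nginx.conf",
    "/opt/app/lib/log4j-core.jar",   # copied in at build time, no package record
    "/usr/local/bin/custom-agent",   # fetched by a build script
]


def parse_installed(text):
    """Map each owned file path to (package, version) from apk-style records."""
    owned, pkg, ver, directory = {}, None, None, ""
    for line in text.splitlines():
        if not line.strip():          # blank line ends a package record
            pkg, ver, directory = None, None, ""
            continue
        key, _, value = line.partition(":")
        if key == "P":
            pkg = value
        elif key == "V":
            ver = value
        elif key == "F":              # directory for the R: lines that follow
            directory = value.strip("/")
        elif key == "R" and pkg:
            parts = [p for p in (directory, value) if p]
            owned["/" + "/".join(parts)] = (pkg, ver)
    return owned


def unowned_files(installed_text, files):
    """Return files present in the image that no package record claims."""
    owned = parse_installed(installed_text)
    return sorted(f for f in files if f not in owned)
```

A database-only scanner would report busybox and nginx here; `unowned_files(APK_INSTALLED, IMAGE_FILES)` lists the two artifacts it has no record of.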
Wolfi aims to fix this. Wolfi is an undistribution that Chainguard has built from source, with SBOMs, signatures and compliance at every step of the way, from the upstream packages to the final container images. By using Wolfi, Chainguard argues, developers don’t have to do binary analysis scans, and SBOMs are created when software gets built, not after the fact.
Earlier this year, Chainguard announced Chainguard Images, the first distroless container base images designed for a secure software supply chain. Chainguard Images are continuously updated base container images that aim for zero-known vulnerabilities. With Wolfi, they have created a community Linux undistribution built with default security measures for the software supply chain — it ships today with base images for stand-alone binaries, applications like nginx and development tooling like Go and C compilers.
Why an undistro? According to Chainguard: “Containers are immutable by nature (so no upgrades/downgrades are required) and the kernel is provided by the host (simplifying package managers even further). To put it simply, distros were not designed for the way software is built today.”
What this stack could mean for shift-left security
In the early 2000s, the rise of the LAMP stack — Linux, Apache, MySQL, Perl and Python — was a major catalyst to the advent of modern web applications, giving developers a stable and familiar set of tools that led to one of the biggest waves of innovation the tech industry has seen.
This current evolution we’re seeing around the software supply chain security stack has a similar vibe to it. We know that security has been steadily shifting left to developers, we know that more guardrails need to exist to help developers help themselves bring more security into their build environments, but it’s been a very confusing domain to decipher.
Disclosure: I work for MongoDB but the views expressed herein are mine.