Sigstore Sets Out to Secure Cloud-Native Supply Chain – Container Journal

Open source software (OSS) is pervasive — 90% of companies are now using OSS. But this reliance is a double-edged sword. Amid rising software supply chain attacks, we’re witnessing the fragility of open source projects upon which the world now depends.
To secure the cloud-native software supply chain, major industry and government bodies are now collaborating to protect these core projects. For example, OpenSSF, under the auspices of the Linux Foundation, recently met with The White House to disseminate best practices. This momentum follows a presidential executive order on improving the nation’s cybersecurity.
One aspect of this larger mission will be verifying the provenance of all open source dependencies. This is where Sigstore comes in: it is an open source project for digitally signing open source packages and verifying their authenticity. While Sigstore can be broadly applied to any open source software, cloud-native applications will be among the first. Sigstore was recently introduced in the Kubernetes 1.24 release and is seeing adoption in other popular cloud-native projects as well.
I recently met with Dan Lorenc, founder and CEO of Chainguard. Chainguard, one of the companies backing Sigstore, is calling on the industry to standardize on Sigstore for digital signatures. According to Lorenc, Sigstore has the potential to significantly improve how we sign and verify digital artifacts.
Sigstore is similar to automated transport layer security (TLS) but for signing open source packages, explains Lorenc. It’s an open source project to help developers adopt cryptographic software signing for their software. With the protocol, developers can log in to obtain a certificate for free. Sigstore takes the pain out of signing management and can be integrated into most build systems, says Lorenc, meaning developers can automate the signature process when releasing software.
So, how does Sigstore work? Sigstore uses a handful of standalone open source projects to get the job done. First, developers authenticate with OpenID Connect to obtain a certificate issued by the Fulcio certificate authority. Fulcio publishes the certificate to the Rekor transparency log, and developers then publish their signed artifacts. Finally, end users can find or download signed artifacts and validate them against the transparency log to prove their authenticity.
Sigstore is versatile enough for signing all sorts of software types, from container images to tarballs and compiled binaries. The project also has its sights set on integrating with popular package managers such as PyPI and RubyGems.
In addition to its inclusion in the K8s 1.24 release, Lorenc foresees Sigstore becoming a standard applied within other cloud-native technology. For example, Cosign, another open source project under the Sigstore umbrella, can be used to sign, verify and store a container image signature within an OCI-compliant registry. From WebAssembly to Helm charts, there are many key areas where the cloud-native development sphere could strategically use Sigstore.
Sigstore could even be used for manifest signing for software bills of materials (SBOMs). SBOMs require a software producer to spell out their product's internal makeup, similar to the ingredients on a food label. Signing an SBOM with Sigstore could help ensure the software has been verified and not tampered with along the way. “The two, when combined, do a good job of solving the big picture of getting more transparency in the supply chain,” says Lorenc.
Sigstore will likely complement other ongoing initiatives, such as Google’s SLSA, which provides automatic mechanisms to sign artifacts along the software supply chain. While SLSA is a critical part of security and integrity, says Lorenc, you “still can have a garbage in/garbage out problem.” Insecure credential management on the build systems leaves a loophole or back door wide open. Thus, we need to ensure the build systems themselves are secure and apply basic security principles, he says.
While the National Institute of Standards and Technology (NIST) has yet to mandate the use of Sigstore, it could emerge as a compliance requirement in the future or, at least, as a corporate standard in the short term. “We hope that Sigstore pops out as the obvious choice,” says Lorenc. To support the Sigstore initiative, the Linux Foundation is actively assembling funding from both private and government bodies.
Sigstore began at the end of 2020 and launched out of a networking group in OpenSSF. At the time, the contributors were studying how package managers were verifying and signing releases and found a cobbled-together implementation across the board, says Lorenc.
Lorenc compares the state of things to HTTPS before automated TLS was made possible. The way cryptographic signatures used to work is that a certificate authority vendor would issue a web certificate to place on a web server to prove you owned a domain. The burden then became renewing your certificates whenever they expired.
Let’s Encrypt, from the non-profit Internet Security Research Group (ISRG), then sought to fully automate this process by letting anyone generate a certificate to display in their DNS records. By opening this capability for all to use, TLS use skyrocketed from 25% in 2013 to 81% in 2022. (Now, it’s pretty rare to see that pop-up warning of an untrustworthy site.)
Much in the same way Let’s Encrypt quickly automated TLS certificate issuance for the web, an open standard for automated signing could quickly verify the provenance of critical open source packages. “Sigstore aims to make software signing ubiquitous, in much the same way that LetsEncrypt made X.509 certificates for TLS commonplace,” writes Luke Hinds, Security Engineering Lead, Red Hat.
Wired recently described Sigstore as the “John Hancock and wax seal of the digital era.” Now, its inclusion in Kubernetes could signal increased adoption of Sigstore throughout the cloud-native stack. The project also comes at a time when proving the authenticity of the supply chain is critical to avoid malicious action.
Interestingly, over 80% of enterprises think it’s important for the security tools they use to be built upon open source software. This substantiates the viability of open standards for security.
The community around Sigstore is moving fast in the wake of recent attacks, Lorenc explains, with expansion quickly occurring into language ecosystems and package managers. According to Lorenc, the model is proven to work; the goal now is to standardize these APIs and encourage adoption.
Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.