|Wolfi Linux (Un)Distribution Secures The Software Supply Chain|
|Written by Nikos Vaggalis|
|Thursday, 22 September 2022|
Chainguard, the co-creator of Sigstore, has just launched Wolfi, a community Linux (un)distribution that is built with the default security measures necessary for securing the software supply chain.
The push for software supply chain integrity and transparency has left organizations struggling to build in software security measures like signatures, provenance, and SBOMs to legacy systems and existing Linux distributions. To that end, Sigstore is good but requires manual labor. There must be a better way of utilizing its facilities.
And what better than package all the work in an immutable container? Chainguard’s new Linux (un)distribution and build toolchain, Wolfi, is doing exactly that. It produces container images that meet the requirements of the secure software supply chain; that is images already provided with signing and sensible defaults.
Sensible defaults is certainly an answer to writing secure code. I discussed this notion when covering Semgrep, a tool that searches through code for flaws where plain regexes fall flat and using Static Application Security Testing would be overkill. Semgrep works by enforcing sensible defaults. Why is this important?
In a 2020 blog post, The future of AppSec and why I joined r2c, cybersec expert, Clint Gibler suggests that:
It’s impossible to find every bug, no matter how advanced your tools are.
Instead he argues the way forward is:
to build secure-by-default libraries and tools that developers can use to prevent entire classes of vulnerabilities by construction, and then make sure developers use them.This is what forward-thinking security teams at companies like Google, Microsoft, Facebook, Netflix, Dropbox, and more believe and have been investing in for years.
Modern web frameworks like Django, Ruby on Rails, and others have a number of secure defaults and built-in guardrails that make potentially dangerous tasks safe by default, including context sensitive output encoding (prevent XSS), tight integration with object relational mappers (prevent SQL injection), and more. In my and many others’ opinions, this is why overall web security has improved, not all of the fancy bug finding tools we’ve built.
Gibler's conclusion is that:
The future of AppSec is a one-two punch of secure defaults + lightweight enforcement of those defaults.
This "default-oriented" approach is now coming to container images near you thanks to Wolfi. The defaults it enforces on container images are:
These defaults address the following issues arising from running containers:
By tackling them, Wolfi gives developers the secure-by-default base they need to build software.
But what does the 'un' in (un)distribution mean? Wolfi is not a full Linux distribution designed to run on bare metal; instead it is a stripped-down version designed for the cloud era. It doesn't include a Linux kernel but relies on the environment, such as the container runtime, to provide it.
The images created by Wolfi are produced with the minimal of components to the point of not even having a package manager. This is in order to minimize dependencies as much as possible and as such it simplifies auditing, updating and transferring images as well as reducing the potential attack surface.
Furthermore the images are signed, rebuilt daily from upstream sources and have an accompanying SBOM generated at build time. The signatures and SBOMs are stored in a transparent registry and can be queried with Sigstore's cosign tool.
Of course, tooling means nothing without documentation, training and applying it to real use cases. For that reason Chainguard, concurrent with the launch of Wolfi, is also launching the Chainguard Academy. The Academy will deliver critical educational resources at no cost for every developer to get hands-on with the software supply chain security tooling and the recommended practices. The Academy will also offer an interactive terminal sandbox where developers will be able to work with Sigstore and Wolfi-powered container images from within their browsers.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Thursday, 22 September 2022 )|