Chainguard, the co-creator of Sigstore, has just launched Wolfi, a community Linux (un)distribution that is built with the default security measures necessary for securing the software supply chain.

The push for software supply chain integrity and transparency has left organizations struggling to build in software security measures like signatures, provenance, and SBOMs to legacy systems and existing Linux distributions. To that end, Sigstore is good but requires manual labor. There must be a better way of utilizing its facilities.

And what better than package all the work in an immutable container? Chainguard’s new Linux (un)distribution and build toolchain, Wolfi, is doing exactly that. It produces container images that meet the requirements of the secure software supply chain; that is images already provided with signing and sensible defaults.

Sensible defaults is certainly an answer to writing secure code. I discussed this notion when covering Semgrep, a tool that searches through code for flaws where plain regexes fall flat and using Static Application Security Testing would be overkill. Semgrep works by enforcing sensible defaults. Why is this important?

In a 2020 blog post, The future of AppSec and why I joined r2c, cybersec expert, Clint Gibler suggests that:

It’s impossible to find every bug, no matter how advanced your tools are.

Instead he argues the way forward is:

to build secure-by-default libraries and tools that developers can use to prevent entire classes of vulnerabilities by construction, and then make sure developers use them.This is what forward-thinking security teams at companies like Google, Microsoft, Facebook, Netflix, Dropbox, and more believe and have been investing in for years.

For example:

Modern web frameworks like Django, Ruby on Rails, and others have a number of secure defaults and built-in guardrails that make potentially dangerous tasks safe by default, including context sensitive output encoding (prevent XSS), tight integration with object relational mappers (prevent SQL injection), and more. In my and many others’ opinions, this is why overall web security has improved, not all of the fancy bug finding tools we’ve built.

Gibler's conclusion is that:

The future of AppSec is a one-two punch of secure defaults + lightweight enforcement of those defaults.

This "default-oriented" approach is now coming to container images near you thanks to Wolfi. The defaults it enforces on container images are:

• build-time SBOM as standard for all packages
• packages are designed to be granular and independent to support minimal images
• uses the proven and reliable APK package format
  enables fully declarative and reproducible build systems
• supports glibc and musl

These defaults address the following issues arising from running containers:

• Container images tend to lag behind upstream updates, resulting in users running images with known vulnerabilities
• The common distros used in container images also lag behind upstream versions, resulting in users installing packages manually or outside of package managers
• Container images typically contain more software than they need to, resulting in an unnecessarily increased attack surface
• Many container images have no provenance information making it difficult to verify where they came from or if someone has tampered with them
• They are typically not designed to meet compliance requirements or standards like SLSA

By tackling them, Wolfi gives developers the secure-by-default base they need to build software.

But what does the 'un' in (un)distribution mean? Wolfi is not a full Linux distribution designed to run on bare metal; instead it is a stripped-down version designed for the cloud era. It doesn't include a Linux kernel but relies on the environment, such as the container runtime, to provide it.

The images created by Wolfi are produced with the minimal of components to the point of not even having a package manager. This is in order to minimize dependencies as much as possible and as such it simplifies auditing, updating and transferring images as well as reducing the potential attack surface.

Furthermore the images are signed, rebuilt daily from upstream sources and have an accompanying SBOM generated at build time. The signatures and SBOMs are stored in a transparent registry and can be queried with Sigstore's cosign tool.

Of course, tooling means nothing without documentation, training and applying it to real use cases. For that reason Chainguard, concurrent with the launch of Wolfi, is also launching the Chainguard Academy. The Academy will deliver critical educational resources at no cost for every developer to get hands-on with the software supply chain security tooling and the recommended practices. The Academy will also offer an interactive terminal sandbox where developers will be able to work with Sigstore and Wolfi-powered container images from within their browsers.

More Information

Wolfi

Chainguard

Chainguard images

Chainguard Academy

Related Articles

Protect The Software Supply Chain With Gitsign

Securing Your Software Supply Chain With This Free Course

Semgrep - More Than Just a Glorified Grep

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info