Spurred by alarming incidents like Russia's 2017 NotPetya malware attack and the Kremlin's 2020 SolarWinds cyberespionage campaign, both of which began by poisoning the wells from which software is distributed, organizations around the world are scrambling to get a handle on software supply chain security. In general, and for open source software in particular, a stronger defense starts with knowing what software you are actually running, with a crucial emphasis on listing every small piece that makes up the whole and verifying that each piece is what it should be. That way, when you pack a box of heirloom software and stash it on a shelf, you will know there hasn't been a live microphone or a Tupperware full of rotten eggs sitting in the box for years.
Building a system that generates an inventory of what is inside every box in every basement and garage is a big undertaking, but a new tool from security firm Chainguard aims to do just that for the software "containers" that underpin virtually all digital services today.
On Thursday, Chainguard launched a Linux distribution called Wolfi, designed specifically for the way digital systems are actually built today in the cloud. Most consumers don't use Linux, the famous open source operating system, on their personal computers. (If they do, they don't necessarily know it, as is the case with Android, which is built on a modified version of Linux.) But the open source operating system is widely used in servers and cloud infrastructure around the world, in part because it can be deployed in such flexible ways. Unlike the operating systems of Microsoft and Apple, where your only choice is whichever flavor of ice cream they release, Linux's open nature lets developers create all sorts of flavors, called "distributions," to match specific needs and cravings. But the developers at Chainguard, who have worked on open source software for many years, including on other Linux distributions, felt that an important flavor was missing.
"What we did was build a distribution that we felt would work well for businesses looking to seriously tackle supply chain security," said Chainguard principal engineer Ariadne Conill. "Different distributions have different pieces of software that they include; they are curated collections of software. By starting with a Linux distro that gets everything right from the start, it's a huge advantage for software developers to get their own stuff."
Think of software containers like a house built out of shipping containers. Everything you need to live is in there, and you can pick up the container house and move it wherever it needs to be. If an operating system is like the appliances, wiring, plumbing, and other infrastructure in a container house, then Wolfi is that infrastructure, reviewed and pre-inventoried to ensure the security of everything in your container house. Wolfi is designed to work seamlessly with other Chainguard tools that help developers securely build and add software to their containers. In other words, it's simple to declare furniture and personal belongings and add them to your household inventory. That way, if your home is broken into, it's easier to determine what happened and how. And if you want to move abroad, you will have a detailed declaration to show customs.
Adolfo García, a software engineer at Chainguard, said: "It's exactly the same thing with software as it is with physical goods. There may be contraband or counterfeit goods that people are trying to hide and slip in. As for software, if you don't have the ability to gather information at build time, you're going to be missing a lot of it."