Securing the Software Supply Chain: Chainguard Builds on Foundational Innovation
Automation, simplicity, and making robust supply chain security a seamless default for developers is the next evolution of software supply chain security.
The software supply chain has emerged as a prime target for cyberattacks in recent years, as the SolarWinds build-pipeline compromise and the Log4Shell vulnerability in a near-ubiquitous dependency made plain. To understand how IT teams can get ahead of supply chain threats, I spoke with two of Chainguard's founders, Ville Aikas and Kim Lewandowski, at Black Hat 2023. While at Google, Aikas and Lewandowski were co-creators of two widely adopted open-source projects, Sigstore and SLSA (pronounced "salsa").
Supply chain attacks have driven home the risks of third-party software dependencies. But as Chainguard's founders explained, solutions like Sigstore and the SLSA framework are bringing discipline to securing code provenance and integrity.
Sigstore, an open-source project for cryptographically signing software artifacts (keyless signing tied to an OIDC identity, with every signature recorded in a public transparency log), is fast becoming the standard way to verify component authenticity. Chainguard bakes Sigstore into its build pipelines so customers gain trusted provenance "for free" without changing workflows.
The SLSA framework, pioneered at Google, provides prescriptive criteria for securing build environments and processes, graded into levels. By generating SLSA provenance attestations for every build, Chainguard lets users check that an image was produced by the expected builder from the expected source at a stated SLSA level, rather than trusting a registry tag alone.
Sigstore and SLSA solve fundamental challenges that previously made supply chain security daunting:
- Provenance: a Sigstore signature binds an artifact's digest to the identity that signed it, so a consumer can check who produced the component and that it has not been modified since.
- Build integrity: SLSA provenance attestations record which builder, source, and build steps produced the artifact, so a verifier can confirm that a hardened, policy-approved pipeline assembled it.
- Automation: Sigstore signatures and SLSA attestations are generated automatically as a byproduct of Chainguard's pipelines, not bolted on afterward.
- Portability: signatures and attestations are stored alongside the artifact (for container images, in the same OCI registry), so they can be verified wherever the software is pulled and run.
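To make concrete what "validating" a provenance attestation involves, here is an added example (my own, not Chainguard's or Sigstore's code) that checks a SLSA v1 provenance statement, wrapped in a DSSE envelope, against a deployment policy: a valid signature over the DSSE pre-authentication encoding, a subject digest equal to the image being deployed, a trusted builder id, and a build from an approved, commit-pinned source repository. The image digest, the statement, the builder and repository names, and the policy itself are constructed for the example; the HMAC stands in for the ECDSA signature and Fulcio certificate that cosign verifies, an assumption made so the example needs only the Python standard library.

```python
"""Check a SLSA v1 provenance attestation in a DSSE envelope against a policy.

Added example, not Chainguard's or Sigstore's code. Envelope and statement are
constructed inline so the check runs offline; an HMAC stands in for the ECDSA
signature cosign would verify (assumption: shared secret instead of a key pair).
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

DEMO_KEY = b"demo-key-not-for-production"  # assumption: stands in for the signer's private key

# Constructed sample: digest of the image we are about to deploy.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed image manifest").hexdigest()

# Hypothetical deployment policy: which builders and source repositories we accept.
POLICY = {
    "trusted_builders": {"https://build.example.com/builder/v1"},
    "source_repo": "git+https://github.com/example/app",
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed.
    Binding type and lengths into the signed message stops a signed blob from
    being presented as a different kind of document."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_statement(image_digest: str) -> dict:
    """An in-toto Statement whose predicate is SLSA v1 provenance (constructed sample)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "cgr.dev/example/app",
                     "digest": {"sha256": image_digest.split(":", 1)[-1]}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/buildtypes/container/v1",
                "externalParameters": {"dockerfile": "Dockerfile"},
                "resolvedDependencies": [
                    {"uri": "git+https://github.com/example/app@refs/heads/main",
                     "digest": {"gitCommit": "a" * 40}},
                ],
            },
            "runDetails": {"builder": {"id": "https://build.example.com/builder/v1"}},
        },
    }


def sign_envelope(statement: dict, key: bytes = DEMO_KEY) -> dict:
    """Wrap a statement in a DSSE envelope and sign the PAE of its payload."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}],
    }


def verify_provenance(envelope: dict, image_digest: str, policy: dict,
                      key: bytes = DEMO_KEY) -> list:
    """Return the list of policy violations; an empty list means the image is accepted."""
    payload_type = envelope.get("payloadType")
    if payload_type != PAYLOAD_TYPE:
        return ["unexpected payloadType %r" % payload_type]
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s.get("sig", "")), expected)
               for s in envelope.get("signatures", [])):
        # Stop here: nothing inside an unsigned or altered payload can be trusted.
        return ["no valid signature over the DSSE envelope"]

    stmt = json.loads(payload)
    problems = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 Statement")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append("predicate is not SLSA v1 provenance")
    # Subject binding: the attestation must name the exact digest being deployed,
    # otherwise a genuine attestation for some other image could be replayed.
    digest = image_digest.split(":", 1)[-1]
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        problems.append("subject digest does not match the image being verified")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append("untrusted builder %r" % builder)
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    source = [d for d in deps if d.get("uri", "").startswith(policy["source_repo"])]
    if not source:
        problems.append("provenance does not record a build from the approved source repository")
    elif not any(d.get("digest", {}).get("gitCommit") for d in source):
        problems.append("source is not pinned to a git commit")
    return problems


def tampered(envelope: dict) -> dict:
    """Simulate an attacker rewriting the builder id inside an already-signed envelope."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["runDetails"]["builder"]["id"] = "https://attacker.example/builder"
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(json.dumps(stmt, separators=(",", ":")).encode()).decode()
    return forged


GOOD_ENVELOPE = sign_envelope(make_statement(IMAGE_DIGEST))

if __name__ == "__main__":
    print("genuine:    ", verify_provenance(GOOD_ENVELOPE, IMAGE_DIGEST, POLICY))
    print("wrong image:", verify_provenance(GOOD_ENVELOPE, "sha256:" + "ab" * 32, POLICY))
    print("tampered:   ", verify_provenance(tampered(GOOD_ENVELOPE), IMAGE_DIGEST, POLICY))
```

With real Chainguard images the signature and attestation checks are done by `cosign verify` and `cosign verify-attestation`, which additionally validate the signing certificate's identity and its entry in the Rekor transparency log; the policy step shown here, deciding which builder id and source repository to trust, is what the operator still has to supply, and it is the step that turns a signed attestation into an actual admission decision.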
By establishing ubiquitous standards, Sigstore and SLSA enable routine verification of the origin and integrity of software dependencies. Chainguard embodies the next stage in this evolution by baking these capabilities into turnkey solutions developers can readily use.
The result is far greater confidence that software components are what they claim to be, with known vulnerabilities remediated and configurations hardened before use. Chainguard's founders believe this fundamentally changes the economics, reducing developer security toil while sharply improving real-world risk reduction.
Aikas described Chainguard as automating the huge "toil and time" of managing vulnerabilities introduced via third-party software components. Rather than an endless triage of scan results, prioritization debates, and fruitless meetings, Chainguard identifies and addresses vulnerabilities on developers' behalf.
At the core is Chainguard's registry of vetted container images rebuilt from scratch, with security as the top priority. Lewandowski explained that by stripping unneeded bloat, hardening configurations, and proactively patching, Chainguard images provide "secure by default" containers with no vulnerabilities out of the box.
This allows developers to swap a base image from Docker Hub for a Chainguard alternative and shed the base image's known vulnerabilities without touching application code; Chainguard handles scanning and upgrades in the background, removing most of the remediation hassle. Two caveats a practitioner should plan for: the swap does nothing for vulnerabilities in the application's own code and dependencies, and because Chainguard's runtime images are stripped down (minimal packages, often no shell or package manager, a non-root default user), a Dockerfile that relies on those conveniences may need adjustment.
But that's only part of the story. Aikas noted that understanding your software inventory is the critical first step. Chainguard's software scanning tools deliver a complete catalog of applications and dependencies across environments. This visibility enables the enforcement of security policies and compliance standards.
Chainguard also aims to address vulnerable build pipelines and developer toolchains. Lewandowski pointed out that organizations often have little control over how code gets built, leading to major security gaps. Through frameworks like SLSA, Chainguard bakes robust integrity checks into the inner development loop.
While challenges remain, Chainguard's innovative approach represents meaningful progress. By easing developers' security burden, the company moves closer to the elusive goal of "provable software" – where users can trust that third-party code meets stringent standards before being integrated. As software permeates everything, securing the supply chain is imperative. Chainguard's automation solutions offer a simpler path forward.
Innovations like Sigstore and SLSA laid the groundwork to progress from theoretical supply chain security to pragmatic solutions ready for mainstream adoption. Chainguard is poised to drive this vision forward at scale, leveraging standards to make end-to-end software integrity a reality.
In summary, Chainguard gives IT teams a comprehensive toolkit to lock down software supply chains. Built-in security scanning illuminates risks, while hardened containers eliminate known vulnerabilities earlier in the lifecycle. The founders envision a future where security shifts left by default rather than being an afterthought.