
Software supply chain security tools take on toil for users

Recent updates from software supply chain security vendors take over vulnerability management on behalf of IT organizations outright, rather than providing tools that help those organizations do it themselves.

A fresh crop of software supply chain security tools has focused on eliminating vulnerabilities at their source rather than on detection and patching after they're deployed, as enterprises seek a more pragmatic alternative to remediation.

Hardened container images, for example, strip out common components that applications might not need, which are typically shipped with standard open source packages and can carry vulnerabilities.

Docker Inc. introduced its own Hardened Images this month, a set of curated application containers from partners including Microsoft, NGINX, Sonatype, GitLab, Wiz, Grype, Neo4j, JFrog, Sysdig and Cloudsmith. Multiple updates over the last three months from Chainguard, which established the market for hardened images, expanded on the concept to cover further aspects of enterprise infrastructure with hardened VMs. Chainguard also introduced hardened language libraries, applications and individual container image layers that are faster and easier to deploy.


Cloudsmith, a Docker and Chainguard partner, is focused on an adjacent area in software supply chain security. It serves as a secure artifact repository that competes with vendors such as JFrog and Sonatype. But it also beefed up its container security tools in April with features that can prevent vulnerable containers from running in production, including pre-deployment scans and image signing.

"Rather than relying solely on the detection and remediation of vulnerabilities, enterprises are increasingly investing in preventive strategies," Katie Norton, an analyst at IDC, stated in a May report on hardened images.

Hardening images easier said than done

Hardening container images and open source libraries, with their many interconnected dependencies, is a complex undertaking, especially when it must be repeated consistently across frequent upstream changes. Hence, vendors including Chainguard, Docker, Cloudsmith, Wiz, Lineaje and others are shouldering the burden, providing hardened images, libraries and artifact repositories as a service rather than tools for end users to harden images themselves.


Other advanced practices in software supply chain security, from analyzing software bills of materials (SBOMs) to provenance attestation and digital signing, remain aspirational for many enterprises. But eliminating the toil associated with repeatedly hardening and remediating vulnerabilities in common open source components offers clear, quick ROI at companies such as MAN Energy Solutions SE, a German manufacturer of large diesel engines. MAN Energy uses Chainguard containers and plans to consider adding Chainguard's hardened Python libraries, introduced this month in early access.

"Our main focus here is to try and make it as easy for developers to follow best practices as we can," said Carsten Skov, senior DevOps engineer at MAN Energy. "All the software we do is internal -- we don't ship it off, we have SaaS. So the SBOM part would be really nice down the road, but for now, it's mostly a question of living up to our compliance certifications, and, of course, being secure."

MAN Energy's regulatory compliance dictates a tight schedule for remediating critical and high-severity CVEs within three days and seven days, respectively. About 18 months ago, Skov began looking for a way to bypass the continual vulnerability remediation work developers were doing, which is when he found Chainguard images. So far, he estimates the company has saved at least one or two developers' worth of work each month by eliminating this labor.
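To make the three-day and seven-day windows concrete, here is an added example, not from the article or from any vendor it names, of the kind of pre-deployment gate a scan-then-sign pipeline can apply: it normalizes a scan report, ages each critical and high finding against its remediation window, and refuses to deploy an image that carries an overdue finding. The report layout, image names, package names, CVE identifiers and dates are all constructed for the example and do not follow any particular scanner's schema.

```python
"""Deployment gate driven by CVE remediation SLAs (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Remediation windows from the compliance regime described in the article:
# critical CVEs within 3 days, high-severity CVEs within 7 days.
SLA_DAYS = {"critical": 3, "high": 7}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str            # normalized to lowercase
    first_seen: date         # date the scanner first reported this CVE for the image
    fixed_version: Optional[str]


def parse_report(report: Dict) -> List[Finding]:
    """Normalize a scan report into Finding objects.

    The 'matches' list with nested 'vulnerability' and 'artifact' objects is a
    constructed, simplified shape, not any real scanner's exact output format.
    """
    findings = []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        findings.append(Finding(
            cve=vuln["id"],
            package=artifact["name"],
            severity=vuln["severity"].lower(),
            first_seen=date.fromisoformat(match["first_seen"]),
            fixed_version=vuln.get("fixed_version"),
        ))
    return findings


def evaluate(findings: List[Finding], today: date) -> Dict:
    """Block deployment if any SLA-bound finding has outlived its window.

    Returns the decision plus the overdue CVEs and, for findings still inside
    their window, how many days remain before they would block the image.
    """
    overdue: List[str] = []
    pending: List[Tuple[str, int]] = []
    for f in findings:
        window = SLA_DAYS.get(f.severity)
        if window is None:
            continue  # medium/low carry no deadline under this policy
        age_days = (today - f.first_seen).days
        if age_days > window:
            overdue.append(f.cve)
        else:
            pending.append((f.cve, window - age_days))
    return {"allow": not overdue, "overdue": sorted(overdue), "pending": sorted(pending)}


def gate(report: Dict, today: date) -> Dict:
    """Convenience wrapper: parse a report and evaluate it as of a given day."""
    return evaluate(parse_report(report), today)


def _match(cve: str, severity: str, package: str, first_seen: str, fixed: Optional[str]) -> Dict:
    return {"vulnerability": {"id": cve, "severity": severity, "fixed_version": fixed},
            "artifact": {"name": package}, "first_seen": first_seen}


# Constructed report for a service built on a standard (unhardened) base image.
# CVE identifiers are placeholders, not real advisories.
STANDARD_IMAGE_REPORT = {
    "image": "example.internal/analytics-service:1.4.2",
    "matches": [
        _match("CVE-0000-0001", "Critical", "libexample-a", "2025-06-05", "2.9.1"),  # 5 days old
        _match("CVE-0000-0002", "High",     "libexample-b", "2025-06-05", "1.3.0"),  # 5 days old
        _match("CVE-0000-0003", "High",     "libexample-c", "2025-06-01", None),     # 9 days old
        _match("CVE-0000-0004", "Medium",   "libexample-d", "2025-05-01", "0.8.2"),  # no SLA
        _match("CVE-0000-0005", "Critical", "libexample-e", "2025-06-09", "4.0.1"),  # 1 day old
    ],
}

# Constructed report for the same service rebuilt on a hardened base image that
# no longer ships the components carrying the critical/high findings.
HARDENED_IMAGE_REPORT = {
    "image": "example.internal/analytics-service:1.4.3",
    "matches": [
        _match("CVE-0000-0004", "Medium", "libexample-d", "2025-05-01", "0.8.2"),
    ],
}


if __name__ == "__main__":
    as_of = date(2025, 6, 10)  # constructed evaluation date
    for report in (STANDARD_IMAGE_REPORT, HARDENED_IMAGE_REPORT):
        decision = gate(report, as_of)
        verdict = "ALLOW" if decision["allow"] else "BLOCK"
        print(f"{report['image']}: {verdict} overdue={decision['overdue']} pending={decision['pending']}")
```

Run as a script, the standard image is blocked because the critical finding is five days old and one high finding is nine days old, while the hardened rebuild is allowed. In a real pipeline the gate would run on the scanner's actual output after the image is built and before it is signed and pushed, so that only images passing policy ever carry a signature the cluster will admit.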

Skov said hardened Python libraries could help the company keep up with changes to upstream components used in its data science applications, which tend to be updated more frequently than their base container images.

"We have hundreds of analytics services, each service is a container, and if there is a general vulnerability in the desktop Python image, we have to rebuild the whole thing and change all the analytics services," Skov said. "While we can do a lot of it with automation, it's still a huge effort."

Ounce of prevention: Cloudsmith hosts secure artifacts

Cloudsmith takes a different, artifact-based approach to software supply chain security, but there are features of its platform that could serve as alternatives to hardened images in blocking upstream vulnerabilities from reaching production, Norton said in a March 27 report.

"Tools from Sonatype, JFrog, and Cloudsmith focus on policy enforcement, dependency firewalls and artifact lifecycle management to control how open source is consumed," according to that report. "Veracode is likely to deliver a product in this space via its acquisition of Phylum."

Cloudsmith also emphasizes artifact management as a service rather than as a DIY project, intending to be "The GitHub for binaries," according to its CEO, Glenn Weinstein, in an interview with Informa TechTarget in February. "The same way Artifactory is, the same way Nexus is. We just think we do it better, and then it provides a platform on top of which you can deliver advanced software supply chain security."

Eventually, Cloudsmith's goal is not to secure the supply chain but to replace it for all its customers' upstream artifacts, Weinstein said. It hosts these artifacts in 600 points of presence globally and caches them locally for quick delivery.

"The idea of individual public registries running on their own infrastructure is an antiquated notion," Weinstein said. "For example, PyPI is run by the Python Foundation on their own infrastructure, separate from what Microsoft [GitHub] is doing to host npmjs, which is separate from Sonatype hosting Maven Central. They're all scattered all around the world. Eventually, they're all going to come to Cloudsmith, or a platform like ours."

One Cloudsmith customer, Minneapolis-based financial services company Thrivent, hasn't quite reached that state of global centralization on the SaaS platform. It does, however, welcome the opportunity to offload artifact management for cloud native apps with it, according to Jason Walker, vice president and engineer at the company.

"Moving away from an on-premises tool had a couple of specific benefits," Walker wrote in an email to Informa TechTarget in early May. "We could address stability issues that were causing interruptions in software delivery and reduce engineering effort for upgrades, especially with more software delivery patterns emerging around cloud-native applications."

Migrating to SaaS has had its challenges, Walker said, such as maintaining internet connectivity, but Cloudsmith has provided an easy onboarding path that software delivery teams can consume "in small bites," and has reduced the administrative overhead of managing artifacts in multiple languages.

"We're not looking at how we can replace every distribution of an artifact with Cloudsmith today -- for example, changing how we deliver Linux packages for operating system/image management is a future discussion," he added. "To digitally sign and authenticate artifacts … we want to incorporate an open standard that is gaining traction, like Cosign, and [further] reduce the onboarding effort for our engineers."

Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps.
