TL;DR: Open source software comprises 90% of all the software we depend on, so securing and investing in open source is key to making the software supply chain secure by default. Chainguard is heavily involved in various branches of open source software security.
There are so many things happening, it’s hard to summarize in a small paragraph. We made this post scannable, so you can quickly jump to your favorite open source project and get the latest updates.
The three following Chainguardians are leading the way on various committees and boards:
Our Chainguardians gave five talks at CloudNativeSecurityCon in Seattle, Feb 1 – 2. All the recordings are available via the following links:
Eddie Zaneski, and co-speaker Leigh Capili, hosted a workshop on GitOps - Collaborating at Organizational Scale at the SCaLE 20x event, the 20th Annual Southern California Linux Expo on March 9 in Pasadena.
We have a new Chainguardian on our team, Erin Rose Glass—a researcher and educator who strives for software freedom. She recently gave a keynote talk about the topic at Libre Planet, March 18 – 19, in Boston.
Software Bill of Materials (SBOM) is the fundamental building block for supply chain security. We want to make SBOMs useful and ubiquitous. In February, Adolfo García Veytia helped host the SBOM Devroom at FOSDEM. There were lots of amazing talks on real-world SBOM usage. Watch Adolfo’s talk: The 7 key ingredients of a great SBOM.
SBOMs are even more powerful when we combine them with better vulnerability data. At the end of January, we announced that we wanted to accelerate Vulnerability Exploitability eXchange (VEX) adoption through the OpenVEX specification. Adolfo "Puerco" García Veytia presented OpenVEX to the VEX Working Group hosted by CISA. Dan Lorenc presented how OpenVEX addresses CVE false positives at a recent meeting of the OpenSSF Vulnerability Management group.
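To show the false-positive mechanism in practice, here is an added example (not code from the post or from the OpenVEX project) that applies a constructed OpenVEX document to constructed scanner findings; it assumes the OpenVEX 0.2.0 JSON field names, and all CVE ids, purls and the author are made up.

```python
import json

# Constructed OpenVEX document in the OpenVEX 0.2.0 JSON shape (an assumption about the
# spec's field names; the CVE ids, purls and author are made up for this example).
OPENVEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/demo-1",
  "author": "Example Image Maintainers",
  "timestamp": "2023-03-20T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2023-99991"},
     "products": [{"@id": "pkg:apk/example/libfoo@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2023-99992"},
     "products": [{"@id": "pkg:apk/example/libbar@2.0.0"}],
     "status": "under_investigation"}
  ]
}""")

# Constructed scanner output: (CVE id, package purl) pairs as a scanner would report them.
SCANNER_FINDINGS = [
    ("CVE-2023-99991", "pkg:apk/example/libfoo@1.2.3"),  # covered by a not_affected statement
    ("CVE-2023-99992", "pkg:apk/example/libbar@2.0.0"),  # still under investigation
    ("CVE-2023-99993", "pkg:apk/example/libbaz@0.9.0"),  # no VEX statement at all
]

# Statuses that let a consumer drop a finding; "affected" and "under_investigation" stay open.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def _vuln_name(statement):
    # OpenVEX 0.2.0 nests the id under "vulnerability.name"; the earlier draft used a bare string.
    vuln = statement["vulnerability"]
    return vuln["name"] if isinstance(vuln, dict) else vuln


def _product_ids(statement):
    return {p["@id"] if isinstance(p, dict) else p for p in statement.get("products", [])}


def triage(findings, vex_doc):
    """Return the findings still actionable after applying the VEX statements.

    A finding is dropped only when a statement names the same CVE *and* the same product
    and carries a suppressing status; a not_affected statement without a justification
    or impact_statement is treated as invalid and ignored rather than trusted.
    """
    suppressed = set()
    for st in vex_doc["statements"]:
        if st["status"] not in SUPPRESSING_STATUSES:
            continue
        if st["status"] == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            continue
        suppressed.update((_vuln_name(st), pid) for pid in _product_ids(st))
    return [f for f in findings if f not in suppressed]
```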
Chainguard Labs continues to train the spotlight on the SBOM quality problem. The OpenSSF published a blog post by John Speed Meyers with a summary of the research to date: How to Make High-Quality SBOMs.
Wolfi is a secure container “un-distribution” that enables us to build secure-by-default base images. Secure base images are images that are signed, include reliable build-time SBOMs, and target zero known CVEs. Jason Hall gave a great talk on how Wolfi achieves this at the latest Wolfi community call.
Sigstore’s Cosign 2.0 was released in February. Our favorite part of the release is not having to set the COSIGN_EXPERIMENTAL flag anymore! 🚩 Driving this initiative were many great folks across the community, including Chainguardians Priya Wadhwa, Zachary Newman, and Hector Fernandez.
There are many Sigstore talks given by the community; here’s the latest from FOSDEM by James Strong and Lewis Denham-Parry: What Does Rugby Have To Do With Sigstore?
In February, the SLSA v1.0 Release Candidate was announced; you can submit feedback by reporting an issue before March 24, 2023. We also conducted a SLSA Git Audit and published our findings in a report earlier this month.
In 2022, we conducted a software supply chain security survey with three open source foundations (the Eclipse Foundation, the Rust Foundation, and the Open Source Security Foundation (OpenSSF)), and we published the results last week:
If you’re interested in learning more about the findings or how to implement the SLSA framework, join the virtual discussion on March 22, 2023, from 11 AM-12 PM ET. Register and join here.
Open Source Hot Topics 🔥
Open source is constantly evolving and addressing challenges. Eddie Zaneski was featured in this article on “How to ensure open source longevity”, pointing out that companies benefiting from using open source technologies should also be committing time back to those projects. We at Chainguard aim to practice what we preach, including being one of the top contributors to Kubernetes and regularly helping releases make it out the door.
As we also help drive for clarity on the relationship between open source and securing the software supply chain, Ariadne Conill wrote this topical blog post: Understanding the relationship between FOSS and the “software supply chain”. In the post, Ariadne highlights how FOSS maintainers are not and should not be considered software suppliers.
Ariadne goes on to say, “But to agree that FOSS maintainers are not suppliers does mean that consumers are wrong to ask for FOSS that can be trusted. It’s just that software distributions, not maintainers themselves, ought to be the ‘supplier,’ the party that’s held responsible.”
To truly make the supply chain secure by default we have to take into account the complex sociotechnical systems at play. Ariadne’s post is recommended reading for anyone working in this space.
Meet the Chainguardians at KubeCon + CloudNativeCon Europe, April 18 – 21 in Amsterdam.
Wednesday, April 19
Thursday, April 20
Friday, April 21
Learn how to make your supply chain secure by default at Chainguard Academy — a free and extensive supply chain security resource!