Chainguard today launched a platform that ensures only trusted container images run on Kubernetes clusters, protecting the integrity of a software supply chain.
Chainguard Enforce! is the first product from the company, which was founded by former Google employees with a long history of working on open source software security. Chainguard co-founder Kim Lewandowski says it was created to help CISOs gain control over container deployments that, in many instances, have become the security equivalent of the wild, wild west.
Company co-founder Dan Lorenc adds that Chainguard Enforce! enables IT and security teams to define, observe, distribute and enact policies that prevent unauthorized containers from being allowed to run within a DevOps workflow.
Chainguard Enforce! consists of a policy agent, build system integrations, continuous verification and an evidence lake that can be accessed via either a command-line interface (CLI) or user interface (UI). The read-only policy agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multiple clusters. It comes with a curated set of policy definitions based on the Supply-chain Levels for Software Artifacts (SLSA) framework defined by Google and the Secure Software Development Framework (SSDF) defined by the National Institute of Standards and Technology (NIST) in the U.S.
It also provides integrations for continuous integration platforms such as GitHub Actions, CircleCI, Buildkite and GitLab to establish a record of the source code used to build each container. Continuous verification ensures that deployed container images stay in compliance with defined policies. Any deviation triggers an alert that can be shared via alerting and ticketing platforms such as Slack and Jira.
Finally, the evidence lake provides access to a real-time asset inventory that provides visibility into the overall security posture of the Kubernetes application environment.
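To make the admission-policy and continuous-verification pieces concrete, here is an added example (not Chainguard's code, and not its policy schema) of the decision an admission agent makes for a workload and of the re-check a continuous-verification loop runs over an inventory of already-running workloads. The `Policy`, `Container`, `Verifier` and `Drift` names, the registry `registry.example.com` and the all-`a` digest are all constructed for the example; the `sampleVerifier` stands in for a real signature store.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a deliberately small admission policy. It is a constructed
// illustration of the kind of rule an admission agent enforces, not
// Chainguard's policy schema.
type Policy struct {
	AllowedRegistries []string // registries a cluster may pull images from
	RequireDigest     bool     // image must be pinned by @sha256: digest, not a mutable tag
	RequireSignature  bool     // image must carry a verified signature/attestation
}

// Container is the part of a workload spec the policy inspects.
type Container struct {
	Name  string
	Image string
}

// Verifier reports whether an image has a verified signature. A real agent
// would consult a signature store; it is pluggable here so the example runs offline.
type Verifier func(image string) bool

// Decision is the admission result: allowed or not, with every violation listed.
type Decision struct {
	Allowed bool
	Reasons []string
}

// registryOf extracts the registry host from an image reference. References
// with no host component (e.g. "nginx:1.25" or "library/nginx") resolve to Docker Hub.
func registryOf(image string) string {
	first := strings.SplitN(image, "/", 2)[0]
	if !strings.Contains(image, "/") ||
		(!strings.Contains(first, ".") && !strings.Contains(first, ":") && first != "localhost") {
		return "docker.io"
	}
	return first
}

// Evaluate applies the policy to every container in a workload. All containers
// are checked so the caller sees every violation at once, not only the first.
func Evaluate(p Policy, containers []Container, signed Verifier) Decision {
	var d Decision
	for _, c := range containers {
		reg := registryOf(c.Image)
		allowed := false
		for _, r := range p.AllowedRegistries {
			if reg == r {
				allowed = true
				break
			}
		}
		if !allowed {
			d.Reasons = append(d.Reasons, fmt.Sprintf("%s: registry %q not allowed", c.Name, reg))
		}
		if p.RequireDigest && !strings.Contains(c.Image, "@sha256:") {
			d.Reasons = append(d.Reasons, fmt.Sprintf("%s: image not pinned by digest", c.Name))
		}
		if p.RequireSignature && !signed(c.Image) {
			d.Reasons = append(d.Reasons, fmt.Sprintf("%s: no verified signature", c.Name))
		}
	}
	d.Allowed = len(d.Reasons) == 0
	return d
}

// Drift re-evaluates an inventory of already-running workloads against the
// current policy and returns, sorted, the names of those that no longer comply.
// This is the continuous-verification step: a policy tightened after deployment,
// or a signature revoked later, surfaces here rather than only at admission time.
func Drift(p Policy, inventory map[string][]Container, signed Verifier) []string {
	var out []string
	for name, cs := range inventory {
		if !Evaluate(p, cs, signed).Allowed {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample data: a placeholder digest, not a real image.
var trustedImage = "registry.example.com/team/api@sha256:" + strings.Repeat("a", 64)

// sampleVerifier stands in for a signature store: only the constructed
// trusted image counts as signed.
func sampleVerifier(image string) bool { return image == trustedImage }

func main() {
	policy := Policy{AllowedRegistries: []string{"registry.example.com"}, RequireDigest: true, RequireSignature: true}
	fmt.Printf("%+v\n", Evaluate(policy, []Container{{Name: "api", Image: trustedImage}}, sampleVerifier))
	fmt.Printf("%+v\n", Evaluate(policy, []Container{{Name: "web", Image: "nginx:1.25"}}, sampleVerifier))
	inventory := map[string][]Container{"api": {{Name: "api", Image: trustedImage}}, "web": {{Name: "web", Image: "nginx:1.25"}}}
	fmt.Println("drifted:", Drift(policy, inventory, sampleVerifier))
}
```

The second `Evaluate` call denies the `nginx:1.25` workload on three grounds at once (untrusted registry, mutable tag, no signature), which is the shape of finding an operator wants to see in an alert; swapping `sampleVerifier` for one that returns false for everything models a later signature revocation, and `Drift` then reports both workloads.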
Chainguard is trying to enable IT and security teams to strike a balance between the flexibility that containers and DevOps workflows provide and the need for more secure software supply chains, which have become a much larger issue in the wake of a series of high-profile security breaches, says Lorenc.
The challenge with containers is that it is simply too easy for developers to inadvertently employ containers to encapsulate software components that have known vulnerabilities, adds Lewandowski. Chainguard Enforce! not only prevents those containers from running, it also makes it easier to identify which containers might include a zero-day vulnerability that might only have been discovered after a container is deployed, she adds.
It’s not clear to what extent organizations are now embracing DevSecOps best practices to ensure the security of Kubernetes application environments. Regardless of approach, the need to make sure only validated containers are allowed to run is becoming a major security issue. It’s not all that difficult for cybercriminals to make available a seemingly innocuous reusable container that is, in fact, infested with malware. The challenge is to implement the policies required to secure those environments without impeding the overall rate at which applications are being built and deployed.