Across every customer conversation I have had with global enterprises, there are a few key themes.
a. Developer experience.
b. The value of disrupting the status quo.
c. Contribution to the sphere of software best practices.
d. Trust.
Trust. Trust. Trust. It's paramount to our relationships, and it's the best case scenario. We trust you because of your track record. We trust you because you are credible. We trust you because we transact our dollars for your backing.
Then there is the concept of Zero Trust, or rather Never Trust, Always Verify. The way to build trust is to evaluate how risk is managed and incidents are handled. Since bad things happen... how many calories do you put in to preventing them from occurring?
I would say that blind trust in any tool has not yet been achieved in our digital landscape, and probably should not ever occur. Rather, there is a type of pseudo-trust that we all currently work towards. The "shift left" movement for security by pushing scanning and exploitation analysis back further into the SDLC does one thing very well -- it provides transparency and notification. By analyzing potential risk through documented insecure practices in your code, or CVEs in your dependencies as early as possible, you can spend time upfront preventing the truly costly issue we are all afraid of: exploit.
So, we increase our transparency of our software. We generate build-time (or cook-time) SBOMs to document the recipe for the dishes we serve our customers. We scan code, we run attack simulations with dynamic analysis, and we do everything we can early and often in our IDEs and our staging environments. We also control how code is introduced with 2 approvers on a PR, blocked commits, and more. And we do our best to enforce it all.
There is one missing piece of the puzzle here, and it's securing the supply chain. And by one piece, I mean a million smaller pieces comprising a puzzle we are still building and understanding. How do we handle the puzzle pieces that are crafted by people all over the world, all held to different standards and practices, not defined by you or your organization, within the open source stratosphere?
Authenticity and integrity. Those concepts help us establish trust. Again, zero trust, but verify, allows us to cautiously proceed with the truth. They allow us to consider: did this dish, that I have a recipe for and is at my table now, come from the restaurant I am sitting at?
This is where I pivot to pushing for checking not just your own homework, but the homework of all the pieces comprising the larger picture. Tools like cosign allow for keyless cryptographic signing of files tied to an identity. Identity is paramount here. It's one thing to know your dish is from a restaurant. But it's another one to be able to verify it's from Olive Garden. By knowing Olive Garden, you can check if the dish is from there, and decline it if not (perhaps you only want free bread if it's a delicious breadstick).
I urge you to verify if your base container images are not just signed, since anyone can authenticate and sign an image, but that they are signed by a source you trust.
Now, what is a trusted source? Today it may look more like a denylist than an allowlist, i.e. these sources are vetted by me and my team, and aren't publishable by an anonymous actor on the public internet. One day, as signatures become the standard, it could function as an allowlist. But for now, we should operate from a place of scrutiny, until cryptographic signatures become the norm.
To make this easier, I provide an example of how to verify base images in multi-stage Dockerfiles against trusted providers. Did this image get signed by xyz provider? If yes, pass. If not, fail.
As OCI image signatures become more of a reality than a best practice, I want to expand this to look deeper into the Dockerfiles of Dockerfiles, and analyze not just the immediate base image of a Dockerfile for a signature, but the base image of that base image and so on. The key thing to remember is that you have a software supply CHAIN, and you must look beyond the most immediate contiguous link.
tldr; we have pseudo-trust, we should always operate from zero trust, sign your images, know who to check for a signature from, consume responsibly, tread optimistically.
Try it out! Here's Integrity-Check on GitHub: https://github.com/cupofpython/integrity-check
Top comments (0)