OSS security: Chainguard May 2023 update
TL;DR: It’s event season and our Chainguardians are speaking all over the northern hemisphere! Here are the latest updates on what we’ve been involved in when it comes to open source software security.
Community Leadership
Chainguard’s co-founder Dan Lorenc has been re-elected to OpenSSF’s Technical Advisory Council (TAC)
Adolfo García Veytia (@Puerco) is a new CNCF Ambassador
Looking forward to serving another year on the @theopenssf TAC! Thanks to everyone for your support.
— Dan Lorenc (@lorenc_dan) April 4, 2023
Events
Our Chainguardians have given many talks since our last update post.
Mar 21-23: Montreal, Ottawa & Toronto Kubernetes Meetup, Wolfi - Adolfo García Veytia, Patrick Flynn & Tracy Miranda
Mar 22: InfoSys SBOM debate (virtual) - Tracy Miranda
Mar 22: Chainguard SLSA webinar - John Speed Meyers
April 7: Resilient Cyber: SBOMs & Software Supply Chain - John Speed Meyers joined Chris Hughes to talk SBOMs and more
KubeCon + CloudNativeCon EU - April 18 - 21 in Amsterdam
Filling the Gaps in Kubernetes Flavored SLSA with Threat Modeling — Christie Wilson, Google and Priya Wadhwa, Chainguard
No Fear, Falco Is Looking After Us! — Jason Dellaluce and Luca Guerra, Sysdig; Melissa Kilby, Apple; Carlos Panato, Chainguard; Hendrik Brueckner, IBM
Life of a CVE with Ingress-Nginx; Understanding the Project's Release Cycle — James Strong, Chainguard and Dylen Turnbull, Nginx INC
Secure Your Project with the SIG Release Supply Chain Kit — Adolfo García Veytia and Carlos Panato, Chainguard
Kubernetes SIG CLI: Intro and Updates — Eddie Zaneski, Chainguard; Katrina Verey, Shopify; Maciej Szulik, Red Hat
All the KubeCon + CloudNativeCon EU talks are available on this playlist on the CNCF YouTube Channel.
May 5: Building a Secure Supply Chain with Containers @ #WTFisSRE, London - Adrian Mouat
May 8 – 12: Open Source Summit North America, OpenSSF Day, cdCon + GitOpsCon, and SPDX 3.0 Tooling Mini Summit (Videos will be available soon).
Kubernetes
Congratulations to the Kubernetes project on its 1.27 release. This release had some unique challenges with the big shift to the community-run image registry, registry.k8s.io, and we were glad to be working with the rest of the community to help make it happen. Shout out to our guardians Adolfo García Veytia, Eddie Zaneski and Carlos Panato for their work here.
SLSA
SLSA 1.0 was announced at KubeCon + CloudNativeCon in Amsterdam in April.
“The evolution of SLSA since our original proof of concept in 2021 has been remarkable, positioning it as one of the most accessible frameworks for implementing software supply chain security practices today. The release of SLSA v1.0 represents a significant step forward in building trust between software consumers and producers, as it provides a well-established framework that outlines how software is protected and developed based on software supply chain security principles. At Chainguard, we are invested in advancing SLSA as a critical industry standard while adhering to its core principles to ensure the integrity of our offerings and the open-source community projects we maintain. We support the OpenSSF’s ongoing efforts to further develop SLSA, enabling more organizations and community projects to achieve their security objectives.” – Kim Lewandowski, Head of Product and Co-Founder, Chainguard
For more from the SLSA community on the news, read the OpenSSF announcement.

OpenVEX
The kickoff community meeting for OpenVEX as a new SIG under the OpenSSF vulnerability working group happened on April 3. Watch the recording.
If you’re interested in OpenVEX, sign up for the mailing list and join the project’s community meetings happening every other Monday. Check the OpenSSF calendar for the full details.
Wolfi/apko
Wolfi is being very well received by the ecosystem for its approach to eliminating longstanding CVEs from base images.

In the past month, Wolfi went on a three-city Canadian roadshow thanks to Adolfo García Veytia, with help from Patrick Flynn (Chainguard), Tracy Miranda (Chainguard) and Kelsey Hightower (Google Cloud).
Now @patricknflynn is going into a @wolfi_os deepdive pic.twitter.com/vaOwrRndC5
— Tracy Miranda (@tracymiranda) March 21, 2023
Wolfi Resources:
A new Wolfi for Python tutorial is live
Insights from the latest Wolfi community call
Follow @wolfi_os on Twitter 🐦
Sigstore
Chainguard contributed the Rekor search project to Sigstore at the end of March 2023. To help users unlock the security benefits of the Sigstore policy-controller, Chainguard also open sourced a catalog of policies for it; the policies can be adopted incrementally, one at a time and namespace by namespace, to tighten the security of your software supply chain.
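For readers who have not used policy-controller, here is an added example of the kind of admission policy it enforces. It is not taken from the Chainguard policy catalog or from the Sigstore project; the image glob, the GitHub organization, repository and workflow path are placeholders, and the two Sigstore URLs are the public-good Fulcio and Rekor instances.

```yaml
# Added example: a minimal Sigstore policy-controller ClusterImagePolicy.
# Not from Chainguard's policy catalog; the image glob and the workflow
# identity below are placeholders you would replace with your own.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-keyless-signature-example
spec:
  # "warn" surfaces violations as admission warnings without rejecting the
  # pod, which is how a policy can be rolled out incrementally. Switch to
  # "enforce" once every workload in scope is compliant.
  mode: warn
  images:
    # Only images matching this glob are checked by this policy.
    - glob: "ghcr.io/example-org/**"
  authorities:
    - keyless:
        # Public-good Sigstore certificate authority.
        url: https://fulcio.sigstore.dev
        identities:
          # Accept only signatures whose short-lived certificate was issued
          # to this exact OIDC issuer and subject (a GitHub Actions workflow
          # on the main branch). Both values are placeholders.
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/example-org/example-repo/.github/workflows/release.yaml@refs/heads/main
      ctlog:
        # Require the signature to be present in the public Rekor log.
        url: https://rekor.sigstore.dev
```

Two practical notes. First, policy-controller only evaluates pods in namespaces that carry the label `policy.sigstore.dev/include: "true"`, so adoption can proceed one namespace at a time alongside the `mode: warn` setting above. Second, `issuer` and `subject` are exact matches; if a release workflow runs from tags rather than a branch, use the `issuerRegExp` and `subjectRegExp` fields instead of hard-coding a single ref, and keep the pattern as narrow as the signing identity allows.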
Last month, npm announced the public beta of end-to-end signing of npm packages using Sigstore. Read Tracy Miranda’s blog post: Making JavaScript secure by default.
Read the most recent Chainguard blog posts on Sigstore:
by Eddie Zaneski
Sigstore policy-controller 101
by Ville Aikas and Erin Glass
by Ville Aikas and Erin Glass
Want more?
Check out the new Chainguard website and our open source page.