- In the wake of alarming incidents such as Russia’s massive 2017 NotPetya malware attack and the Kremlin’s 2020 SolarWinds cyberespionage campaign, both carried out by compromising the channels through which software is distributed, organizations around the world have been scrambling to get a handle on software supply chain security.
- In general, and especially for open-source software, the strongest defense rests on knowing exactly what software is being run: enumerating every component that makes up the whole and validating that each one is what it should be.
Creating a system to generate a manifest of what is inside every box in every basement and garage is a massive effort. Still, a novel Linux tool from security firm Chainguard aims to do just that for the software “containers” that currently underlie almost all digital services.
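The two defensive steps named above, enumerate every piece and check that each is what it should be, are what a manifest check does in practice. The following is an added example, not Chainguard's or Wolfi's code: a constructed manifest (standing in for an SPDX or CycloneDX SBOM) is compared against a constructed in-memory container filesystem, reporting components that are missing, whose digest does not match, and files present but never enumerated.

```python
import hashlib

# Constructed container contents: path -> file bytes (stands in for an image layer).
CONTAINER_FS = {
    "/usr/bin/app": b"#!/bin/sh\necho app v1.2.0\n",
    "/usr/lib/libcurl.so.4": b"\x7fELF...curl-placeholder...",
    "/usr/bin/unexpected-tool": b"#!/bin/sh\necho not in manifest\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifest of what *should* be in the image, with expected digests.
# The libcurl entry deliberately records a different digest to simulate a
# component that was swapped out after the manifest was produced.
MANIFEST = {
    "components": [
        {"name": "app", "version": "1.2.0", "path": "/usr/bin/app",
         "sha256": sha256_hex(CONTAINER_FS["/usr/bin/app"])},
        {"name": "libcurl", "version": "8.4.0", "path": "/usr/lib/libcurl.so.4",
         "sha256": sha256_hex(b"\x7fELF...curl-pristine...")},
        {"name": "ca-certificates", "version": "2023.1", "path": "/etc/ssl/certs/ca.pem",
         "sha256": "0" * 64},  # placeholder digest; the file is absent from the image
    ]
}

def verify_manifest(manifest: dict, fs: dict) -> dict:
    """Compare a manifest against actual contents; return findings by category."""
    findings = {"ok": [], "missing": [], "mismatch": [], "unlisted": []}
    listed = set()
    for comp in manifest["components"]:
        path = comp["path"]
        listed.add(path)
        if path not in fs:
            findings["missing"].append(path)          # enumerated but not shipped
        elif sha256_hex(fs[path]) != comp["sha256"]:
            findings["mismatch"].append(path)         # shipped, but not what it should be
        else:
            findings["ok"].append(path)
    # Anything present but never enumerated is a gap in the manifest itself.
    findings["unlisted"].extend(sorted(set(fs) - listed))
    return findings

if __name__ == "__main__":
    for category, paths in verify_manifest(MANIFEST, CONTAINER_FS).items():
        print(f"{category}: {paths}")
```

A real check would read digests from the SBOM and hash the files of an extracted image layer, but the three failure classes it has to surface are the same.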
Chainguard launched a Linux tool known as Wolfi, designed particularly for how digital systems are built now in the cloud. Most consumers don’t use Linux, the famed open-source operating system, on their personal computers. But it is widely used in servers and cloud infrastructure worldwide, partly because it can be deployed so flexibly.
Unlike operating systems from Microsoft and Apple, where the only choice is whatever ice cream flavor they release, the open nature of Linux allows developers to create all sorts of flavors, known as “distributions,” to suit specific cravings and needs. But the developers at Chainguard, who have all worked in open-source software for years, including on other Linux distributions, felt that a key flavor was missing.
Chainguard principal engineer Ariadne Conill says they have built a distribution that will work well for enterprises looking to address supply chain security seriously. Different distributions ship different curated collections of software, and having that collection right is a huge advantage for the developers who build on it.
The new Linux tool, Wolfi, is designed to work smoothly with other tools from Chainguard that help developers build out and add to the software in their container securely.
The stakes are high in software supply chain security, particularly for open-source projects, which have fewer resources to invest in improvements, and governments have started taking the problem seriously.
In May 2021, the Biden administration issued an executive order that addressed software supply chain security imperatives. And last week, the White House announced that the US Office of Management and Budget had issued specific supply chain security guidance to federal agencies.