HackerTrans
トップ新着トレンドコメント過去質問紹介求人

dlor

no profile record

投稿

OpenPubKey and Sigstore

blog.sigstore.dev
93 ポイント·投稿者 dlor·3 年前·28 コメント

The Tyranny of Nits

leafwing-studios.com
1 ポイント·投稿者 dlor·3 年前·0 コメント

CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem

darkreading.com
3 ポイント·投稿者 dlor·3 年前·0 コメント

CWE Top Most Dangerous Software Weaknesses

cwe.mitre.org
155 ポイント·投稿者 dlor·3 年前·128 コメント

The EU’s Product Liability Directive could kill open source

techradar.com
1 ポイント·投稿者 dlor·3 年前·1 コメント

Elastic Stack container images signed with Sigstore

elastic.co
1 ポイント·投稿者 dlor·3 年前·0 コメント

Shrink to Secure: Kubernetes and Secure Compact Containers

gsantoro.dev
3 ポイント·投稿者 dlor·3 年前·0 コメント

Supply chain security for Go, Part 2: Compromised dependencies

security.googleblog.com
2 ポイント·投稿者 dlor·3 年前·0 コメント

The Principle of Minimalism

chainguard.dev
9 ポイント·投稿者 dlor·3 年前·0 コメント

Fully bootstrapping Java from source in Wolfi

chainguard.dev
8 ポイント·投稿者 dlor·3 年前·0 コメント

Removing PGP from PyPI

blog.pypi.org
187 ポイント·投稿者 dlor·3 年前·187 コメント

Sigstore: Roots of Trust for Software Artifacts

infoworld.com
1 ポイント·投稿者 dlor·3 年前·0 コメント

He Untold Story of the Boldest Supply-Chain Hack Ever

wired.com
8 ポイント·投稿者 dlor·3 年前·1 コメント

Feeling VEXed by software supply chain security? Us, too

theregister.com
2 ポイント·投稿者 dlor·3 年前·0 コメント

87% of Container Images in Prod Have Critical or High-Severity Vulnerabilities

darkreading.com
3 ポイント·投稿者 dlor·3 年前·1 コメント

Towards Easier, More Secure Signature Tech for the Java Ecosystem with Sigstore

blog.sigstore.dev
1 ポイント·投稿者 dlor·3 年前·0 コメント

GitHub says hackers cloned code-signing certificates in breached repository

arstechnica.com
2 ポイント·投稿者 dlor·3 年前·0 コメント

Memory safety is the new black, fashionable and fit for any occasion

theregister.com
4 ポイント·投稿者 dlor·3 年前·0 コメント

Understanding the relationship between FOSS and the “software supply chain”

chainguard.dev
3 ポイント·投稿者 dlor·3 年前·1 コメント

Are SBOMs Good Enough for Government Work?

chainguard.dev
1 ポイント·投稿者 dlor·3 年前·0 コメント

コメント

dlor
·3 か月前·議論
Enriching does a few things, but the main ones are adding CVSS information and CPE information.

CVSS (risk) is already well handled by other sources, but CPE (what software is affected) is kind of critical. I don't even know how they're going to focus enrichment on software the government uses without knowing what software the CVEs are in.
dlor
·3 か月前·議論
We're going to be launching Chainguard Libraries for Rust in a few weeks, this article perfectly calls out the issues.

crates are somewhat better designed than NPM/PyPI (the dist artifacts are source based), but still much worse than Go where there's an intermediate packaging step disconnected from the source of truth.
dlor
·4 か月前·議論
It's both. They got compromised by another supply chain attack on Trivy initially.
dlor
·7 か月前·議論
Hey!

I work at Chainguard. We don't guarantee zero active exploits, but we do have a contractual SLA we offer around CVE scan results (those aren't quite the same thing unfortunately).

We do issue an advisory feed in a few versions that scanners integrate with. The traditional format we used (which is what most scanners supported at the time) didn't have a way to include pending information so we couldn't include it there.

The basic flow was: scanner finds CVE and alerts, we issue statement showing when and where we fixed it, the scanner understands that and doesn't show it in versions after that.

so there wasn't really a spot to put "this is present", that was the scanner's job. Not all scanners work that way though, and some just rely on our feed and don't do their own homework so it's hit or miss.

We do have another feed now that uses the newer OSV format, in that feed we have all the info around when we detect it, when we patch it, etc.

All this info is available publicly and shown in our console, many of them you can see here: https://github.com/wolfi-dev/advisories

You can take this example: https://github.com/wolfi-dev/advisories/blob/main/amass.advi... and see the timestamps for when we detected CVEs, in what version, and how long it took us to patch.
dlor
·2 年前·議論
Really cool to see all the hard work on Trusted Publishing and Sigstore pay off here. As a reminder, these tools were never meant to prevent attacks like this, only to make them easier to detect, harder to hide, and easier to recover from.
dlor
·2 年前·議論
This is awesome to see, and the result of many years of hard work from awesome people.
dlor
·2 年前·議論
There's no defeating of scanners or even static linking. It's all automation, dynamic linking and patching to make the scanners happy. We go to great lengths to make sure that the scanners actually find everything so the results are accurate.
dlor
·2 年前·議論
I can confirm our business is roughly 0 percent consulting and that it's 100% selling these hardened images.
dlor
·2 年前·議論
The big ones that help are SBOMs, STIGs, FIPS, and CVE reduction. The images and the paperwork we provide make it so they can be dropped in to even the most regulated environments without toil.

Most of our customers use them for FedRAMP or IL 5/6 stuff out of the box.
dlor
·2 年前·議論
The program details are here: https://docs.docker.com/trusted-content/dvp-program/
dlor
·2 年前·議論
Yep, that's it - the product is hardened container images!
dlor
·2 年前·議論
Great question! We take hardening of our build infrastructure very seriously, and helped build many of the OSS technologies in this space like the SLSA framework and the Sigstore project.

We produce SBOMs during the build process, and cryptographically sign SLSA-formatted provenance artifacts depicting the entire build process so you can trace a built container all the way back to the sources it was built from.

We also try to make as much of our build system reproducible as possible (but we're not all the way there yet), so you can audit or rebuild the process yourself.
dlor
·2 年前·議論
Good callout, if you know how to use docker and and dockerhub then it's just as easy as `docker pull chainguard/node`
dlor
·2 年前·議論
I work at Chainguard, happy to answer any questions!
dlor
·3 年前·議論
Have you ever been on a boat? It's not safe to assume the existence of anything, including a toilet, on them.
dlor
·3 年前·議論
Yep - a new version of image spec and distribution spec (not runtime spec).

This version allows for formalized ways to store other types of content in registries (think Helm Charts, OPA policies, etc.), as well as a way to "attach" arbitrary content to registries and then retrieve it later.

Both of these are powerful and will have lots of use cases, but the primary ones at this point are focused on supply chain security - storing content like SBOMs, digital signatures and attestations.
dlor
·3 年前·議論
Personally? I've done quite a bit here although there's always more. I worked at Google to fund Rust development internally and externally, helped sponsor the work that eventually led to getting Rust adopted in the Linux kernel, and now run a company that's building a new Linux distribution that prioritizes shipping code written in memory safe languages.

https://security.googleblog.com/2021/02/mitigating-memory-sa...

https://www.chainguard.dev/unchained/building-the-first-memo...
dlor
·3 年前·議論
SQL injection and XSS are typically solved at a library/framework level instead of a programming language one, although type systems can help make those frameworks usable and work well.

Either way, they're effectively "solved" from a programmer's perspective if you're willing to adopt modern frameworks instead of string-concatenating HTML or SQL manually.
dlor
·3 年前·議論
It's somewhat disheartening as a software developer focused on security that the top four elements are still:

* Out-of-bounds Write

* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

* Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

* Use After Free
dlor
·3 年前·議論
We're trying to fix this problem at Chainguard. We have our own Linux distro that packages modern versions of software (like minutes or hours after it's released), as well as older versions.

We're also working on FIPS 140-2 and 3, and support pretty much every compliance framework we can find.