HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dlor

no profile record

Submissions

OpenPubKey and Sigstore

blog.sigstore.dev
93 points·by dlor·3 lata temu·28 comments

The Tyranny of Nits

leafwing-studios.com
1 points·by dlor·3 lata temu·0 comments

CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem

darkreading.com
3 points·by dlor·3 lata temu·0 comments

CWE Top Most Dangerous Software Weaknesses

cwe.mitre.org
155 points·by dlor·3 lata temu·128 comments

The EU’s Product Liability Directive could kill open source

techradar.com
1 points·by dlor·3 lata temu·1 comments

Elastic Stack container images signed with Sigstore

elastic.co
1 points·by dlor·3 lata temu·0 comments

Shrink to Secure: Kubernetes and Secure Compact Containers

gsantoro.dev
3 points·by dlor·3 lata temu·0 comments

Supply chain security for Go, Part 2: Compromised dependencies

security.googleblog.com
2 points·by dlor·3 lata temu·0 comments

The Principle of Minimalism

chainguard.dev
9 points·by dlor·3 lata temu·0 comments

Fully bootstrapping Java from source in Wolfi

chainguard.dev
8 points·by dlor·3 lata temu·0 comments

Removing PGP from PyPI

blog.pypi.org
187 points·by dlor·3 lata temu·187 comments

Sigstore: Roots of Trust for Software Artifacts

infoworld.com
1 points·by dlor·3 lata temu·0 comments

He Untold Story of the Boldest Supply-Chain Hack Ever

wired.com
8 points·by dlor·3 lata temu·1 comments

Feeling VEXed by software supply chain security? Us, too

theregister.com
2 points·by dlor·3 lata temu·0 comments

87% of Container Images in Prod Have Critical or High-Severity Vulnerabilities

darkreading.com
3 points·by dlor·3 lata temu·1 comments

Towards Easier, More Secure Signature Tech for the Java Ecosystem with Sigstore

blog.sigstore.dev
1 points·by dlor·3 lata temu·0 comments

GitHub says hackers cloned code-signing certificates in breached repository

arstechnica.com
2 points·by dlor·3 lata temu·0 comments

Memory safety is the new black, fashionable and fit for any occasion

theregister.com
4 points·by dlor·3 lata temu·0 comments

Understanding the relationship between FOSS and the “software supply chain”

chainguard.dev
3 points·by dlor·3 lata temu·1 comments

Are SBOMs Good Enough for Government Work?

chainguard.dev
1 points·by dlor·3 lata temu·0 comments

comments

dlor
·3 miesiące temu·discuss
Enriching does a few things, but the main ones are adding CVSS information and CPE information.

CVSS (risk) is already well handled by other sources, but CPE (what software is affected) is kind of critical. I don't even know how they're going to focus enrichment on software the government uses without knowing what software the CVEs are in.
dlor
·3 miesiące temu·discuss
We're going to be launching Chainguard Libraries for Rust in a few weeks, this article perfectly calls out the issues.

crates are somewhat better designed than NPM/PyPI (the dist artifacts are source based), but still much worse than Go where there's an intermediate packaging step disconnected from the source of truth.
dlor
·4 miesiące temu·discuss
It's both. They got compromised by another supply chain attack on Trivy initially.
dlor
·7 miesięcy temu·discuss
Hey!

I work at Chainguard. We don't guarantee zero active exploits, but we do have a contractual SLA we offer around CVE scan results (those aren't quite the same thing unfortunately).

We do issue an advisory feed in a few versions that scanners integrate with. The traditional format we used (which is what most scanners supported at the time) didn't have a way to include pending information so we couldn't include it there.

The basic flow was: scanner finds CVE and alerts, we issue statement showing when and where we fixed it, the scanner understands that and doesn't show it in versions after that.

so there wasn't really a spot to put "this is present", that was the scanner's job. Not all scanners work that way though, and some just rely on our feed and don't do their own homework so it's hit or miss.

We do have another feed now that uses the newer OSV format, in that feed we have all the info around when we detect it, when we patch it, etc.

All this info is available publicly and shown in our console, many of them you can see here: https://github.com/wolfi-dev/advisories

You can take this example: https://github.com/wolfi-dev/advisories/blob/main/amass.advi... and see the timestamps for when we detected CVEs, in what version, and how long it took us to patch.
dlor
·2 lata temu·discuss
Really cool to see all the hard work on Trusted Publishing and Sigstore pay off here. As a reminder, these tools were never meant to prevent attacks like this, only to make them easier to detect, harder to hide, and easier to recover from.
dlor
·2 lata temu·discuss
This is awesome to see, and the result of many years of hard work from awesome people.
dlor
·2 lata temu·discuss
There's no defeating of scanners or even static linking. It's all automation, dynamic linking and patching to make the scanners happy. We go to great lengths to make sure that the scanners actually find everything so the results are accurate.
dlor
·2 lata temu·discuss
I can confirm our business is roughly 0 percent consulting and that it's 100% selling these hardened images.
dlor
·2 lata temu·discuss
The big ones that help are SBOMs, STIGs, FIPS, and CVE reduction. The images and the paperwork we provide make it so they can be dropped in to even the most regulated environments without toil.

Most of our customers use them for FedRAMP or IL 5/6 stuff out of the box.
dlor
·2 lata temu·discuss
The program details are here: https://docs.docker.com/trusted-content/dvp-program/
dlor
·2 lata temu·discuss
Yep, that's it - the product is hardened container images!
dlor
·2 lata temu·discuss
Great question! We take hardening of our build infrastructure very seriously, and helped build many of the OSS technologies in this space like the SLSA framework and the Sigstore project.

We produce SBOMs during the build process, and cryptographically sign SLSA-formatted provenance artifacts depicting the entire build process so you can trace a built container all the way back to the sources it was built from.

We also try to make as much of our build system reproducible as possible (but we're not all the way there yet), so you can audit or rebuild the process yourself.
dlor
·2 lata temu·discuss
Good callout, if you know how to use docker and and dockerhub then it's just as easy as `docker pull chainguard/node`
dlor
·2 lata temu·discuss
I work at Chainguard, happy to answer any questions!
dlor
·3 lata temu·discuss
Have you ever been on a boat? It's not safe to assume the existence of anything, including a toilet, on them.
dlor
·3 lata temu·discuss
Yep - a new version of image spec and distribution spec (not runtime spec).

This version allows for formalized ways to store other types of content in registries (think Helm Charts, OPA policies, etc.), as well as a way to "attach" arbitrary content to registries and then retrieve it later.

Both of these are powerful and will have lots of use cases, but the primary ones at this point are focused on supply chain security - storing content like SBOMs, digital signatures and attestations.
dlor
·3 lata temu·discuss
Personally? I've done quite a bit here although there's always more. I worked at Google to fund Rust development internally and externally, helped sponsor the work that eventually led to getting Rust adopted in the Linux kernel, and now run a company that's building a new Linux distribution that prioritizes shipping code written in memory safe languages.

https://security.googleblog.com/2021/02/mitigating-memory-sa...

https://www.chainguard.dev/unchained/building-the-first-memo...
dlor
·3 lata temu·discuss
SQL injection and XSS are typically solved at a library/framework level instead of a programming language one, although type systems can help make those frameworks usable and work well.

Either way, they're effectively "solved" from a programmer's perspective if you're willing to adopt modern frameworks instead of string-concatenating HTML or SQL manually.
dlor
·3 lata temu·discuss
It's somewhat disheartening as a software developer focused on security that the top four elements are still:

* Out-of-bounds Write

* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

* Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

* Use After Free
dlor
·3 lata temu·discuss
We're trying to fix this problem at Chainguard. We have our own Linux distro that packages modern versions of software (like minutes or hours after it's released), as well as older versions.

We're also working on FIPS 140-2 and 3, and support pretty much every compliance framework we can find.