HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dlor

no profile record

Submissions

OpenPubKey and Sigstore

blog.sigstore.dev
93 points·by dlor·3 ปีที่แล้ว·28 comments

The Tyranny of Nits

leafwing-studios.com
1 points·by dlor·3 ปีที่แล้ว·0 comments

CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem

darkreading.com
3 points·by dlor·3 ปีที่แล้ว·0 comments

CWE Top Most Dangerous Software Weaknesses

cwe.mitre.org
155 points·by dlor·3 ปีที่แล้ว·128 comments

The EU’s Product Liability Directive could kill open source

techradar.com
1 points·by dlor·3 ปีที่แล้ว·1 comments

Elastic Stack container images signed with Sigstore

elastic.co
1 points·by dlor·3 ปีที่แล้ว·0 comments

Shrink to Secure: Kubernetes and Secure Compact Containers

gsantoro.dev
3 points·by dlor·3 ปีที่แล้ว·0 comments

Supply chain security for Go, Part 2: Compromised dependencies

security.googleblog.com
2 points·by dlor·3 ปีที่แล้ว·0 comments

The Principle of Minimalism

chainguard.dev
9 points·by dlor·3 ปีที่แล้ว·0 comments

Fully bootstrapping Java from source in Wolfi

chainguard.dev
8 points·by dlor·3 ปีที่แล้ว·0 comments

Removing PGP from PyPI

blog.pypi.org
187 points·by dlor·3 ปีที่แล้ว·187 comments

Sigstore: Roots of Trust for Software Artifacts

infoworld.com
1 points·by dlor·3 ปีที่แล้ว·0 comments

He Untold Story of the Boldest Supply-Chain Hack Ever

wired.com
8 points·by dlor·3 ปีที่แล้ว·1 comments

Feeling VEXed by software supply chain security? Us, too

theregister.com
2 points·by dlor·3 ปีที่แล้ว·0 comments

87% of Container Images in Prod Have Critical or High-Severity Vulnerabilities

darkreading.com
3 points·by dlor·3 ปีที่แล้ว·1 comments

Towards Easier, More Secure Signature Tech for the Java Ecosystem with Sigstore

blog.sigstore.dev
1 points·by dlor·3 ปีที่แล้ว·0 comments

GitHub says hackers cloned code-signing certificates in breached repository

arstechnica.com
2 points·by dlor·3 ปีที่แล้ว·0 comments

Memory safety is the new black, fashionable and fit for any occasion

theregister.com
4 points·by dlor·3 ปีที่แล้ว·0 comments

Understanding the relationship between FOSS and the “software supply chain”

chainguard.dev
3 points·by dlor·3 ปีที่แล้ว·1 comments

Are SBOMs Good Enough for Government Work?

chainguard.dev
1 points·by dlor·3 ปีที่แล้ว·0 comments

comments

dlor
·3 เดือนที่ผ่านมา·discuss
Enriching does a few things, but the main ones are adding CVSS information and CPE information.

CVSS (risk) is already well handled by other sources, but CPE (what software is affected) is kind of critical. I don't even know how they're going to focus enrichment on software the government uses without knowing what software the CVEs are in.
dlor
·3 เดือนที่ผ่านมา·discuss
We're going to be launching Chainguard Libraries for Rust in a few weeks, this article perfectly calls out the issues.

crates are somewhat better designed than NPM/PyPI (the dist artifacts are source based), but still much worse than Go where there's an intermediate packaging step disconnected from the source of truth.
dlor
·4 เดือนที่ผ่านมา·discuss
It's both. They got compromised by another supply chain attack on Trivy initially.
dlor
·7 เดือนที่ผ่านมา·discuss
Hey!

I work at Chainguard. We don't guarantee zero active exploits, but we do have a contractual SLA we offer around CVE scan results (those aren't quite the same thing unfortunately).

We do issue an advisory feed in a few versions that scanners integrate with. The traditional format we used (which is what most scanners supported at the time) didn't have a way to include pending information so we couldn't include it there.

The basic flow was: scanner finds CVE and alerts, we issue statement showing when and where we fixed it, the scanner understands that and doesn't show it in versions after that.

so there wasn't really a spot to put "this is present", that was the scanner's job. Not all scanners work that way though, and some just rely on our feed and don't do their own homework so it's hit or miss.

We do have another feed now that uses the newer OSV format, in that feed we have all the info around when we detect it, when we patch it, etc.

All this info is available publicly and shown in our console, many of them you can see here: https://github.com/wolfi-dev/advisories

You can take this example: https://github.com/wolfi-dev/advisories/blob/main/amass.advi... and see the timestamps for when we detected CVEs, in what version, and how long it took us to patch.
dlor
·2 ปีที่แล้ว·discuss
Really cool to see all the hard work on Trusted Publishing and Sigstore pay off here. As a reminder, these tools were never meant to prevent attacks like this, only to make them easier to detect, harder to hide, and easier to recover from.
dlor
·2 ปีที่แล้ว·discuss
This is awesome to see, and the result of many years of hard work from awesome people.
dlor
·2 ปีที่แล้ว·discuss
There's no defeating of scanners or even static linking. It's all automation, dynamic linking and patching to make the scanners happy. We go to great lengths to make sure that the scanners actually find everything so the results are accurate.
dlor
·2 ปีที่แล้ว·discuss
I can confirm our business is roughly 0 percent consulting and that it's 100% selling these hardened images.
dlor
·2 ปีที่แล้ว·discuss
The big ones that help are SBOMs, STIGs, FIPS, and CVE reduction. The images and the paperwork we provide make it so they can be dropped in to even the most regulated environments without toil.

Most of our customers use them for FedRAMP or IL 5/6 stuff out of the box.
dlor
·2 ปีที่แล้ว·discuss
The program details are here: https://docs.docker.com/trusted-content/dvp-program/
dlor
·2 ปีที่แล้ว·discuss
Yep, that's it - the product is hardened container images!
dlor
·2 ปีที่แล้ว·discuss
Great question! We take hardening of our build infrastructure very seriously, and helped build many of the OSS technologies in this space like the SLSA framework and the Sigstore project.

We produce SBOMs during the build process, and cryptographically sign SLSA-formatted provenance artifacts depicting the entire build process so you can trace a built container all the way back to the sources it was built from.

We also try to make as much of our build system reproducible as possible (but we're not all the way there yet), so you can audit or rebuild the process yourself.
dlor
·2 ปีที่แล้ว·discuss
Good callout, if you know how to use docker and and dockerhub then it's just as easy as `docker pull chainguard/node`
dlor
·2 ปีที่แล้ว·discuss
I work at Chainguard, happy to answer any questions!
dlor
·3 ปีที่แล้ว·discuss
Have you ever been on a boat? It's not safe to assume the existence of anything, including a toilet, on them.
dlor
·3 ปีที่แล้ว·discuss
Yep - a new version of image spec and distribution spec (not runtime spec).

This version allows for formalized ways to store other types of content in registries (think Helm Charts, OPA policies, etc.), as well as a way to "attach" arbitrary content to registries and then retrieve it later.

Both of these are powerful and will have lots of use cases, but the primary ones at this point are focused on supply chain security - storing content like SBOMs, digital signatures and attestations.
dlor
·3 ปีที่แล้ว·discuss
Personally? I've done quite a bit here although there's always more. I worked at Google to fund Rust development internally and externally, helped sponsor the work that eventually led to getting Rust adopted in the Linux kernel, and now run a company that's building a new Linux distribution that prioritizes shipping code written in memory safe languages.

https://security.googleblog.com/2021/02/mitigating-memory-sa...

https://www.chainguard.dev/unchained/building-the-first-memo...
dlor
·3 ปีที่แล้ว·discuss
SQL injection and XSS are typically solved at a library/framework level instead of a programming language one, although type systems can help make those frameworks usable and work well.

Either way, they're effectively "solved" from a programmer's perspective if you're willing to adopt modern frameworks instead of string-concatenating HTML or SQL manually.
dlor
·3 ปีที่แล้ว·discuss
It's somewhat disheartening as a software developer focused on security that the top four elements are still:

* Out-of-bounds Write

* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

* Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

* Use After Free
dlor
·3 ปีที่แล้ว·discuss
We're trying to fix this problem at Chainguard. We have our own Linux distro that packages modern versions of software (like minutes or hours after it's released), as well as older versions.

We're also working on FIPS 140-2 and 3, and support pretty much every compliance framework we can find.