Thursday, July 18, 2024

There's finally a way to improve cloud container registry security


With software supply-chain attacks having emerged as an everyday threat, in which bad actors poison a step in the development or delivery process, the tech industry has received a wake-up call about the need to secure every link in the chain. But actually implementing the improvements has been challenging, especially for the vast open-source cloud development ecosystem. Now security firm Chainguard says it has a much safer solution for a ubiquitous but long-neglected ingredient.

“Container registries” are like app stores or clearinghouses, where developers upload “images” of cloud containers, each packaging a different piece of software. The cloud services you use every day are constantly and silently pulling from container registries to fetch applications, but these registries are often protected by nothing more than a password that can be lost, stolen, or guessed. This often means that people who shouldn’t have access to a given container image can download it, or worse, they can upload images to the registry that may be malicious. Chainguard’s new container image registry aims to plug this obscure but widening hole.

“Virtually every bad thing you can imagine has happened with container registries,” says Dan Lorenc, CEO of Chainguard and a longtime software supply-chain security researcher. “People are losing passwords, people are moving malware on purpose, people are forgetting to update stuff. The industry has been using this for a long time – everyone was having fun, shipping code – and no one was thinking about the long-term consequences.”

Chainguard researchers say they’ve long considered developing a more thoughtfully designed registry, specifically one that gets rid of passwords and instead uses a single-sign-on approach to control registry access. In this way, a registry can be designed to be accessible, or locked down, as needed, and only by people who are logged in to corporate identity services or other accounts such as Google accounts, and who have then been specifically authorized to interact with the registry.
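To make the difference between a shared password and identity-based access concrete, here is an added example of how a registry's authorization check can work once every request carries an SSO identity instead of a password. This is illustrative code written for this page, not Chainguard's registry; the issuers, repository names, groups and token claims are all hypothetical, and it assumes the token's signature has already been verified against the identity provider's published keys before the claims reach this code.

```python
# Added example (not Chainguard's code): identity-based registry authorization.
# Every name here (issuers, repositories, groups, e-mail addresses) is hypothetical.
import time
from dataclasses import dataclass

# Identity providers whose tokens the registry trusts. Constructed values.
TRUSTED_ISSUERS = {
    "https://accounts.google.com",           # Google accounts
    "https://sso.example-corp.internal",     # corporate identity service (hypothetical)
}
# Tokens minted for any other service are rejected, even from a trusted issuer.
REGISTRY_AUDIENCE = "registry.example.test"


class AuthError(Exception):
    """Raised when a token fails validation; a real registry would answer HTTP 401."""


@dataclass(frozen=True)
class RepoPolicy:
    """Who may pull and who may push a repository, by principal name."""
    pull: frozenset
    push: frozenset


# Per-repository policy. "*" in the pull set marks a public image.
POLICIES = {
    "team/app": RepoPolicy(pull=frozenset({"group:engineering"}),
                           push=frozenset({"group:release-managers"})),
    "public/base": RepoPolicy(pull=frozenset({"*"}),
                              push=frozenset({"group:release-managers"})),
}


def principals_from_claims(claims, now=None):
    """Validate an SSO ID token's claims and map them to principal names.

    `claims` is the payload of an OIDC ID token whose signature is assumed
    to have been verified already (that step is not shown here).
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise AuthError("untrusted issuer")
    if claims.get("aud") != REGISTRY_AUDIENCE:
        raise AuthError("token not issued for this registry")
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")      # a leaked token stops working on its own
    email = claims.get("email")
    if not email or not claims.get("email_verified", False):
        raise AuthError("no verified identity in token")
    principals = {f"user:{email}"}
    principals.update(f"group:{g}" for g in claims.get("groups", []))
    return frozenset(principals)


def authorize(repo, action, claims=None, now=None):
    """Return True if the caller may perform `action` ("pull" or "push") on `repo`."""
    if action not in ("pull", "push"):
        raise ValueError(action)
    policy = POLICIES.get(repo)
    if policy is None:
        return False                          # unknown repo: deny without leaking existence
    allowed = policy.pull if action == "pull" else policy.push
    if action == "pull" and "*" in allowed:
        return True                           # public pull needs no token at all
    if claims is None:
        return False                          # everything else requires an identity
    return bool(allowed & principals_from_claims(claims, now))


# Constructed sample token payloads, as an identity provider would emit them.
NOW = 1_700_000_000
RELEASE_MANAGER = {"iss": "https://sso.example-corp.internal", "aud": REGISTRY_AUDIENCE,
                   "exp": NOW + 300, "email": "rm@example-corp.internal",
                   "email_verified": True, "groups": ["engineering", "release-managers"]}
ENGINEER = {"iss": "https://accounts.google.com", "aud": REGISTRY_AUDIENCE,
            "exp": NOW + 300, "email": "dev@example.test", "email_verified": True,
            "groups": ["engineering"]}
STOLEN_OLD_TOKEN = dict(ENGINEER, exp=NOW - 1)   # what an attacker might replay later

if __name__ == "__main__":
    print(authorize("team/app", "push", RELEASE_MANAGER, NOW))   # True
    print(authorize("team/app", "push", ENGINEER, NOW))          # False
    print(authorize("public/base", "pull", None, NOW))           # True
    try:
        authorize("team/app", "pull", STOLEN_OLD_TOKEN, NOW)
    except AuthError as e:
        print("rejected:", e)                                     # rejected: token expired
```

The point of the structure is that a push is tied to a named principal and a repository, so the registry can both refuse an unauthorized upload and record who performed an authorized one; with a single shared registry password neither is possible, and a token that leaks expires on its own rather than working until someone notices and rotates it.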

“Container registries have been a weak link,” says Jason Hall, a Chainguard software engineer. “They’re very boring, very standard. It’s software that’s dependent on software to deliver. We need to do better and talk to the registry to get rid of passwords and be able to push to the registry.”

However, the major obstacle to deploying such a system is cost. Running a container registry usually gets very expensive because of “egress fees.” In other words, cloud providers don’t charge enterprise customers to upload data to the cloud, but they do charge them whenever someone downloads data. So if a container registry is like an app store where everyone is flocking to download container images, egress fees can add up really, really fast. This discouraged work on overhauling the security of container registries, because no one wanted to take on the cost of offering a more secure alternative.

The breakthrough for Chainguard came when Internet infrastructure company Cloudflare announced general availability of its R2 storage service in September. The product aims to offer Cloudflare customers low egress fees, and even no charges for data that is downloaded only occasionally. Once R2 emerged as an alternative, the Chainguard researchers had everything they needed to move forward with a more secure registry.