Software Supply Chain: The Golden Container Ship
Introduction
Today, cloud-native technologies are used to gain flexibility, scaling, and cost savings in many ways, and a modern cloud stack built on IaaS abstracts away the hardware maintenance component. This lets us treat everything above it, the operating system and the software stack, as building blocks for larger applications. That model has brought back the long-standing concept of “golden images”. A golden image identifies the known-good version that has already been approved and tested. The image is pre-bundled, so no downloads are needed from external sources at deploy time.
Debate on Creating and Maintaining Golden Images
There is a lot of debate around the best way to create and maintain golden images, as well as which tooling to use, such as AWS Image Builder, Terraform, or Packer. One camp keeps them as simple as possible for broad compatibility, leaving configuration to downstream systems. The other camp configures them as fully as possible up front to speed up builds and remove downloaded dependencies.
Typical Workflow for Creating and Deploying Golden Images
For simplicity, let us focus on the first build step as defined in the image above. The first build is foundational and sets the stage for all of our other applications, so we need to pick reputable, official images that will be supported for the long term. It is essential to ensure that the image’s runtime is installed correctly and that the image is hardened to your needs. We will also download, sign, and version our images to decrease reliance on third-party-hosted servers and minimize the risk of source hijacking.
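As an added example (not code from the original article), here is the kind of check a golden-image pipeline can run before accepting a base image: the reference from the `FROM` line must be pinned by digest, and the manifest actually fetched must hash to that digest. The image reference and manifest bytes are constructed for the demo.

```python
"""Digest-pinning check for base-image references in a golden-image build."""
import hashlib
import re


def parse_reference(ref: str) -> dict:
    """Split an OCI/Docker reference into name, tag and digest.

    Form: [registry[:port]/]repo[:tag][@sha256:<64 hex>]
    """
    name_tag, _, digest = ref.partition("@")
    if digest and not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # A ':' after the final '/' separates the tag; an earlier one is a registry port.
    slash = name_tag.rfind("/")
    colon = name_tag.rfind(":")
    if colon > slash:
        name, tag = name_tag[:colon], name_tag[colon + 1:]
    else:
        name, tag = name_tag, ""
    return {"name": name, "tag": tag, "digest": digest}


def manifest_digest(manifest_bytes: bytes) -> str:
    """Registries are content-addressed: the digest is SHA-256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def check_base_image(ref: str, manifest_bytes: bytes) -> tuple[bool, str]:
    """Accept the base image only if it is digest-pinned and the fetched manifest matches."""
    parsed = parse_reference(ref)
    if not parsed["digest"]:
        # A tag can be moved by whoever controls the upstream repository; a digest cannot.
        return False, f"{ref}: tag-only reference, pin it with @sha256:<digest>"
    actual = manifest_digest(manifest_bytes)
    if actual != parsed["digest"]:
        return False, f"{ref}: fetched manifest is {actual}, not the pinned digest"
    return True, f"{ref}: manifest matches pinned digest"


# Constructed sample: a minimal manifest and the digest a pipeline would have recorded for it.
SAMPLE_MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}'
PINNED = manifest_digest(SAMPLE_MANIFEST)

if __name__ == "__main__":
    # registry.example.com is a placeholder host, not a real registry.
    for ref in (f"registry.example.com:5000/base/ubuntu:22.04@{PINNED}",
                "registry.example.com:5000/base/ubuntu:22.04"):
        print(check_base_image(ref, SAMPLE_MANIFEST)[1])
```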
Including Telemetry, Logging, and Security Agent Configuration
We should consider including the following aspects to empower the images from the start and minimize configuration drift:
- Logging agent configuration: Logs are extremely important for monitoring processes, crashes, and anything else the image turns on by default.
- Telemetry agent: Organizations need visibility into the cluster’s health, so it’s imperative to collect reliable telemetry and send the data somewhere for processing.
- Security agent: Depending on how your environment is set up, you may want to consider a security agent at this level to ensure every endpoint is monitored.
Implementing Golden Builds
Images can run rampant within an organization, often having various flavors based on the needs of each team. When it comes to security, change management is a key part of NIST 800-53, as well as other system frameworks. In order to be successful with your golden builds, you will need to ensure you have coverage of the following:
- Approved baseline configurations accepted by the organization.
- Default rule to use built-in software as the first option.
- Expectation of regular investments in security and feature upgrades.
- Process to upgrade pipelines to the latest build.
- Retire old images and promote new images on a standard timeline.
Part of securing the supply chain is knowing how to fix issues once they are discovered. Having an SBOM or another inventory list is a great place to start, but being able to act when a vulnerability is found is the second part. With a golden image, or a set of known golden images, the organization can quickly and efficiently fix the issue and deploy the updated image.
Conclusion
Companies need to know how to secure their software supply chain. Golden images are a commonly used way to identify known-good versions that have been approved and tested. Companies can implement this by ensuring a reputable, official image is used and that the image is hardened to their needs. It is advised to include telemetry, logging, and security agent configurations in the image-building process to empower the images from the start and minimize configuration drift. By retiring old images, updating to newer versions, and enforcing approved baseline configurations, companies can keep their software supply chain secure.