
Kubernetes taps Sigstore to thwart open-source software supply chain attacks

May 4, 2022 Hi-network.com

Container orchestrator Kubernetes will now include cryptographically signed certificates, using the Sigstore project created last year by the Linux Foundation, Google, Red Hat and Purdue University, in a bid to protect against supply chain attacks.

The Sigstore certificates are being used in the just-released Kubernetes version 1.24 and all future releases. 

According to founding Sigstore developer Dan Lorenc, a former member of Google's open-source security team, the use of Sigstore certificates allows Kubernetes users to verify the authenticity and integrity of the distribution they're using by "giving users the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle and container image."


It's one step forward for open-source software development in the battle against software supply chain attacks.


The Linux Foundation announced the Sigstore project in March 2021. The new Alpha-Omega open-source supply chain security project, which is backed by Google and Microsoft, also uses Sigstore certificates. Google's open-source security team announced the Sigstore-related project Cosign in May 2021 to simplify signing and verifying container images, as well as the Rekor 'tamper resistant' ledger, which lets software maintainers build systems to record signed metadata to an "immutable record". 
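The verification step Lorenc describes, done with the Cosign CLI against a downloaded Kubernetes release binary, as an added example that is not code from the article or the Kubernetes project. It assumes the release layout `https://dl.k8s.io/release/<version>/bin/<os>/<arch>/<binary>` with `.sig` and `.cert` files beside each binary, cosign 2.x, and a signing identity and OIDC issuer that must be confirmed against the current Kubernetes release documentation.

```shell
#!/bin/sh
# Added example (not from the article or the Kubernetes project): verify a
# Kubernetes release binary against the Sigstore signature and certificate
# published beside it, using cosign 2.x. The artifact layout and the
# signing identity/issuer below are assumptions; confirm them against the
# Kubernetes release documentation or override them via the environment.
set -eu

K8S_CERT_IDENTITY="${K8S_CERT_IDENTITY:-krel-staging@k8s-releng-prod.iam.gserviceaccount.com}"
K8S_OIDC_ISSUER="${K8S_OIDC_ISSUER:-https://accounts.google.com}"

# Build the download URL for one release artifact (pure, no network).
k8s_artifact_url() {
  version="$1"; os="$2"; arch="$3"; binary="$4"
  printf 'https://dl.k8s.io/release/%s/bin/%s/%s/%s\n' "$version" "$os" "$arch" "$binary"
}

# Download the binary, its detached signature and the signing certificate.
fetch_release_artifacts() {
  dir="$1"; url="$2"
  (cd "$dir" && curl -sSfL --remote-name-all "$url" "$url.sig" "$url.cert")
}

# Keyless verification: cosign checks the signature against the short-lived
# Fulcio certificate, checks that the certificate was issued to the expected
# release identity by the expected OIDC issuer, and by default requires an
# inclusion proof from the Rekor transparency log. It exits non-zero on any
# mismatch, so a caller must not install a binary that fails this step.
verify_release_binary() {
  version="$1"; os="$2"; arch="$3"; binary="$4"
  url="$(k8s_artifact_url "$version" "$os" "$arch" "$binary")"
  workdir="$(mktemp -d)"
  fetch_release_artifacts "$workdir" "$url"
  cosign verify-blob "$workdir/$binary" \
    --signature "$workdir/$binary.sig" \
    --certificate "$workdir/$binary.cert" \
    --certificate-identity "$K8S_CERT_IDENTITY" \
    --certificate-oidc-issuer "$K8S_OIDC_ISSUER"
  echo "$workdir/$binary"   # path of the verified binary, safe to install from
}

# Usage: ./verify-k8s.sh v1.24.0 linux amd64 kubectl
if [ "$#" -eq 4 ]; then
  verify_release_binary "$@"
fi
```

Pin the identity and issuer in your own tooling rather than accepting any certificate Fulcio issued; without those two flags a valid signature from any Sigstore user would pass.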

According to Lorenc, the Kubernetes release team's adoption of Sigstore is part of its work on Supply Chain Levels for Software Artifacts, or SLSA, a framework developed by Google for internally protecting its software supply chain that's now a three-level specification being shaped by Google, Intel, the Linux Foundation and others. Kubernetes achieved SLSA Level 1 compliance in version 1.23.

"Sigstore was a key project in achieving SLSA level 2 status and getting a head start towards achieving SLSA level 3 compliance, which the Kubernetes community expects to reach this August," says Lorenc.

Lorenc tells ZDNet that Kubernetes' adoption of Sigstore is a major step forward for the project because it has about 5.6 million users. The Sigstore project is also approaching Python developers with a new tool for signing Python packages, as well as major package repositories such as Maven Central and RubyGems. 

Kubernetes serves as a critical focal point that helps draw attention, takes a large amount of work, and has an outsized impact on the entire supply chain, he says.

These efforts coincide with new projects like the new Package Analysis Project, an initiative by Google and the Linux Foundation's Open Source Security Foundation (OpenSSF) to identify malicious packages for popular languages such as Python and JavaScript.

Malicious packages are regularly uploaded to popular repositories despite best efforts, with sometimes devastating consequences for users, according to Google.

