As software supply chain attacks have emerged as a daily threat, where bad actors poison a step in the development or distribution process, the tech industry has been alerted to the need to secure every link in the chain. But actually implementing improvements is difficult, especially for the sprawling open source cloud development ecosystem. Now the security company Chainguard says it has a more secure solution for a ubiquitous but long overlooked component.
“Container registries” are a kind of app store or clearinghouse where developers upload “images” of cloud containers, each containing different software. The cloud services you use every day constantly and silently pull from container registries to access applications, but these registries are often poorly secured with just a password that can be lost, stolen, or guessed. This often means that people who shouldn’t have access to a given container image can download it, or worse, upload images to the registry that could be malicious. Chainguard’s new Container Image Registry aims to fill this esoteric but pervasive hole.
“Almost every possible bad thing has happened with container registries that you can imagine,” says Dan Lorenc, CEO of Chainguard and longtime software supply chain security researcher. “People lose their passwords, people purposely push malware, people forget to update things. The industry has been using this for a long time – everyone was having fun, shipping code, and nobody thought about long-term consequences.”
Chainguard researchers say they have long considered developing a more thoughtful registry, specifically one that removes passwords and instead uses a single sign-on approach to control registry access. This way, a registry can be designed to be as accessible or as locked down as needed, and only people who are logged into other accounts, like corporate identity services or Google accounts, and then specifically authorized can interact with the registry.
“Container registries have been a weak link,” says Chainguard software engineer Jason Hall. “They’re pretty boring, pretty standard. It is software that relies on software to deliver software. We need to do better and get rid of passwords to talk to the registry and be able to access the registry.”
The big limitation in deploying a system like this, however, has been the cost. Running a container registry is usually very expensive due to “egress fees.” In other words, cloud providers don’t charge enterprise customers for uploading data to the cloud, but they charge them each time someone downloads that data. So if container registries are like an app store where everyone comes to download container images, egress fees can get very high very quickly. This discouraged work to overhaul container registry security, as no one wanted to bear the costs of providing a more secure alternative.
Chainguard’s breakthrough came when internet infrastructure company Cloudflare announced the general availability of its R2 Storage service in September. The goal of the product is to offer reduced egress charges to Cloudflare customers, and even no charges for infrequently downloaded data. Once R2 emerged as an option, Chainguard researchers had everything they needed to move forward with a more secure registry.