There’s Finally a Way to Improve Cloud Container Registry Security
As software supply chain attacks, in which attackers poison a step in the development or distribution process, have become a near-daily threat, the tech industry has had a wake-up call about the need to secure every link in the chain. Actually implementing those improvements is a challenge, though, especially for the expanding open source cloud development ecosystem. Now the security company Chainguard says it has a safer design for a common but long-ignored component.
“Container registries” are like app stores or clearinghouses where developers upload “images” of cloud containers, each of which bundles a software program together with everything it needs to run. The cloud services you use every day constantly and silently pull from container registries to fetch applications, but these registries are often protected by nothing more than a single password that can be lost, stolen or guessed. In practice this means that people who should not have access to a given container image can download it or, worse, upload a potentially malicious image to the registry. Chainguard’s new Container Image Registry aims to close this esoteric but common weakness.
“Nearly any bad thing can happen to a container registry you can imagine,” said Dan Lorenc, CEO of Chainguard and longtime software supply chain security researcher. “People who lost their passwords, people who intentionally pushed malware, people who forgot to update content. The industry has been using this for a long time — everyone having fun, shipping the code — and no one thought about the long-term consequences.”
Chainguard researchers say they have long considered building a more thoughtfully designed registry, specifically one that removes passwords entirely and instead uses a single-sign-on approach to control registry access. That way the registry can be opened up or locked down as needed, and only users who have signed in to an existing account, such as a corporate identity service or a Google account, are authorized to interact with it.
“Container registries are a weak link,” said Jason Hall, a software engineer at Chainguard. “They’re pretty boring, pretty standard. This is software that relies on software to deliver software. We need to do a better job and get rid of the password to talk to the registry and maybe move to the registry.”
The major obstacle to building a system like this, however, is cost. Running a container registry is often very expensive because of “egress fees”: cloud providers generally don’t charge business customers to upload data to the cloud, but they do charge every time someone downloads it. If a container registry is an app store where people go to download container images, those egress fees can add up enormously and very quickly. This has stalled the security overhaul of container registries, because no one wants to take on the costs of providing a more secure alternative.
The breakthrough for Chainguard came when the internet infrastructure company Cloudflare announced general availability of its R2 Storage in September. The product is intended to cut egress fees for Cloudflare customers, and to waive them entirely for infrequently downloaded data. Once R2 became an option, the Chainguard researchers had everything they needed to proceed with a more secure registry.