Years after Log4j, what has changed?
You've probably heard about Log4Shell (CVE-2021-44228), a vulnerability in the Apache Log4j 2 logging library that allowed unauthenticated remote code execution (RCE): any attacker who could get a crafted string into a log message, for example through an HTTP header, could make the vulnerable JNDI lookup fetch and run arbitrary code on a server running an affected version. This vulnerability took the entire software industry by storm, and it created a wave of messaging that emphasized taking supply chain security seriously. The message was clear, and many companies began working not only on protecting themselves from this particular vulnerability but also on defining standards to safeguard the software supply chain as a whole. A lot of work has been done since then:
SBOMs (Software Bill of Materials) - There has been a push for greater transparency through SBOMs: a machine-readable inventory of the components that went into a build, so that when the next Log4j-style advisory lands an organization can answer "where do we ship this library, and at which version?" in minutes instead of weeks, and manage vulnerabilities more effectively.
DevSecOps - Adoption of DevSecOps practices is increasing, with an emphasis on integrating security earlier in the development process (dependency scanning, policy checks and image scanning in CI rather than at release time). Organizations are investing more in this area to safeguard themselves against future attacks.
Base Image Problem - Most container images are built on a base image, which is often unpatched, so every vulnerability in the base is inherited, layer by layer, by every image generated on top of it; scanning your own application code does nothing about that. Chainguard has addressed this with Chainguard Images, built on its Wolfi distribution and maintained with the goal of shipping with zero known CVEs.
OpenSSF - The Open Source Security Foundation aims to enhance the security of open source software. It unites leaders from various sectors to develop, fund, and implement initiatives that improve open source security practices and tools. The momentum has been accelerating since around 2021.
SLSA (Supply-chain Levels for Software Artifacts) - SLSA is a framework designed to ensure the integrity of software artifacts throughout the software supply chain. It defines graded levels of build integrity and requires provenance describing how an artifact was built, which helps prevent tampering, improves transparency, and gives traceability from a deployed artifact back to its source and build process.
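To make the SBOM point concrete: the value of an SBOM shows up the moment you can match it against an advisory. The following is an added example written for this newsletter, not code from any SBOM tool or from the projects above. It walks a small CycloneDX document (constructed inline, including a nested component that a flat scan would miss) and checks each component's package URL against the affected version ranges for CVE-2021-44228. The ranges are transcribed from the public advisory for log4j-core; treat them as example data and verify against OSV before relying on them. In practice the SBOM would come from your build (syft, cdxgen or similar) and the ranges from an advisory database.

```python
"""Check a CycloneDX SBOM against an advisory's affected version ranges.

Added example for illustration; the SBOM and advisory data are constructed
here rather than taken from a real build or fetched from OSV.
"""
import json

# Constructed CycloneDX 1.4 document for an imaginary "payment-api" service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "payment-api", "version": "1.3.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.springframework.boot", "name": "spring-boot-starter-log4j2",
         "version": "2.5.6", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.6",
         # CycloneDX lets a component carry its own components; a scan that
         # only reads the top-level list would never see log4j-core here.
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
         ]},
    ],
})

# Affected ranges for CVE-2021-44228 on log4j-core, in OSV's introduced/fixed
# form, transcribed from GHSA-jfh8-c2jp-5v3q. Example data: verify against OSV.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
        "ranges": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")],
    },
]


def version_key(version):
    """Sort key for Maven-style versions: numeric dotted part, then pre-release.

    "2.0-beta9" sorts before "2.0", and "2.0" before "2.0.1". Sufficient for
    log4j's scheme; a real tool should use a full Maven/semver comparator.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def is_affected(version, ranges):
    """True if version falls inside any half-open [introduced, fixed) range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in ranges)


def iter_components(node):
    """Yield every component in the (possibly nested) CycloneDX tree."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def split_purl(purl):
    """'pkg:maven/g/a@1.2?type=jar' -> ('pkg:maven/g/a', '1.2')."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version


def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return (package purl, version, advisory id) for every affected component."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in iter_components(sbom):
        purl = comp.get("purl")
        if not purl:
            continue
        name, version = split_purl(purl)
        for adv in advisories:
            if name == adv["package"] and is_affected(version, adv["ranges"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_vulnerable(SAMPLE_SBOM):
        print(f"{cve}: {name}@{version}")
```

Two details matter in practice: only log4j-core is flagged, not log4j-api at the same version, because the advisory is keyed on the exact package URL; and the backported fix releases (2.3.1, 2.12.2) fall outside the ranges, so a naive "anything below 2.15.0" check would produce false positives on them.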
Are these measures enough? We have seen many advancements in these areas, yet the number of supply chain attacks has INCREASED! Yes, you heard me right!
What is going wrong here? OpenSSF is performing well, and Chainguard images and minimal images are a great way to start protecting systems, but there is a broader issue: security still has not shifted far enough left, and package coverage in those minimal images is limited. In my opinion, Nix offers a better way to bring security earlier in the development process, with over 80,000 packages in nixpkgs and builds that are declared rather than assembled by hand, although it has its own set of challenges that the Nix community is addressing.
All in all, this space still requires more innovation: reproducible builds, better SBOMs, more effective ways to reach zero CVEs, broader package support, and perhaps more adoption of Nix!
What do you think? I would love to hear your thoughts in the comments.
What have I been doing and what's next?
I have an upcoming webinar with Perfectscale where I will be talking about WebAssembly on Kubernetes using SpinKube. You can register for this FREE webinar here.
KCD Pune went really well and I am so happy that I was able to make it in time!
The stream with Darren on GPTScript was dope; we interacted with a Kubernetes cluster using OpenAPI.
Also created a video on Taskfile - I really like its automation, but I do love Dagger if any caching is required.
Sponsored Content
Without the sponsors I wouldn't be able to give you an authentic newsletter with all the cool stuff, so please do check them out.
Awesome Reads April
DIY: Create Your Own Cloud with Kubernetes - Very interesting 3-part series on creating your own cloud using Cozystack.
Part 1: Preparing the groundwork for your cloud. Challenges faced during the preparation and operation of Kubernetes on bare metal and a ready-made recipe for provisioning infrastructure.
Part 2: Networking, storage, and virtualization. How to turn Kubernetes into a tool for launching virtual machines and what is needed for this.
Part 3: Cluster API and how to start provisioning Kubernetes clusters at the push of a button. How autoscaling works, dynamic provisioning of volumes, and load balancers.
Do you *really* need to store all that telemetry? - Insights on which data is worth collecting. You do not need to store everything: systems should collect specific telemetry when it is needed instead of always collecting everything, which saves cost and simplifies data management.
Using Metrics-Based Custom Thresholds in Prometheus Alerting Rules - Prometheus allows you to write generic alerting rules that you can parametrize based on a joined-in metric with compatible labels. This post explains how you can do that.
The end of GitHub PATs: You can't leak what you don't have - Matt Moore discusses how Chainguard moved away from long-lived GitHub Personal Access Tokens (PATs) to short-lived credentials by creating Octo STS, a Security Token Service for GitHub that exchanges a workload's OIDC token for a short-lived GitHub token, so there is no standing secret left to leak.
How to Port a Sample Application to Chainguard Images - This article works through porting a small but complete application to use Chainguard Images. As we'll see, this is relatively straightforward, but it is important to be aware of some of the differences to other common images.
Resources and Awesome Repos
KindScaler: Node Management for KinD Clusters
Enterprise architectures and patterns: Collection of Enterprise Architectures & Patterns built with Spin and WebAssembly
Awesome video by TechnoTim
For my Hindi Readers - The Kubernetes bootcamp in Hindi is going solid with 5 parts done!
Learn from X platform
https://x.com/kelseyhightower/status/1775913633064894669
https://x.com/ClementDelangue/status/1777459866560287047
https://x.com/karpathy/status/1778153659106533806