DevOps and Docker Talk: Cloud Native Interviews and Tooling

Chainguard: Building Secure Container Images

May 3, 2024

Dan Lorenc, from Chainguard, shares insights on creating secure container images, emphasizing the importance of minimalism to enhance security. He discusses the ramifications of the recent XZ supply chain attack and how Chainguard addresses vulnerability management. Dan highlights the benefits of their zero CVE approach, the launch of Chainguard images on Docker Hub, and the need for proactive security practices. He also elaborates on tools for reducing attack surfaces and the significance of frameworks like SLSA in bolstering software security.

59:43

Creator website

Episode guests

Dan Lorenc

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The podcast discusses the recent supply chain attack involving XZ Utilities, emphasizing the vulnerabilities of overburdened maintainers in open-source software.

Chainguard's Images Project is highlighted for offering minimal base images free from Common Vulnerabilities and Exposures, promoting secure container development.

The Salsa project aims to enhance supply chain security through structured guidance, helping organizations implement security best practices incrementally and effectively.

Deep dives

XZ Utilities Supply Chain Attack

The podcast delves into a recent supply chain attack involving XZ Utilities, a critical component in many Linux distributions. An attacker managed to gain maintainer privileges over time, subtly injecting backdoor code into the software, which could have compromised numerous systems. Fortunately, the attack was detected due to a performance anomaly, which triggered a thorough investigation that unveiled the malicious code. This incident raises concerns about the vulnerabilities inherent in open-source software, especially when maintainers are overburdened and may struggle with security practices.

Intro

5min

Navigating Software Supply Chain Security

19min

Understanding Hash Differences in Container Images

2min

Securing Container Vulnerabilities

17min

Minimizing SSH Usage and the Evolution of Secure Container Distros

2min

Understanding SLSA: Strengthening Software Security

11min

Exploring ChainGuard: Entry Points and Educational Resources

3min

Bret and Nirmal are joined by Dan Lorenc from Chainguard to walk them through Chainguard's approach to building secure, minimal container images for popular open source software.

They discuss why it is important to have secure and minimal container images. Dan explains how Chainguard helps remove the pain of CVEs, laggy software updates and patches and much more. Chainguard is now available also on Docker Hub.

They spend the first part of the show talking about the week's big news: the XZ supply chain attack, and Dan was the best man to explain it. They also touch on CVEs, things you can do to reduce the attack surface, SLSA, and more during this jam-packed show.

Be sure to check out the live recording of the complete show from April 4, 2024 on YouTube (Ep. 261).

★Topics★
Chainguard Website
Vulnerability Management Certification course
True Cost of Vulnerability Management
Chainguard Images
Chainguard on Docker Hub Announcement

Creators & Guests

Cristi Cotovan - Editor
Beth Fisher - Producer
Bret Fisher - Host
Nirmal Mehta - Host
Dan Lorenc - Guest

(00:00) - Intro
(05:14) - Dan's Take on the XZ Hack
(14:59) - Chainguard Distro Creation
(21:21) - Chainguard in Docker Hub Announcement
(24:26) - Free Images vs Private Images
(26:27) - Zero CVE Approach
(28:33) - Ways to Reduce Attack Surfaces
(39:56) - Chainguard Academy
(41:08) - Real Time Antivirus Malware Scanner
(43:52) - Google Distro Lists Worth Using
(45:56) - Chainguard for Buildpacks
(46:20) - SLSA
(56:08) - What's Next for Chainguard?
(56:52) - Getting Started with Chainguard

You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news!

Grab the best coupons for my Docker and Kubernetes courses.
Join my cloud native DevOps community on Discord.
Grab some merch at Bret's Loot Box
Homepage bretfisher.com

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more