Table Stakes: Using public standards for software supply chain security
For organizations operating at scale, the application supply chain provides malefactors with a troubling range of opportunities for attack. The recent revelation of the “OMIGOD” exploit is only the latest in a long line of reminders that security must be tailored for a cloud-native world, and we need to account for vulnerabilities at every stage of deployment.
So how can organizations protect themselves while building complex, scalable, and flexible services, especially in high-stakes sectors where security is mission-critical?
Hardening the registry
At CloudNative Days, Mirantis Director of Cloud Architecture Bryan Langston discussed one crucial avenue of attack: the container registries that may form the foundation of your application architecture. These registries allow for streamlined and standardized development, but if you draw on compromised container images, a major vulnerability may be introduced right at the outset. Indeed, this is exactly what security research teams found earlier this year in Docker Hub containers that had been pulled over a hundred thousand times.
How can you avoid falling into the same trap? One solution is to use trusted, security-validated container registries guided by stringent public standards. For example, Mirantis Secure Registry (formerly Docker Trusted Registry) can help organizations ensure that their software architecture meets the requirements of the U.S. Federal Risk and Authorization Management Program (FedRAMP), among other standards. With a secure registry, even organizations not subject to FedRAMP requirements for federal data can achieve a higher degree of security and confidence without sacrificing time or agility.
“This is table stakes,” Bryan said at CloudNative Days. “You've got to be doing this at least, and more, if you want to have good control over your secure Kubernetes environment.”
Building a security framework across the software supply chain
Of course, cloud security doesn’t stop at the registry -- that’s only a single point of potential attack. Fortunately, organizations can adopt a similar approach to the one we’ve seen for container validation.
Public security guidelines like the U.S. Federal Information Processing Standards (FIPS) 140-2 provide a set of publicly available specifications for application security that can guide enterprises across their pipelines. Some organizations may even find that they should use the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG).
By using software tools tailored to help organizations meet strict requirements while still shipping code swiftly, it is possible to balance careful cybersecurity with the requirements of fast-moving, high-stakes sectors -- interests which often seem to conflict, while truly going hand in hand.
On October 14th, 2021, Bryan will provide an in-depth breakdown of these strategies in his webinar, “Real Verifiable Security: FIPS 140-2 and DISA STIG.” If you’d like to learn more, sign up now to learn how your organization can harden your cybersecurity -- while playing for table stakes.