Chainguard reposted
We're looking for a product manager to own our Chainguard Courses and support our Chainguard Academy (both of which I have contributed to). If that piques your interest, read on here: https://lnkd.in/getQ8QTi
Founded by the industry's leading experts on open source software, security and cloud native development, we provide secure container images with low-to-no CVEs.
Chainguard's external link
Kirkland, WA 98033, US
Chainguard reposted
It's 10pm, do you know what compiler flags your binaries have been built with? Compilers have advanced dramatically in the last several decades, and many common classes of memory-safety vulnerabilities have been entirely mitigated with modern compilers. Unfortunately, these protections aren't always enabled by default. This can be because compiler authors are worried about breaking backwards compatibility, or because the protection might cause an unintended side effect - typically around performance. Thankfully, our friends at the OpenSSF have put together a detailed guide on what all of these compiler flags mean, along with recommendations for which to set to maximize security of the compiled artifacts. Our team at Chainguard did a detailed audit of all the binaries we distribute, and made sure that we're setting all of these flags *at a minimum* across the board. You can now rest assured that everything you get from Chainguard is taking advantage of the most up to date hardening techniques available in modern compilers. And - our approach to compiler toolchains means you'll get these protections as soon as new compilers come out. No need to wait years for LTS-style distros to update to modern gcc or clang stacks! https://lnkd.in/e9cPAbbp #opensource #compilers #llvm #cybersecurity
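A way to answer the "what was this built with?" question for a binary you already have, as an added example (not Chainguard's or the OpenSSF's code): it reads an ELF64 file's program headers and reports three properties the recommended flags produce. The `build_fake_elf` helper constructs sample headers so the check runs offline; the file path and the synthetic sample values are assumptions.

```python
"""Read an ELF64 binary's headers to answer "what hardening was this built with?".

Added example, not Chainguard's or the OpenSSF's code.  It checks three things the
OpenSSF-recommended flags produce: PIE (-fPIE -pie), a non-executable stack (no
-z execstack) and RELRO (-z relro).  Full RELRO (-z now) and stack protectors live
in the dynamic section and symbol table, which this deliberately does not parse.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program-header type carrying the stack permissions
PT_GNU_RELRO = 0x6474E552   # region the loader makes read-only after relocation
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent


def check_hardening(elf: bytes) -> dict:
    """Return {pie, nx_stack, relro} for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx_stack = relro = False   # no PT_GNU_STACK at all is treated as not NX-protected
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # ET_DYN also covers shared objects, so for a .so "pie" really means "PIC"
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def build_fake_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 header plus program headers (sample input only)."""
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"                      # magic, ELFCLASS64, little-endian
    struct.pack_into("<H", ehdr, 16, e_type)
    struct.pack_into("<Q", ehdr, 32, 64)               # phdrs follow the 64-byte header
    struct.pack_into("<HH", ehdr, 54, 56, len(phdrs))  # e_phentsize, e_phnum
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return bytes(ehdr) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python3 elfcheck.py /usr/bin/ls
        print(check_hardening(open(sys.argv[1], "rb").read()))
    else:                                       # constructed hardened vs. weak samples
        print(check_hardening(build_fake_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])))
        print(check_hardening(build_fake_elf(ET_EXEC, [(PT_GNU_STACK, 7)])))
```

Point it at a real binary to get the same three answers `readelf -l` would give you by hand; a missing PT_GNU_STACK is reported as not NX-protected, which is the conservative reading.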
Chainguard reposted
Hey you!! Do you want to learn what it takes to build and test and scan 1100+ of the finest container images it's possible to build, dozens of times every day, reproducibly, with SBOMs, signatures, provenance, and more? Do you want to find out with me what it'll take to 10x that number and build them even more often, and faster? We've got some spots open on my team next year. If you're curious, reply or DM me and let's talk.
"Chainguard helps our engineers focus on developing features. Previously, most time was spent trying to mitigate CVEs & our customers were getting new features deployed. Using Chainguard has significantly shifted that paradigm. Developing in the DoD landscape is harder than the private sector & this helps a lot." ~ Enterprise customer in Defense & Space industry. So grateful for our customers! See what else they have to say on G2: https://lnkd.in/eeVsdCSM
Chainguard reposted
Another instance of OSS identity theft, or another example of the one actual good reason to sign git commits. Attackers recently attempted to sneak malware into a project by creating a fake GitHub profile, attempting to make their commits appear to have come from a well known researcher. Instances like this always remind me of two things:
1. I'm incredibly skeptical of any of the tooling that attempts to detect malicious activity based on GitHub activity metadata. It's all trivially forgeable and the data is impossible to trust.
2. The highest impact threat vector that cryptographically signing your commits actually protects against is identity theft - someone trying to pass their (likely malicious) work off as yours.
I wish commit signing were easier to use, but until GitHub integrates sigstore for commit verification we're left with PGP or the less-bad but still kludgy ssh-key based signing. We use gitsign internally for everything at Chainguard through our own set of GitHub actions and apps, but it would still be a lot nicer to get the fancy green checkmark. https://lnkd.in/e9s_qhdJ #gitsign #sigstore #cybersecurity #opensource
Chainguard reposted
Kicked off the Salesforce Ventures Founders Summit with a high energy go-to-market conversation alongside Arielle Fidel (Together AI) and Ryan Carlson (Chainguard) where we discussed the founder toolkit for building a powerful B2B GTM engine and scaling for growth.
*A few takeaways*
First time founders focus on product, second time founders focus on distribution ... find your first 2-3 champion enterprise customers
Nothing happens until someone sells something … At an early stage company, there are only two roles: building and selling
Get programmatic about your data … being focused on data earlier on (collecting data, data integrity, data governance) will set you up for growth and scale in the age of AI
Take advantage of programs like *Salesforce Launchpad* offering startups an opportunity to establish a solid foundation by providing Slack & CRM access and expert coaching to build a scalable GTM framework without significant upfront investment. Mara Larson-Richard, Daniel Otero Bernabeu
Learn more here: https://lnkd.in/ebqquQv5
Thanks to Paul Drews, Nowi Kallen, Enki T., Laura Rowson for inviting me
Chainguard reposted
Fresh off the blogosphere: Chainguard Images are now being built using enhanced, OpenSSF-recommended compiler flags for C/C++ projects. Check it out! https://lnkd.in/e4FTir5h
We are proud to announce that we're a funding Launch Partner of GitHub's Secure Open Source Fund. We look forward to working with other industry leaders to improve open source security and are committed to creating a safer open source ecosystem for everyone! https://lnkd.in/eqsARhhu
Chainguard reposted
I have an example I like to use to point out problems with SCA-generated SBOMs called the "Wordpress Test". Wordpress is one of the most widely deployed applications on the internet, and as a large codebase it often has vulnerabilities. One recent example is CVE-2024-10924 in which a set of popular authentication plugins can be bypassed for remote access. Anyway, here's the test. I've been talking about this example for a few years now and to my knowledge no SCA container scanner passes it yet.
Step 1: Run the scanner on the DockerHub "wordpress" image.
Step 2: See if the scanner found the actual "wordpress" application in the image.
Scanners find tons of vulnerabilities - both true and false positives in this image. Grype for example finds 354 unique CVEs in this image. Trivy finds 855. Docker scout finds 95. But if you dig into the packages detected by these scanners, none actually realized wordpress itself was installed, which means they're blind to CVEs in the main application! This is because the official wordpress image is built by following the official wordpress installation instructions, which involve downloading a tarball, unpacking the contents onto disk, and then running some installation scripts. These installation methods don't leave behind enough breadcrumbs for scanners to know that anything was installed, so this turns into "Dark Matter". Any post-hoc container minimization or hardening steps that start from this same image will have the same problems - false negatives. Compare that to our build-time generated SBOMs on the Chainguard wordpress image and you'll see wordpress front and center in the scan results. A quick "syft https://lnkd.in/ej9PytDf" will show the difference. This is because we build individual OS packages for everything that gets installed, and those packages correctly contain all the required metadata for scanners to interpret.
If you're relying solely on SCA-based scanners to generate your SBOMs, you're going to be stuck dealing with false-positives *and* false negatives, unless your vendor goes to great lengths (like we do) at build time to ensure they can properly interpret an image. Has anyone out there solved the "Wordpress Test" yet? I check every six months or so and to date none of the scanners I've tried pass. #wordpress #cve #sbom #vulnerabilitymanagement #cybersecurity
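Step 2 of the test, automated over the SBOM a scanner emits, as an added example (not Chainguard's code): it collects package names from an SPDX or CycloneDX JSON document and reports whether the application itself was detected. The two embedded SBOMs are constructed samples, not real scanner output, and their package names and versions are assumptions.

```python
"""The "Wordpress Test" as a check over an SBOM document.

Added example, not Chainguard's code.  Given an SBOM in SPDX or CycloneDX JSON,
report whether the application itself (default: wordpress) appears as a package,
i.e. whether the scanner produced a component it can later match CVEs against.
"""
import json


def package_names(sbom: dict) -> set:
    """Collect lower-cased package names from SPDX ('packages') or CycloneDX ('components')."""
    entries = sbom.get("packages") or sbom.get("components") or []
    names = set()
    for entry in entries:
        if entry.get("name"):
            names.add(entry["name"].lower())
        # A purl carries the canonical name too, e.g. pkg:apk/wolfi/wordpress@6.7.1?arch=x86_64
        purl = entry.get("purl") or next(
            (ref["referenceLocator"] for ref in entry.get("externalRefs", [])
             if ref.get("referenceType") == "purl"), None)
        if purl:
            names.add(purl.split("/")[-1].split("@")[0].split("?")[0].lower())
    return names


def wordpress_test(sbom_json: str, app: str = "wordpress") -> dict:
    """Return the distinct package count and whether `app` was detected ("dark matter" if not)."""
    names = package_names(json.loads(sbom_json))
    return {"packages": len(names), "app_detected": app.lower() in names}


# Constructed sample SBOMs (not real scanner output): an SCA-style scan of the
# tarball-installed image sees only OS packages; the build-time SBOM lists the app.
SCA_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "apache2", "versionInfo": "2.4.62"},
    {"name": "php", "versionInfo": "8.2.26"},
    {"name": "libxml2", "versionInfo": "2.9.14"},
]})
BUILD_TIME_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "php-8.2", "purl": "pkg:apk/wolfi/php-8.2@8.2.26?arch=x86_64"},
    {"name": "wordpress", "purl": "pkg:apk/wolfi/wordpress@6.7.1?arch=x86_64"},
]})

if __name__ == "__main__":
    for label, doc in (("SCA scan", SCA_SBOM), ("build-time SBOM", BUILD_TIME_SBOM)):
        print(label, wordpress_test(doc))
```

To run the test against a real image, feed it the JSON that `syft <image> -o spdx-json` or `-o cyclonedx-json` writes; a high package count with `app_detected: False` is exactly the dark-matter case described in the post.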
Chainguard reposted
Chainguard Learning Labs are a great way to get to grips with how to adopt Chainguard Images.
Sick of critical CVEs in your #Python container images? Come to our Learning Lab on Chainguard's Python image tomorrow, we'll be demoing how to get to zero known vulnerabilities just by switching your base image. (Plus learn about further hardening with #distroless.) https://lnkd.in/eY2Y6Svf #devops #docker #flask #django