Table Stakes: Using public standards for software supply chain security

Eric Gregory - October 7, 2021

For organizations operating at scale, the application supply chain provides malefactors with a troubling range of opportunities for attack. The recent revelation of the “OMIGOD” exploit is only the latest in a long line of reminders that security must be tailored for a cloud-native world, and we need to account for vulnerabilities at every stage of deployment.

So how can organizations protect themselves while building complex, scalable, and flexible services, especially in high-stakes sectors where security is mission-critical?

Hardening the registry

At CloudNative Days, Mirantis Director of Cloud Architecture Bryan Langston discussed one crucial avenue of attack: the container registries that may form the foundation of your application architecture. These registries allow for streamlined and standardized development, but if you draw on compromised container images, a major vulnerability may be introduced right at the outset. Indeed, this is exactly what security research teams found earlier this year in Docker Hub containers that had been pulled over a hundred thousand times.

How can you avoid falling into the same trap? One solution is to use trusted, security-validated container registries guided by stringent public standards. For example, Mirantis Secure Registry (formerly Docker Trusted Registry) can help organizations ensure that their software architecture meets the requirements of the U.S. Federal Risk and Authorization Management Program (FedRAMP), among other standards. With a secure registry, even organizations not subject to FedRAMP requirements for federal data can achieve a higher degree of security and confidence without sacrificing time or agility.
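One concrete way to enforce the "draw only on trusted images" rule described above is an admission-style policy check that rejects any workload whose images come from outside an approved set of registries or that are not pinned by content digest (a mutable tag can be repointed upstream; a digest cannot). The following is an added example written for this article, not code from the post or from Mirantis; the registry hostnames, the pod manifest and the digest value are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example: the only registries workloads may pull from.
# Real deployments would load this from configuration rather than hard-code it.
TRUSTED_REGISTRIES = {"registry.example.internal", "msr.example.internal:443"}

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Follows the Docker/OCI reference conventions: the first path component is a
    registry host only if it contains '.' or ':' or is 'localhost'; otherwise the
    image lives on docker.io, and a bare name such as 'nginx' is 'library/nginx'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' after the last '/' separates a tag; a ':' before it is a registry port.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        repository = ref if "/" in ref else f"library/{ref}"
    return ImageRef(registry, repository, tag, digest)


def check_image(ref: str) -> list[str]:
    """Return the policy violations for one image reference (empty list = allowed)."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in TRUSTED_REGISTRIES:
        problems.append(f"untrusted registry {img.registry!r}")
    if img.digest is None:
        problems.append("not pinned by digest (a tag can be repointed upstream)")
    elif not _DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest {img.digest!r}")
    return problems


def check_pod_images(pod: dict) -> dict[str, list[str]]:
    """Check every initContainer and container image in a Kubernetes pod manifest.

    Returns a mapping of container name -> violations, containing only offenders.
    """
    spec = pod.get("spec", {})
    results = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems = check_image(c["image"])
        if problems:
            results[c["name"]] = problems
    return results


# Constructed sample manifest: one compliant init container, one non-compliant container.
SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {"name": "migrate",
             "image": "msr.example.internal:443/team/migrate:1.2@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "web", "image": "nginx:latest"},
        ],
    }
}

if __name__ == "__main__":
    for name, problems in check_pod_images(SAMPLE_POD).items():
        print(f"{name}: " + "; ".join(problems))
```

In a real cluster this logic would sit behind a validating admission webhook or a policy engine so that a manifest referencing an unapproved or unpinned image is refused before it is scheduled, rather than discovered after the fact.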

“This is table stakes,” Bryan said at CloudNative Days. “You’ve got to be doing this at least, and more, if you want to have good control over your secure Kubernetes environment.”

Building a security framework across the software supply chain

Of course, cloud security doesn’t stop at the registry — that’s only a single point of potential attack. Fortunately, organizations can adopt a similar approach to the one we’ve seen for container validation.

Public security guidelines like the U.S. Federal Information Processing Standards (FIPS) 140-2 provide a set of publicly available specifications for application security that can guide enterprises across their pipelines. Some organizations may even find that they should use the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG).

By using software tools tailored to help organizations meet strict requirements while still shipping code swiftly, it is possible to balance careful cybersecurity with the demands of fast-moving, high-stakes sectors, interests that often seem to conflict but in practice go hand in hand.

On October 14th, 2021, Bryan will provide an in-depth breakdown of these strategies in his webinar, “Real Verifiable Security: FIPS 140-2 and DISA STIG.” If you’d like to learn more, sign up now to learn how your organization can harden your cybersecurity — while playing for table stakes.
