Containers are how the modern software industry packages an application together with its runtime environment. This makes applications far more portable than previously possible, but it also means that when any component needs to be modified, the entire container image has to be rebuilt and redeployed.
Container technologies like Docker, and orchestrators like Kubernetes, are a double-edged sword. While they speed up and orchestrate application deployment, the proliferation of containers makes tracking and remediating security issues harder, since your current security measures probably won't scale to the volume of containers in use across your organization.
One of the key solutions that can help you scale is Software Composition Analysis (SCA) tooling that can examine and report on the contents of a container image, highlighting the open source components and which of them are outdated and/or vulnerable. But knowing what's vulnerable is only half the problem. Being able to remediate those vulnerabilities in a timely manner is the harder half.
A 2023 study of 1.4M organizations globally indicated:
- Critical severity Known Exploited Vulnerabilities (KEVs) took nearly 4.5 months (137 median days) to remediate
- High severity vulnerabilities took nearly 8 months (238 median days) to remediate
- Medium severity vulnerabilities took ~1.5 years (517 median days) to remediate
Security/IT teams alone can take more than 38 days just to create a patch and make it available for deployment. Compare this to attackers, who are continually shortening the interval between the disclosure of a vulnerability and their ability to exploit it (i.e., time to exploit), which now averages just 15 days.
Adopting a containerized application strategy can speed up production updates, since it's often faster to spin up a new set of non-vulnerable containers than to patch vulnerable server-based applications in place. But the critical path is still the time it takes to create a patched/updated container image, and 38 days is far too long. While such a delay is understandable given the need to wait for the upstream open source maintainers to address the vulnerability, and then for overworked Security/IT personnel to build a hardened image that includes the fix, it's still unacceptable to most security-conscious organizations.
One strategy that can decrease Mean Time To Remediation (MTTR) is outsourcing the responsibility of securing your containers to a third party.
Outsourcing The Container Supply Chain
Like the software supply chain, containers also have a supply chain that includes a number of third party components:
- An operating system, typically a version of Linux.
- A runtime environment, typically including both an interpreter and multiple open source packages.
On top of these is layered the actual application. Pulling an image from a public registry like Docker Hub, or even from a commercial vendor like Red Hat, is a crapshoot: unless it was built extremely recently, it's likely riddled with vulnerabilities and outdated components. The alternative is building the image yourself.
There are no barriers to building your own images, and pulling all the pieces together into a one-off hardened image with a minimized attack surface is manageable. Continually modifying and rebuilding that image to remediate vulnerable components, which crop up on a frequent basis, is quite another matter.
This is why companies like Chainguard and ActiveState exist – to manage, maintain and secure container components on your behalf, and create new images as needed, ready for you to incorporate into your CI/CD process.
Chainguard Bespoke Containers
Chainguard has a simple value proposition: if you need a specific open source application, framework or library, they'll package it in a hardened container image and update it daily to ensure all components within the image are up-to-date and non-vulnerable. They'll also sign the image so that any tampering can be detected at pull time, and provide you with a Provenance Attestation and Software Bill Of Materials (SBOM) so you know exactly what components are inside the image and where they came from.
DevOps can then simply point at Chainguard to pull in an always-up-to-date version of the containerized open source software they require, and test/verify it via their CI/CD process. Or they can get notified when critical vulnerabilities occur so they can pick and choose when to take an update.
Because Chainguard builds the contents of its container images from source code, they can resolve vulnerabilities at an atomic (i.e., per dependency) level, while ensuring that only the minimal set of dependencies is included. The result is a hardened image that minimizes the number of vulnerabilities present, similar to ActiveState.
ActiveState Hardened Containers
ActiveState and Chainguard solve much the same problem (securing the software supply chain), but take different approaches. Where Chainguard focuses mainly on frameworks and open source applications packaged as containers, ActiveState focuses mainly on open source languages packaged as runtimes that can be deployed in multiple form factors, including containers.
ActiveState also has a large user base that prefers to self-serve, either by starting from our GitHub repo or by selecting from our comprehensive open source catalog. We continually import open source packages from various ecosystems into our platform, vet them, and make multiple versions of languages and packages available for users to select from in order to build their runtime environment.
We also include EOL versions of languages and packages in our catalog, allowing users to trade security for backwards compatibility. To help close that security gap, ActiveState backports patches to address critical vulnerabilities in those EOL versions.
And because ActiveState builds everything via a SLSA Level 4 hardened build service, we are able to supply a Verification Summary Attestation (VSA) to prove that the output artifacts and entire runtime environment were built in a secure manner.
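The signed image, provenance attestation and SBOM described in the Chainguard section, and the Verification Summary Attestation (VSA) described above, are only useful if your pipeline actually checks them before an image is admitted. The following is an added example, not code from either vendor, of the offline policy checks a CI gate would run on those documents: the attestation subject must match the digest you pulled, the builder and verifier identities must be ones you trust, the VSA must have PASSED at the SLSA build level your policy requires, and the SBOM must contain no package/version pair on your denylist. All documents, registry names, URIs, package names and the denylist are constructed placeholders; verifying the DSSE signature on each statement (for example with cosign) is a separate, preceding step not shown here.

```python
"""Offline checks on the attestations a hardened-container vendor ships with an
image: SLSA provenance, a SLSA Verification Summary Attestation (VSA) and an
SPDX SBOM.  Added example with constructed documents; not vendor output, and
every name and URI below is a placeholder.  DSSE signature verification of
each statement (e.g. with cosign) happens before these checks and is not shown."""
import json

# Digest of the image we actually pulled (constructed value).
PULLED_DIGEST = "sha256:" + "ab" * 32
_SUBJECT = [{"name": "registry.example/hardened/app",
             "digest": {"sha256": PULLED_DIGEST.split(":", 1)[1]}}]

# Constructed SPDX 2.3 SBOM; package names are placeholders, not real advisories.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "example-image",
    "packages": [
        {"name": "libexample", "versionInfo": "1.0.4"},
        {"name": "example-tls", "versionInfo": "2.1.0"},
        {"name": "example-zip", "versionInfo": "0.9.8"},
    ],
})

# Constructed in-toto Statement carrying a SLSA v1 provenance predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": _SUBJECT,
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/hardened-build/v1",
            "externalParameters": {"source": "https://git.example/hardened/app@refs/tags/v1.2.3"},
        },
        "runDetails": {"builder": {"id": "https://builder.example/trusted-builder/v1"}},
    },
}

# Constructed VSA in the SLSA verification_summary/v1 shape.
VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": _SUBJECT,
    "predicateType": "https://slsa.dev/verification_summary/v1",
    "predicate": {
        "verifier": {"id": "https://verifier.example/policy-engine"},
        "resourceUri": "registry.example/hardened/app",
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
    },
}


def subject_matches(statement, digest):
    """An attestation only speaks for the artifact named in its subject; a valid
    signature over some other digest proves nothing about the image we hold."""
    want = digest.split(":", 1)[1]
    return any(s.get("digest", {}).get("sha256") == want
               for s in statement.get("subject", []))


def check_provenance(statement, digest, trusted_builders):
    """Return a list of findings; an empty list means the provenance is acceptable."""
    findings = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("predicateType is not SLSA provenance v1")
    if not subject_matches(statement, digest):
        findings.append("provenance subject does not match pulled digest")
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in trusted_builders:
        findings.append(f"untrusted builder id: {builder}")
    return findings


def check_vsa(statement, digest, trusted_verifiers, min_build_level):
    """Accept a VSA only from a trusted verifier, for our digest, that PASSED
    at or above the SLSA build level our policy requires."""
    findings = []
    pred = statement.get("predicate", {})
    if statement.get("predicateType") != "https://slsa.dev/verification_summary/v1":
        findings.append("predicateType is not a SLSA verification summary")
    if not subject_matches(statement, digest):
        findings.append("VSA subject does not match pulled digest")
    if pred.get("verifier", {}).get("id") not in trusted_verifiers:
        findings.append("untrusted verifier id")
    if pred.get("verificationResult") != "PASSED":
        findings.append("verificationResult is not PASSED")
    levels = [int(lvl.rsplit("_", 1)[1]) for lvl in pred.get("verifiedLevels", [])
              if lvl.startswith("SLSA_BUILD_LEVEL_")]
    if max(levels, default=-1) < min_build_level:
        findings.append(f"verified build level below required L{min_build_level}")
    return findings


def denylisted_packages(sbom_json, denylist):
    """Match SBOM packages against {name: {version, ...}} pairs we refuse to ship."""
    sbom = json.loads(sbom_json)
    return sorted(f"{p['name']}@{p['versionInfo']}" for p in sbom["packages"]
                  if p["versionInfo"] in denylist.get(p["name"], ()))


def admit(digest, provenance, vsa, sbom_json, policy):
    """CI gate: collect every finding; an empty list means 'admit the image'."""
    findings = check_provenance(provenance, digest, policy["trusted_builders"])
    findings += check_vsa(vsa, digest, policy["trusted_verifiers"], policy["min_build_level"])
    findings += [f"denylisted package {p}"
                 for p in denylisted_packages(sbom_json, policy["denylist"])]
    return findings


POLICY = {  # constructed policy for the example
    "trusted_builders": {"https://builder.example/trusted-builder/v1"},
    "trusted_verifiers": {"https://verifier.example/policy-engine"},
    "min_build_level": 3,
    "denylist": {"libexample": {"1.0.4"}},
}

if __name__ == "__main__":
    for line in admit(PULLED_DIGEST, PROVENANCE, VSA, SBOM_JSON, POLICY) or ["admitted"]:
        print(line)
```

With the constructed inputs the provenance and VSA checks pass and the gate refuses the image solely because of the denylisted package, which is the useful failure mode: a vendor can attest that an image was built correctly from the declared source, but only your own policy decides which component versions are acceptable to run, and the SBOM is what lets you apply that policy without rebuilding or scanning the image yourself.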
ActiveState vs Chainguard
| | ActiveState | Chainguard |
| --- | --- | --- |
| Languages supported | Any; currently Python, C, Rust, Perl, Ruby, Tcl, Go | Any; currently .NET, Go, C, Java, JavaScript, PHP, Python, R, Ruby, Rust |
| Applications/frameworks supported | Any; currently a limited selection | Any; currently >600 |
| Self-serve | Yes | No |
| Reproducible builds | Yes | Yes |
| Minimal builds (no extra dependencies included) | Yes | Yes |
| Vulnerability notifications | Yes | Yes |
| Backporting of patches | Yes | No |
| Packaging formats | Docker, EXE, tarball, PKG | Docker |
| SBOMs | SPDX | SPDX |
| Provenance Attestation | Yes | Yes |
| Verification Summary Attestation | Yes | No |
| Free/community offering | Yes | Yes |
| Enterprise SLA | Yes | Yes |
Conclusions: Build In Software Supply Chain Security Through Outsourcing
Because the main focus of their business is software supply chain security, ActiveState and Chainguard can gain economies of scale when it comes to managing software supply chains that individual organizations simply can’t. Most organizations see managing, maintaining and securing third party components as a drag on the productivity of their most expensive resources: coders. After all, no coder wants to manage somebody else’s code when they could be writing their own.
By outsourcing their software supply chain, organizations can gain a number of advantages, including:
- Increased developer productivity and efficiency, by regaining the ~30% of their time that developers currently spend maintaining the software supply chain.
- Reduced risk, by eliminating the barriers to keeping dependencies up to date and thereby shrinking the window of exposure to known vulnerabilities.
- Lower costs, with a single vendor to deal with rather than individually managing the hundreds of third-party open source components in your software supply chain.
Whether you want a full service solution where everything is taken care of for you and all you need to do is plug the resulting container into your existing software development process, or whether you prefer to self-serve from a catalog of vetted components maintained by a trusted vendor, outsourcing your software supply chain is the best way to free up your internal resources to focus on your product rather than the commoditized components that go into it.
Next Steps
Read more about the Benefits of Outsourcing Your Software Supply Chain.