Chainguard Allies With Docker, Inc. to Secure Container Images

Chainguard today revealed that the hardened container images it provides to better ensure software supply chain security are now available on Docker Hub via the Docker Verified Publisher (DVP) program.

Kaylin Trychon, vice president of marketing for Chainguard, said this alliance will make the hardened container images more accessible to the millions of developers who rely on Docker Hub to download images that are incorporated into cloud-native applications.

The number of free hardened container images provided by Chainguard has been steadily increasing over the past year. Any time a new vulnerability is discovered that affects those images, Chainguard is committed to providing a patch to update them, Trychon said.

For several years, Docker, Inc. has been encouraging developers to use container images provided via its DVP program to improve application security. Containers themselves are replaced frequently, but an outdated image carries the known vulnerabilities that were present when it was built, and cybercriminals can exploit those quickly. The DVP program is designed to ensure that developers, as much as possible, are only using the latest, most secure version of a container image available.

It’s not clear why many developers continue to download insecure versions of container images from various repositories, but in the wake of the Biden executive order requiring federal agencies to secure their software supply chains, more progress is starting to be made, said Trychon. As development teams embrace best practices for building secure cloud-native applications, the number of developers downloading hardened container images has steadily increased, she noted.

Of course, there are probably many container images running in production environments that should be replaced. The challenge is that not every application development team knows with certainty which container images are running in those environments. Over time, however, the overall state of cloud-native application security should steadily improve as most of those container images are ripped and replaced.
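The two practical points in the passages above, that an outdated image carries known vulnerabilities and that teams often cannot say which images are actually running, both come down to an inventory check. The script below is an added example, not code from Chainguard, Docker or the article: it normalises image references the way Docker resolves them (implicit docker.io registry, implicit library/ namespace for official images, implicit :latest tag) and flags references that are not pinned to an immutable digest, that come from a publisher outside a trusted list, or whose pinned digest is no longer the current release. The trusted-prefix list, the current-digest table and the sample inventory are constructed for the example; in practice the digests would come from the registry or the publisher's release feed.

```python
"""Audit container image references the way a team would inventory what is
actually deployed: normalise each reference, then flag the ones that cannot
be tied to a current, known-good build.

Added example with constructed data; not Chainguard's, Docker's or the
article author's code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Hypothetical policy (assumption for this example): repository prefixes of
# publishers the team accepts images from.
TRUSTED_PREFIXES = ("docker.io/library/", "cgr.dev/chainguard/")

# Constructed stand-in for a "current release" feed: the digest of the latest
# patched build of each repository. Real values would come from the registry.
CURRENT_DIGESTS = {
    "cgr.dev/chainguard/python": "sha256:" + "1" * 64,
    "docker.io/library/nginx": "sha256:" + "2" * 64,
}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # e.g. "library/python"
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.registry}/{self.repository}"


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference using Docker's rules: a digest follows '@'; a tag is
    the text after the last ':' that comes after the last '/'; the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    single-segment names on Docker Hub live under 'library/'."""
    name, _, digest = ref.partition("@")
    digest = digest or None
    if digest is not None and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):          # ':' in a registry port is before '/'
        name, tag = name[:colon], name[colon + 1:]
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo_parts = first, parts[1:]
    else:
        registry, repo_parts = "docker.io", parts
    if registry == "docker.io" and len(repo_parts) == 1:
        repo_parts = ["library", *repo_parts]
    return ImageRef(registry, "/".join(repo_parts), tag, digest)


def audit_ref(ref: ImageRef) -> List[str]:
    """Return findings for one reference; an empty list means acceptable."""
    findings = []
    if not ref.name.startswith(TRUSTED_PREFIXES):
        findings.append(f"{ref.name}: publisher not on the trusted list")
    if ref.digest is None:
        label = ref.tag or "latest (implicit)"
        findings.append(f"{ref.name}: tag '{label}' is mutable; not pinned by digest")
    else:
        current = CURRENT_DIGESTS.get(ref.name)
        if current is not None and ref.digest != current:
            findings.append(f"{ref.name}: pinned digest is not the current release")
    return findings


def audit_inventory(refs: List[str]) -> Dict[str, List[str]]:
    """Audit every reference, e.g. the Image column of `docker ps --no-trunc`
    or the image: fields collected from a set of Kubernetes manifests."""
    return {r: audit_ref(parse_image_ref(r)) for r in refs}


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    "nginx",
    "python:3.12",
    "cgr.dev/chainguard/python:latest@sha256:" + "1" * 64,
    "cgr.dev/chainguard/python@sha256:" + "0" * 64,
    "localhost:5000/internal/app:v2",
]

if __name__ == "__main__":
    for ref, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(ref, "->", findings or ["ok"])
```

A digest-pinned reference is immutable, which is why the audit only checks staleness for pinned images; a tag such as :latest or :3.12 can be repointed at any time, so a tag alone tells you nothing about which build is actually running.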

In the meantime, the need to employ DevSecOps best practices to ensure secure applications are being built and deployed is becoming more pronounced. More cybercriminals than ever are adopting tactics and techniques specifically aimed at compromising software supply chains in the hopes of embedding malware that will find its way into any number of downstream applications. Once activated, that malware typically gives the attacker a foothold in an application, which is then used to deliver additional malware as the attacker escalates privileges.

As a result, application development teams are being held more accountable for the security of the software they build as compliance mandates and regulations become increasingly stringent. In fact, it's now only a matter of time before most application development teams, in addition to providing a software bill of materials (SBOM) listing the components of an application, will need to document the practices used to build it. As such, many enterprise IT organizations are now proactively adopting the same policies as federal agencies to lock down their software supply chains.

Of course, when it comes to securing software supply chains, there is no substitute for training. However, until developers further embrace DevSecOps best practices of their own accord, the number of safeguards organizations will put in place to force the issue is only going to increase.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.