Chainguard Guards Weakest Links In Virtual Machines
Chainguard VMs is a new product line from the company that aims to provide essential system-level tools and services for software application development teams. Named in homage to the virtual machine estates it covers, Chainguard VMs offers minimal, zero-CVE (common vulnerabilities and exposures) virtual machine images built entirely from source.
A minimal container image has a smaller, more compact runtime footprint, which increases workload density. Such images are typically found in deployment environments where users have minimal (the clue is in the name) interaction with them: login is usually not required, or even possible, because they often lack a shell or package manager.
As a company, Chainguard is known for its software supply chain security products that encompass competencies spanning container image security, vulnerability remediation services, compliance controls and risk mitigation. This new virtual machine product line offers zero-CVE container host images for cloud-native ephemeral workloads.
What is a Guarded Image?
The team behind this launch says that Chainguard VMs represent a “stark contrast” to the legacy general-purpose VMs that dominate the market today. Chainguard VMs are guarded container host images.
When we talk about guarded cloud images, we are generally referring to images with few or no vulnerabilities, which come with full provenance and open attestations, are lightweight (free of unnecessary components whose only contribution is additional exposed vulnerabilities) and can also be immutable, so that they cannot be changed after deployment. These container host images offer a cloud-agnostic and threat-resistant environment for deploying and running containers without the “engineering toil” typically associated with container host maintenance.
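The provenance and attestation property described above is only useful if something on the deployment path actually checks it. The following is an added example, not Chainguard's code or tooling: an admission-style policy check over a provenance attestation in the in-toto Statement format with a SLSA provenance predicate. The sample statement, the image digest, the registry name and the builder identity are all constructed for illustration; it assumes the attestation's signing envelope has already been verified separately and only examines the statement's contents.

```python
"""Policy check over an image's provenance attestation.

Added illustration, not part of the article or of Chainguard's product.
Assumptions: the attestation is an in-toto Statement (v1) whose predicate
is SLSA provenance, and signature verification of the enclosing envelope
(e.g. DSSE) has already been done by the caller. Every identifier below
(registry, digest, builder URI, source URI) is constructed sample data.
"""
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_PREFIX = "https://slsa.dev/provenance/"

# Constructed sample attestation for a hypothetical container-host image.
SAMPLE_IMAGE_DIGEST = "a" * 64
SAMPLE_ATTESTATION = json.dumps({
    "_type": IN_TOTO_STATEMENT_TYPE,
    "subject": [{
        "name": "registry.example/host-image",          # hypothetical name
        "digest": {"sha256": SAMPLE_IMAGE_DIGEST},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-from-source",  # hypothetical
            "resolvedDependencies": [{
                "uri": "git+https://example.invalid/src",              # hypothetical
                "digest": {"gitCommit": "b" * 40},
            }],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
})


def check_provenance(statement_json, expected_digest, trusted_builders):
    """Return (ok, reasons) for admitting an image with `expected_digest`.

    Rejects statements that are not in-toto v1, carry a non-provenance
    predicate, do not name the digest being deployed, come from a builder
    outside `trusted_builders`, or record no source commit (so the
    built-from-source claim cannot be traced).
    """
    reasons = []
    try:
        st = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return False, [f"malformed JSON: {exc}"]

    if st.get("_type") != IN_TOTO_STATEMENT_TYPE:
        reasons.append("not an in-toto v1 statement")
    if not str(st.get("predicateType", "")).startswith(SLSA_PROVENANCE_PREFIX):
        reasons.append("predicate is not SLSA provenance")

    # The statement must cover exactly the artifact we are about to run;
    # a valid attestation for some other digest proves nothing about this one.
    subjects = st.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == expected_digest for s in subjects):
        reasons.append("statement does not cover the expected image digest")

    predicate = st.get("predicate") or {}
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        reasons.append(f"untrusted builder: {builder!r}")

    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies") or []
    if not any("gitCommit" in d.get("digest", {}) for d in deps):
        reasons.append("no source commit recorded; cannot trace build to source")

    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = check_provenance(
        SAMPLE_ATTESTATION, SAMPLE_IMAGE_DIGEST, {"https://example.invalid/builder"}
    )
    print("admit" if ok else "reject", why)
```

The design point is the subject check: an attestation is bound to a specific content digest, so the policy compares the digest that is actually about to be deployed against the statement's subjects rather than trusting a tag or name. Builder allow-listing and the source-commit requirement are what turn "has provenance" into "has provenance we are willing to act on".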
To successfully run containerized cloud-native applications, enterprises require a container host, i.e., a purpose-specific virtual machine that provides the necessary runtime environment for container execution. Historically, enterprises have relied on general-purpose servers from incumbent Linux distribution providers for their container hosts.
Hosts With the Most (CVEs)
According to Dan Lorenc, CEO and co-founder of Chainguard, legacy servers often contain large volumes of common vulnerabilities and exposures and excess components not required for a container host, leading to engineering work and headaches related to managing CVEs.
He suggests that these incumbent Linux distributions also bundle all the components a general-purpose server might need into infrequent, major software releases. This approach does not align with modern requirements for container hosts, which are ephemeral workloads that involve constant teardowns and updates. Instead of introducing software that is secure-by-design, legacy container hosts rely on slow, reactive patching and costly, resource-intensive migrations to new major software versions.
The Chainguard CEO claims that “no other company” is delivering a minimal, continuously updated and threat-resistant software supply chain with end-to-end integrity in this way.
Zero-CVE Security
Chainguard's container host images are purpose-built for each major cloud service provider, with variants for managed container services such as EKS and for self-managed container deployments on Amazon EC2, GCE or Azure. This gives enterprises a consistent, minimal, secure and continuously updated foundation for running containerized applications in any cloud environment.
“Companies are increasingly looking for ways to reduce the operational burden of managing container hosts while improving their security posture,” said KellyAnn Fitzpatrick, senior industry analyst at RedMonk. “By delivering a minimal, purpose-built foundation that aligns with how modern cloud-native workloads run, Chainguard VMs aims to address a critical gap in modern software deployment and offer organizations a way to enhance security, reduce patching toil and streamline compliance in multi-cloud environments.”
Chainguard Libraries
Allied to this news are announcements related to Chainguard Libraries, a technology that provides a secure, trusted source for Java dependencies, built entirely from source in Chainguard’s hardened environment.
“By eliminating the supply chain security risks associated with traditional public registries, we’re helping enterprises lock down a critical attack vector in their environments. At the same time, we’re making developers’ lives easier by removing the friction of manual or policy-based package curation, and giving them one trusted source for dependencies that integrates seamlessly into their existing workflows. With Chainguard Libraries, organizations can build faster and safer, without any compromises,” said CEO Lorenc.
Chainguard seems to love the term “developer toil”. The company is clearly keen to present itself as a turnkey solution for reducing threat surface areas and patching burdens on engineering teams. Securing the modern software development lifecycle requires locking down every layer of the stack, including the operating system, runtime environment, language libraries and application code, which is much of why the company is working to give developers a better way to consume open source language dependencies with trusted security.