Securing the Software Supply Chain for Containers: AWS and SUSE Best Practices

In an era where software development and deployment are increasingly reliant on containerized applications, securing the software supply chain has never been more critical. This blog offers an in-depth exploration of best practices and advanced strategies to safeguard containerized environments. Let’s begin by exploring what the software supply chain for containers is, and where the potential points of attack are.

Understanding the Software Supply Chain for Containers: A Key to Security

The software supply chain is a large, growing, complex and interconnected system of technology, people and process touch points presenting multiple attack points. Bad actors can use these touch points to infiltrate the software supply chain. To better understand what the supply chain consists of, let’s have a look at an illustration (see figure 1). 

Figure 1: Software supply chain illustration: developer committing code to source control and container image flow through CI/CD pipeline.

The developer begins with a pull request or commit to their source control environment, which kicks off the Continuous Integration (CI) process ensuring other code or applications are not broken due to the change. The resulting container image is then stored in a container image repository and handed off to the Continuous Development (CD) pipeline to be deployed to the target environment (development, test and/or production). Other third party tools are used as part of the development process as well; such as an integrated development environment (IDE), AI coding assistants, testing frameworks, etc.

How is the Software Supply Chain for Containers Vulnerable?

Now that we understand the components of the software supply chain, let’s dig deeper and see where the opportunities for vulnerability exploitation exist.

Figure 2: Diagram showing security vulnerabilities in container development: people, processes, and codebases.

People, Processes and Codebases

Looking at figure 2, we can identify many access points that leave us vulnerable for attacks. People and processes can contribute to security risks. The developer has access to proprietary and open source code that may contain vulnerabilities, both known and unknown. These can be pulled into application code either intentionally or unintentionally. Processes can also be exploited. Phishing attempts can inject malicious code or access credentials to further exploit vulnerabilities.

Proprietary and open source code can also be a source of attacks. An example could be bad actors that introduce similarly named packages containing malicious code, hijacking of updates or the code signing process. This malicious code can make its way into code bases and be incorporated into applications across the enterprise. Consider the log4j vulnerability, known as log4jshell from 2021. Even though it is a well-known CVE and has been for several years, it still exists in many projects, code bases and SaaS applications today.

Application and Infrastructure Misconfigurations

Incorrectly configured application deployments and environment misconfiguration of storage or networking which can leave critical resources exposed to cyber attacks. Applications can expose insecure ports or use poor credential hygiene and be vulnerable to things such as brute force ssh attacks, while networking and storage can be deployed with overly permissive network access controls.

Secure the Software Supply Chain with the Right Tools

So far, we have explained the components that make up the software supply chain and identified points that are vulnerable to attack. Those points include people, processes, proprietary and open source code bases, third party tools and misconfiguration of applications and infrastructure. Now let’s see how to secure the software supply chain using solutions from AWS and SUSE.

Security – A Layered Approach

Security is best served in layers:

• Registry/image scans
• CI/CD scanning
• Admission Control Rules
• Network segmentation
• Network threat detection
• Platform and runtime system scanning
• Compliance scanning
• Processes and file security 
• Data leak prevention 
• Web application firewall (WAF).
• Observability and monitoring

By implementing a layered approach, you will greatly reduce an attacker’s chances of penetrating your environment. Even if something doesn’t get caught in one place, it will get blocked in the other.

OK, that seems like a heavy lift. Where do I get started? Let’s walk through Figure 3 below to see how we can protect ourselves from development to production.

Figure 3: Visual guide on securing the software supply chain from development to production.

Use Trusted Library Sources

As a developer, we need to be sure we are using open source libraries from a trusted source. The Rancher Prime Application Collection is a curated, trusted and up-to-date collection of developer and infrastructure applications built, packaged, tested and distributed by SUSE and included with Rancher Prime. By pulling from a validated and supported repository like Application Collection, that is one vulnerability we can avoid.

Observability and Monitoring

Observability and security have begun to merge in our industry today. Observability gives us insights and enables reliability and security via actionable data metrics becoming an important part of a layered security approach. Downtime and performance bottlenecks are not only expensive, but can lead to compliance issues by not honoring Service Level Agreements (or SLAs). Observability allows us to reduce downtime by accelerating MTTR (mean time to resolve). SUSE Observability, included with SUSE Rancher Prime, is a powerful full stack observability solution that helps you to monitor your clusters and applications while enabling alerting integration with Slack, PagerDuty, OpsGenie and more. It also provides detailed dashboards for metrics, traces, logs, events and changes including historical analysis and root cause identification to speed troubleshooting efforts.

Make Use of a Policy Engine

A Kubernetes Policy Engine can assure application, network, storage and other infrastructure configurations are within your pre-defined policy constraints.  Kubewarden, included with SUSE Rancher Prime, is a CNCF project started by SUSE. It is a policy engine for Kubernetes enabling policy-as-code via WebAssembly (Wasm). Kubewarden’s AdmissionPolicies can be used to restrict users from creating ClusterAdmissionPolicies that evaluate resources in a specific namespace. This can be useful if a cluster is shared by multiple users or teams, or if a policy needs to be applied only to resources within a namespace. AdmissionPolicies are combined with Role-Based Access Control (RBAC) to enforce these restrictions.

Admission Control Rules are the last gates before the image gets deployed into the cluster. Kubewarden provides a set of predefined policies and has a very user-friendly UI included with SUSE Rancher Prime that lets you create policies easily. In addition, Kubewarden has a few SDKs (software development kits) that will allow you to write your own custom policies in a variety of languages like  CEL, Rust, Go, Rego, Swift, and typescript. Kubewarden can be integrated into your CI/CD pipelines like AWS CodeBuild and AWS CodeDeploy via webhooks to validate against your policies before introducing applications or images into your environment.

Implement Full Lifecycle Zero Trust Container Security

SUSE Security, based on NeuVector, is a powerful layer of protection against known and unknown vulnerabilities. Considering unpatched CVEs or zero-day vulnerabilities: even though your environment might be exposed to them, no one will be able to take advantage of those vulnerabilities because the processes and network calls wouldn’t be allowed by SUSE Security. SUSE Security is a full life cycle container security platform enabling CVE scanning and ensuring compliance to regulations and meeting or exceeding common compliance standards. This extends your Kubewarden policy engine and can protect you before deployment and at the runtime environment level. By deploying SUSE Security to your runtime environments you will have full network visibility or layer 7.

SUSE Security’s powerful patented deep package inspection for kubernetes allows SUSE Security to learn your applications traffic patterns and automatically create policies. This capability also allows SUSE Security to identify, alert and block unusual ingress and egress traffic. This helps us with container segmentation by ensuring only authorized container to container traffic is allowed. Also, SUSE Security enables behavioral based Zero-trust by identifying the processes running on the pods and nodes and only allows those processes that were previously learned while in “Discovery” mode to run in your production environment. SUSE Security also integrates nicely with service mesh solutions, like Istio.

The SUSE Security and Kubewarden UIs are included with the Rancher Prime Manager UI giving you a single pane of glass. Also, the SUSE Private Image Repository is a secure and SUSE supported enterprise grade implementation of the Harbor open source image repository and also included as part of Rancher Prime.

Summary and Call to Action

Software development and deployment are increasingly reliant on containerized applications and securing the software supply chain has never been more critical. This blog  has explained what the software supply chain is, where it is vulnerable and how we can secure it using AWS and SUSE technologies.

For more details on how best to secure your software supply chain, check out our AWS and SUSE alliance page. 

To accompany this blog, check out our AWS Lightboard Video series here for video one and here for video two. 

If you’re attending re:Invent 2024, come see us at booth #1858 and our speaking session where I’ll dive deeper in this topic.