banner
News center
Instant delivery

There’s Finally a Way to Improve Cloud Container Registry Security

Jan 09, 2024

Lily Hay Newman

As software supply-chain attacks have emerged as an everyday threat, where bad actors poison a step in the development or distribution process, the tech industry has had a wake-up call about the need to secure each link in the chain. But actually implementing improvements is challenging, particularly for the sprawling open-source cloud development ecosystem. Now, the security firm Chainguard says it has a more secure solution for one ubiquitous but long overlooked component.

"Container registries" are sort of like app stores or clearinghouses where developers upload "images" of cloud containers that each hold a different software program. The cloud services you use every day are constantly and silently navigating container registries to access applications, but these registries are often poorly secured with just a password that can be lost, stolen, or guessed. This often means that people who shouldn't have access to a given container image can download it, or, worse, they can upload images to the registry that could be malicious. Chainguard's new container image registry aims to plug this esoteric but pervasive hole.

"Pretty much every bad possible thing has happened with container registries that you can imagine," says Dan Lorenc, Chainguard's CEO and a longtime software supply-chain security researcher. "People losing passwords, people pushing malware on purpose, people forgetting to update stuff. The industry has just kind of been using this for a long time—everyone was having fun, shipping code—and nobody was thinking about long-term consequences."

The Chainguard researchers say they have long considered developing a more thoughtfully designed registry, particularly one that gets rid of passwords and instead uses a single-sign-on approach to control registry access. That way, a registry can be designed to be as accessible or as locked down as needed, and only people who are logged in to other accounts, like corporate identity services or Google accounts, and then specifically authorized can interact with the registry.

"Container registries have been a weak link," says Jason Hall, a Chainguard software engineer. "They're pretty boring, pretty standard. This is software that's relying on software to deliver software. We need to do better and get rid of passwords to talk to the registry and be able to push to the registry."

The big limitation on deploying a system like this, though, has been cost. Running a container registry typically gets very expensive because of "egress fees." In other words, cloud providers don't charge enterprise customers to upload data into the cloud, but they do charge them every time someone downloads the data. So if container registries are like an app store where everyone is coming to download container images, the egress fees can get really big, really fast. This disincentivized work on overhauling the security of container registries, because no one wanted to take on the cost associated with offering a more secure alternative.

Jeremy White

Kate Knibbs

WIRED Staff

Stephanie McNeal

The breakthrough for Chainguard came when the internet infrastructure company Cloudflare announced the general availability of its R2 Storage service in September. The goal of the product is to offer reduced egress fees to Cloudflare customers and even no fees for data that gets downloaded infrequently. Once R2 emerged as an option, the Chainguard researchers had everything they needed to move ahead with a more secure registry.

Aly Cabral, Cloudflare's vice president of product management for workers, says that as a content delivery network, the company is able to offer a service like R2 because it has already invested so extensively in optimizing its systems to manage and move data around the world efficiently. And she points out that egress fees are problematic in a number of areas, not just cloud software development. For example, AI companies increasingly need ways to move their training data sets to different regions and platforms to find GPU processing power.

When it comes to creating more secure cloud registries, though, Cabral says that Chainguard's initiative is exactly the type of project Cloudflare hoped to support with R2.

"Chainguard's work to rethink key software delivery infrastructure—like container registries—and ensure that it is built with secure-by-design principles that the ecosystem needs, is the type of proactive attention that will assist in preventing malicious attacks," she says. "Too often, security is an afterthought, which can be detrimental as threat actors grow increasingly sophisticated and savvy in their ability to exploit substandard security measures."

Chainguard will use its secure registry to distribute images and will also make the registry design available so others can adopt it. For regular web users, the change will be invisible, but it could prevent fallout from software supply-chain attacks that can—and do—have tangible impacts on people's lives.