Today, every business is a software business. That means more and more businesses rely on modern applications composed of thousands of packages and delivered with cloud services. These applications are packaged in containers, change constantly, and are delivered by CI/CD systems running hundreds of parallel builds within an enterprise.
However, attackers have evolved right along with the agile architecture of these modern applications, and they are prepared to strike at any vulnerable point in the resulting software supply chain. In just the last few years, we have seen a 742% year-over-year increase in software supply chain attacks, with 61% of businesses impacted either directly or indirectly, at a cost of $46 billion to the global economy.
One way to prevent software supply chain attacks is to verify image integrity before an image is admitted into a Kubernetes cluster. This keeps malicious or unauthorized code from ever running in the environment. If a bad actor deploys an image that lacks a valid signature from a trusted identity, or whose attestations show it was not built by the approved CI/CD system, it is blocked at admission. This is exactly the solution that Nirmata provides to stop unauthorized code.
Nirmata is powered by an open source project called Kyverno, a policy engine designed for Kubernetes. Nirmata created the project and donated it to the CNCF in November 2020. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources, and can verify image signatures and attached artifacts to help secure the software supply chain. Kyverno has over 2.3 billion downloads and is part of the CNCF community. It is used in numerous enterprise and other production deployments and has been proven at scale and under hardening requirements. In fact, about six months ago, the US Department of Defense selected Kyverno as a default policy engine for Kubernetes.

The joint solution from Nirmata and Venafi is designed to prevent software supply chain attacks and protect your Kubernetes environments.
Within the joint solution, Venafi CodeSign Protect provides the foundation for blocking malicious code: it signs the images deployed in these environments, and it signs the artifacts you attach to those images for additional checks. These artifacts can be software bills of materials (SBOMs), vulnerability scan reports, or other critical metadata such as provenance information describing the build system that produced the image. Because an enterprise may have hundreds of parallel builds running, each build needs its own machine identity. To do that, you simply run a client in your CI/CD pipelines that retrieves the machine identity and certificate, signs the image and its metadata, and pushes the signatures back to the registry alongside the image.
Nirmata provides policy enforcement that you can distribute across your clusters so that malicious code is stopped before it reaches production. The solution verifies signed container images at Kubernetes admission and again in in-cluster background scans, both driven by policies. Each policy is a Kubernetes resource delivered through native APIs, so DevOps teams manage it with the tooling they already use.
Once the policies are deployed in the cluster and set to enforce, any attempt to run an image that is not signed by a trusted identity is immediately rejected, while a signed and verified image is allowed through. Nirmata also records each of these admission decisions from your clusters, so you get full observability on top of the automated enforcement.
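As an added example, not part of the original post and not Nirmata's or Venafi's own code, here is the kind of Kyverno ClusterPolicy that implements the admission check described in the preceding paragraphs: it requires a cosign-format signature from a trusted key, requires a signed SBOM attestation and a signed vulnerability-scan attestation that is no more than a week old, and rewrites the image tag to the verified digest. The registry path, the policy and rule names, the PEM placeholder (to be replaced with the public key of whatever signing identity your pipeline uses), and the one-week freshness window are assumptions for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images   # assumed name
spec:
  validationFailureAction: Enforce   # block, do not merely audit and report
  failurePolicy: Fail                # fail closed if verification cannot complete
  webhookTimeoutSeconds: 30          # registry round-trips need more than the default
  rules:
    - name: require-signature-and-attestations
      match:
        any:
          - resources:
              kinds:
                - Pod               # Deployments, Jobs, etc. are covered via auto-gen
      verifyImages:
        - imageReferences:
            - "registry.example.com/apps/*"   # assumed registry path; images outside it are not checked
          required: true            # an unsigned match is a hard failure
          mutateDigest: true        # pin the verified tag to its immutable digest
          verifyDigest: true        # reject images that are already pinned to an unverified digest
          attestors:
            - count: 1
              entries:
                - keys:
                    # Assumption: the public half of the CI signing identity.
                    # Replace the placeholder with the real PEM-encoded key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <public key of the pipeline signing identity>
                      -----END PUBLIC KEY-----
          attestations:
            # A signed SBOM must be attached to the image by the same identity.
            - type: https://cyclonedx.org/bom
              attestors:
                - count: 1
                  entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <public key of the pipeline signing identity>
                          -----END PUBLIC KEY-----
            # A signed vulnerability scan must be attached, and it must be recent.
            - type: https://cosign.sigstore.dev/attestation/vuln/v1
              attestors:
                - count: 1
                  entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <public key of the pipeline signing identity>
                          -----END PUBLIC KEY-----
              conditions:
                - all:
                    # Assumed freshness window: reject scans older than 7 days.
                    - key: "{{ time_since('','{{ metadata.scanFinishedOn }}','') }}"
                      operator: LessThanOrEquals
                      value: "168h"
```

Apply it with `kubectl apply -f` and a Pod that references an unsigned image under the matched path is rejected at admission with a verification error, while an image carrying a valid signature and both attestations is admitted with its tag rewritten to the digest that was actually verified. Two points worth checking before relying on it: `imageReferences` is an allow-list of what gets verified, so any registry or path you deploy from but omit here is silently exempt; and `failurePolicy: Fail` means an unreachable registry or a slow Kyverno webhook blocks deployments, which is the intended fail-closed behaviour but should be tested during rollout (switching `validationFailureAction` to `Audit` lets you see what would be blocked without blocking it).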
Venafi and Nirmata are actively collaborating to deliver a complete end-to-end solution that stops unauthorized code and protects your Kubernetes clusters. Stay tuned for more developments on our joint collaboration.
Want to preview our solution for stopping unauthorized code in Kubernetes?