Connect with us

Hi, what are you looking for?


Supply Chain Security

Software Supply Chain: The Golden Container Ship

By having a golden image you will put a process in place that allows you to quickly take action when a vulnerability is found within your organization.

Software Golden Image

Today we find ourselves using cloud native technologies to increase flexibility, scaling and cost savings in many respects. The modern cloud stack using IaaS, abstracts the hardware maintenance component away and you are left with everything above such as the operating system and software.

Golden images have been a simple concept used in practice for a long time. It reminds me a bit of the AOL marketing campaign that everyone saw and knew. The concept was that each year a new CD appeared in the mail with a version number, and people installed the software from the CD onto their PC. (Amazing to imagine how far we have come) The idea was that we know there is a known good version that has been approved and tested, pre-bundled, so no downloads were needed from external sources, especially over slow dial-up internet connections.

AWS EC2 Image Builder

There is a lot of debate around the best way to create golden images and how to maintain them, as well as the software involved such as AWS image builder, Terraform or Packer. One idea is to keep them as simple as possible such that they have broad compatibility and can be configured by downstream systems. The other side is to configure them as much as possible beforehand to speed up builds and remove downloaded dependencies. Here is a typical workflow you might have in your image building and deployment process.

OpenShift diagram

For simplicity, I’m going to focus on the first build step as defined in the image above. The 1st build is foundational and sets the stage for all of your other applications. Pick a reputable and official image that will be supported for a long time. You want to ensure your runtime is installed correctly and the image is hardened to your needs. In addition, you will download, sign and version your image to reduce reliance on third party hosted servers and minimize source hijacking threads. Also, consider including these three areas to help empower your images from the start and to minimize configuration drift.

Logging agent configuration – Logs are extremely important to monitor processes, crashes and anything else that you want turned on by default.

Telemetry agent – Organizations need visibility into the health of clusters, so it’s imperative that you are collecting reliable telemetry and sending the data somewhere for processing. This is paramount for both security and troubleshooting down the road.

Security agent – Depending on how your environment is set up, you may want to consider a security agent at this level to ensure every endpoint is monitored. Consideration here is key.

Images can run rampant within an organization, often having various flavors based on the needs of each team. When it comes to security, change management is a key part of NIST 800-53 as well as other system frameworks. In order to be successful with your golden builds, you will need to ensure you have coverage of the following:

  • Approved baseline configurations accepted by the organization
  • Default rule to use built-in software as a first option
  • Expectation of regular of security and feature upgrades
  • Process to upgrade pipelines to the latest build
  • Retire old images and promote new images on a standard timeline

Part of securing the supply chain means that companies need to know how to fix issues when they discover them. Having a SBOM or other inventory list is a great place to start, but being able to take action when a vulnerability is found is the second part. By having a golden image, or set of known golden images, you will put a process in place that allows you to quickly fix and deploy within your organization.

Related: The SBOM Bombshell

Advertisement. Scroll to continue reading.

Related: SBOMs – Software Supply Chain Security’s Future or Fantasy?

Written By

Matt is the current Head of Security and Compliance at Forward Networks. He is a security leader and has a background in the areas of threat intelligence, networking, system forensics and discovery, enterprise security auditing, malware analysis and physical security. He is an industry speaker, author, and frequent security podcast guest. Matt also holds a US granted patent, multiple US Government awards and was selected as a one of Silicon Valley Business Journal 40 under 40.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.