Authored by Alfredo García, R&D Manager at VMware
Bitnami’s Sealed Secrets has been a popular GitOps secret-management solution ever since its launch back in 2017. With 5.4K stars and more than a million downloads per month, the project has a lot of traction and is widely adopted across the open-source community.
The Bitnami by VMware team encourages and fosters collaboration with university institutions. Examples of such collaborations can be found in the more than 20 training sessions delivered by our experts during this year's VMware Multi-cloud Academy.
While we regularly collaborate with institutions, opportunities to collaborate directly with computer science students are few and far between. For this reason, when Aix-Marseille University approached us with an offer to collaborate with some of their Reliability and IT Security Master’s Degree students, we quickly jumped on the idea. The proposal turned into a two-month collaboration during which several important features were implemented in the Sealed Secrets project.
Collaboration Scope
The collaboration started early in 2022 with some meetings with the faculty responsible for the Master’s Degree in Reliability and IT Security at Aix-Marseille University, in order to define the scope and approach of our cooperation. We agreed that five students would incorporate their work on the Sealed Secrets project into the final dissertation for the Master’s degree they were undertaking.
Those students had neither a previous background in contributing to open-source projects nor any proven experience developing in Go. To help them get up to speed, the Bitnami by VMware Sealed Secrets team provided a minimal onboarding plan. This plan included setting up a GitHub account, a brief introduction to the project’s contributing guidelines, and a list of recommended readings to help them better understand the design and purpose of Sealed Secrets.
The collaboration lasted from March to April 2022, and during that time, the students took ownership of several tasks in our project backlog focusing mainly on solving security and software supply chain issues. All these tasks were closely related to the content of their Master’s degree curriculum, so they dealt with them efficiently.
These activities were grouped into three major blocks:
- Secure software supply chain
- Static code analysis and vulnerability scanning
- Sealed Secrets cryptographic review
Secure Software Supply Chain
Needless to say, the software supply chain is a big concern for any organization. Given the importance of the Sealed Secrets project within the Kubernetes security ecosystem, it is essential to control our dependencies and to provide solid provenance for our deliverables.
Because of that, we asked the students to add cosign verification of the distroless and base images that Sealed Secrets builds on. They also added cosign signatures for the controller images, the kubeseal CLI, and the project’s official Helm chart. These improvements make it easier for users to verify the provenance of Sealed Secrets artifacts before deploying them to their clusters. Note that a signature only attests who produced an artifact, so a verifier must check it against the specific key or identity it expects rather than accept any valid signature.
Static Code Analysis and Vulnerability Scanning
Static code analysis is a great way to detect inefficiencies or security concerns in a codebase. Additionally, vulnerability scanning is a critical step in any continuous integration (CI) pipeline. In our case, we decided to include two complementary tools in the project’s CI process: gosec and trivy. For the trivy integration in particular, Sealed Secrets leverages the verification capabilities of VMware Image Builder so that vulnerabilities are detected as part of the project’s release process.
This task involved not only integrating the tools but also analyzing the resulting reports and deciding which findings were false positives and which should be adopted as recommended code practices for the project. The students contributed ten Pull Requests (PRs) and several important improvements to the security posture of Sealed Secrets.
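As an added example (not code from the Sealed Secrets project), the following Go snippet shows the kind of triage decision this work involves: one common gosec finding that is a false positive in a Kubernetes codebase and is suppressed with an auditable justification, and two that are real and fixed in the recommended way. The gosec rule IDs G101, G404 and G304 are real; the identifier names, helper functions and the specific scenarios are assumptions chosen for illustration.

```go
// Added example, not Sealed Secrets code: triaging three typical gosec findings.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Finding 1 (G101, "hard coded credentials"): gosec flags identifiers whose
// name looks like a credential (secret, token, password, ...) when they hold
// a string literal. In a Kubernetes codebase the word "secret" usually names
// an object kind, not a credential, so this is a false positive. It is
// suppressed on the line itself with a justification a reviewer can audit.
// (Assumed constant name for illustration.)
const sealedSecretsControllerName = "sealed-secrets-controller" // #nosec G101 -- Kubernetes object name, not a credential

// Finding 2 (G404, "insecure random number source"): math/rand is predictable
// and must not be used for keys, nonces or tokens. The fix is to read from
// crypto/rand and to check its error instead of ignoring it. Returns the
// random bytes hex-encoded, so the result is 2*nBytes characters long.
func newRandomToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("reading from crypto/rand: %w", err)
	}
	return hex.EncodeToString(buf), nil
}

// Finding 3 (G304, "file inclusion via variable"): opening a path built from
// untrusted input. The fix is to join the input onto a fixed base directory,
// clean the result, and reject anything that does not stay strictly below
// the base (for example "../etc/passwd" or an empty name).
func safeJoin(baseDir, untrusted string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, untrusted) // Join cleans the result as well
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return full, nil
}

func main() {
	tok, err := newRandomToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("controller name:", sealedSecretsControllerName)
	fmt.Println("random token:   ", tok)
	for _, name := range []string{"config/app.yaml", "../etc/passwd", ""} {
		p, err := safeJoin("/data", name)
		fmt.Printf("safeJoin(%q) -> %q, err=%v\n", name, p, err)
	}
}
```

The `#nosec` suppression is the important part of the false-positive case: it lives next to the code it covers and carries the reason, so the next gosec run stays clean without hiding the rule globally, and a reviewer can disagree with the justification in a PR.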
Sealed Secrets Cryptographic Review
The Sealed Secrets project had a few documents about cryptography, with little internal cohesion between them. It was difficult for new developers to understand the security stance of the project from these guides, so we decided to review and consolidate our cryptography-related documentation.
A hot topic in cybersecurity is how to protect encrypted information against attacks carried out with the help of quantum computers. Such attacks are not yet feasible with today’s quantum hardware, but many security providers are already designing algorithms that will be quantum resistant. The concern is especially relevant for a GitOps tool, since encrypted secrets committed to a repository stay there for years and could be recorded now and decrypted once such hardware exists. To anticipate future developments, the students included in the cryptographic documentation some recommendations and good practices regarding post-quantum cryptography.
Conclusion
The collaboration between the Aix-Marseille University Master’s students and the Sealed Secrets team has resulted in 18 Pull Requests being merged into the project. These PRs include several important features that have improved the security posture of Sealed Secrets. Furthermore, the students demonstrated great skill and determination by identifying key improvements and implementing them in the project. We recommend checking out their GitHub profiles and following them to discover this and other contributions to the open-source community.
- Adrien MOLLET - @volker-carstein
- Luc BOBO - @luhko
- M'hamed BELHACHEMI M'HAMED - @Belhach
- Nicolas THOMAS - @JeNeComprendPas
- Nicolas BOURRAS - @vivescere
We’d like to acknowledge their efforts and contributions and wish them the best in their next ventures!