Total visibility of your software engineering lifecycle.
It's finally here: we have just released the source code for our open-source project Chalk™.
You can find the source code on GitHub at https://github.com/crashappsec/chalk
You can find binary releases on our releases page at https://crashoverride.com/releases
You can find documentation on our docs site at https://crashoverride.com/docs. All docs are also available from the command line.
When we started the company last year, we first interviewed over a hundred CSOs and AppSec leaders to understand what their biggest unsolved problems were. It always led back to people not being able to know what to work on now, next or never.
When we unpacked all the conversations, we learned that there was a visibility gap for everyone. Software engineers don't have visibility into the infrastructure, and infrastructure engineers don't have visibility into the development process. We kept hearing that it was slow and frustrating, and often impossible, to get the information they need to do their jobs.
We also learned that security engineers don't have visibility into the infrastructure or into the development process. They are flying blind, unable to help the team decide what to work on and effectively manage risk.
Chalk is our free, open-source solution to those problems.
You add a single line to your build script and Chalk will automatically collect metadata and inject it into every build artifact: source code, binaries and containers. You can even alias docker to Chalk, for zero changes, zero interruption and zero work for your developers.
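To make the idea of "injecting metadata into an artifact" concrete, here is an added example (not Chalk's code, and not Chalk's real mark format) that appends a small JSON record to a build artifact and recovers it later. The sentinel strings, field names and the sample script and repository values are all assumptions made for illustration. The record carries a hash of the unmarked bytes, so a reader can tell whether the artifact was altered after it was marked:

```python
"""Toy illustration of marking a build artifact with metadata and
extracting that metadata again. Added example; NOT Chalk's mark format.
Sentinels, field names and sample values are assumptions for illustration."""
import hashlib
import json

# Assumed sentinels (not Chalk's). They begin with '#' so that, for a shell
# or Python script, the appended mark is a comment and the script still runs.
MARK_BEGIN = b"\n#--EXAMPLE-MARK-BEGIN--\n"
MARK_END = b"\n#--EXAMPLE-MARK-END--\n"

# Constructed sample artifact and metadata, not taken from a real build.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho 'hello from build'\n"
SAMPLE_METADATA = {
    "repo": "https://github.com/example/app",
    "branch": "main",
    "commit": "0123456789abcdef0123456789abcdef01234567",
    "builder": "ci-runner-example",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def insert_mark(artifact: bytes, metadata: dict) -> bytes:
    """Return the artifact with a mark appended. The mark records the SHA-256
    of the unmarked bytes so extraction can verify the payload was untouched."""
    if MARK_BEGIN in artifact:
        raise ValueError("artifact already carries a mark")
    record = dict(metadata)
    record["artifact_sha256"] = sha256_hex(artifact)
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return artifact + MARK_BEGIN + body + MARK_END


def extract_mark(marked: bytes):
    """Return (original_artifact, metadata), or (marked, None) if unmarked.
    Raise ValueError if a mark is present but malformed or the hash mismatches."""
    start = marked.rfind(MARK_BEGIN)
    if start == -1:
        return marked, None
    end = marked.find(MARK_END, start)
    if end == -1 or end + len(MARK_END) != len(marked):
        raise ValueError("truncated or malformed mark")
    original = marked[:start]
    metadata = json.loads(marked[start + len(MARK_BEGIN):end])
    if metadata.get("artifact_sha256") != sha256_hex(original):
        raise ValueError("artifact bytes do not match the hash recorded in the mark")
    return original, metadata


def demo_roundtrip() -> dict:
    """Mark the sample artifact, extract the mark, and return the metadata."""
    marked = insert_mark(SAMPLE_ARTIFACT, SAMPLE_METADATA)
    original, meta = extract_mark(marked)
    assert original == SAMPLE_ARTIFACT
    return meta


def demo_tamper_detected() -> bool:
    """Modify the marked artifact's payload (same length, so the mark itself
    is intact) and confirm extraction refuses it."""
    marked = insert_mark(SAMPLE_ARTIFACT, SAMPLE_METADATA)
    tampered = marked.replace(b"hello", b"pwned")
    try:
        extract_mark(tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip(), indent=2))
    print("tamper detected:", demo_tamper_detected())
```

The append-as-comment trick only works for text artifacts; for ELF binaries and container images a real tool has to place the mark somewhere format-aware (a dedicated section or an image label) so the artifact stays valid, and the hash in the mark only tells you the bytes are unchanged, not who made them, which is what the signing described below adds.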
You can use Chalk as a compliance easy button, generating SBOMs, adding code provenance information and digitally signing it, before sending it as a report to a location of your choice. As a big bonus, with no extra effort, you can be SLSA level 2 compliant before people start officially requiring SLSA level 1 compliance. You can read about this in How-to create software security supply chain compliance reports automatically.
You can also use Chalk to create a real-time application inventory, collecting data about the code, repos and branches being deployed and who the code owners are. No more scratching around in the sand when an incident occurs or a noisy scanning tool claims there is a vulnerability in a repo. You can read about this in How-to create a real-time application inventory.
We can even auto-deploy collection tools such as SBOM generators, and Syft is built in as the default so you don't have to do anything. We have a How-to on the documentation site for generating SBOMs across your code repos using the CycloneDX specification and sending them to a central reports destination, so you effectively have an SBOM registry. You can read about this in How-to create and maintain an SBOM registry.
Observability is a core tenet of DevOps. Understanding which services run in a container during the lifetime of its execution, and therefore creating a service map, is a key part of observability for containers. You can do this with shell commands like netstat, but doing it across your container fleet and storing the results in a central location can require a lot of setup. Of course, there is an easy button with Chalk, and you can read about this in How-to create network services visibility reports from containers.
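As an added example of the netstat approach (this is not Chalk's collector and makes no claim about Chalk's report format), the parser below turns the output of `netstat -tulpn` taken inside a container into a service-map record: which program listens on which port, and whether it is bound to every interface, to loopback only, or to one specific address. The sample netstat output and the container name are constructed for illustration; the distinction between all-interfaces and loopback bindings is the part a security team usually wants first, because only the former is reachable from outside the container if the port is published:

```python
"""Parse `netstat -tulpn` output from a container into a service-map record.
Added example, not Chalk's code. The sample output below is constructed to
match the column layout netstat prints on Linux."""
import json
import re

# Constructed sample. Note the UDP row has no State column and the
# PID/Program column is '-' when the caller lacks permission to read it.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12/node
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      48/postgres
tcp6       0      0 :::443                  :::*                    LISTEN      12/node
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}


def _split_endpoint(endpoint: str):
    """'0.0.0.0:8080' -> ('0.0.0.0', 8080); ':::443' -> ('::', 443)."""
    addr, _, port = endpoint.rpartition(":")
    return addr or "*", int(port)


def _split_pid_program(field: str):
    """'12/node' -> (12, 'node'); '-' -> (None, None)."""
    m = re.fullmatch(r"(\d+)/(.+)", field)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def _exposure(addr: str) -> str:
    if addr in ALL_INTERFACES:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback"
    return "specific-address"


def parse_netstat(text: str) -> list[dict]:
    """One record per listening socket. TCP rows not in LISTEN state are
    skipped; UDP rows carry no state and are treated as listening."""
    services = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue  # banner or header line
        proto = parts[0]
        addr, port = _split_endpoint(parts[3])
        if proto.startswith("tcp"):
            if len(parts) < 6 or parts[5] != "LISTEN":
                continue
            pid_prog = parts[6] if len(parts) > 6 else "-"
        else:
            pid_prog = parts[5] if len(parts) > 5 else "-"
        pid, program = _split_pid_program(pid_prog)
        services.append({
            "proto": proto.rstrip("6"),
            "addr": addr,
            "port": port,
            "pid": pid,
            "program": program,
            "exposure": _exposure(addr),
        })
    return services


def build_service_map(container: str, netstat_text: str) -> dict:
    """Service-map record for one container, ready to ship to a central store."""
    return {"container": container, "services": parse_netstat(netstat_text)}


def externally_reachable(record: dict) -> list[str]:
    """'program:port' for every service bound to all interfaces; '?' when
    netstat could not report the owning program."""
    return [f"{s['program'] or '?'}:{s['port']}" for s in record["services"]
            if s["exposure"] == "all-interfaces"]


if __name__ == "__main__":
    # "web-1" is a constructed container name.
    record = build_service_map("web-1", SAMPLE_NETSTAT)
    print(json.dumps(record, indent=2))
    print("reachable from the network if published:", externally_reachable(record))
```

Run this inside the container (or feed it `docker exec <id> netstat -tulpn` output) and ship the returned record to wherever you keep the rest of your inventory; the "?" entries are worth chasing, since a listener whose owning process you cannot name is exactly the kind of thing that turns up as a surprise during an incident.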
There are many more how-to guides either in drafts or in our heads.
Chalk has been in the hands of a few design partners for a few months, and is deployed in production in some very large companies indeed. You have been awesome and we owe you both gratitude and lots of beer. And don't just take my word for how cool it is.
"Chalk is an amazing open source security tool that helps to improve software security for everyone." - Omkhar Arasaratnam, Executive Director of the OpenSSF and former VP of Infrastructure Security at Google.
"A genuine shortcut to being able to know what's actually going on across the software engineering lifecycle." - Jason Chan, Former Head of Security at Netflix.
"I just wish we had this years ago: it is going to provide invaluable insights into what's going on in Cloud distributed systems." - Marco Massenzio, Principal Engineer at Cruise Automation, formerly Apple and Google.
"Chalk is a 'must have' tool for gaining visibility into the security of your software and infrastructure stack." - Gerhard Eschelbeck, CISO at Kodiak Robotics and former CISO at Google.
"Chalk is going to have a huge impact on how security teams are able to prioritize what they work on." - Amit Yoran, CEO of Tenable and former National Cyber Security Director at the Department of Homeland Security.
Chalk is an easy button to solve the visibility gap, and our cloud platform makes it even easier. It is designed for enterprise deployments, and provides additional functionality including prebuilt configurations to solve common tasks, prebuilt integrations to enrich your data, a built-in query editor, an API and more.
There will be both free and paid plans. We don't anticipate general availability until early 2024, but you can join the waiting list for early access. There are already a number of design partners using it at scale.
Along with the release of Chalk comes a spiffy new website, and you know it's spiffy if you have seen our previous ones.
And we now have total clarity (excuse the pun) about what we are solving.
Crash Override is total visibility of your software engineering lifecycle. Designed for platform and security teams.