Posts under Container Security
Containers, along with orchestrators such as Kubernetes, have ushered in a new era of application development methodology, enabling microservices architectures as well as continuous development and delivery. Docker is by far the most dominant container runtime engine, with a 91% penetration according to our latest State of the Container and Kubernetes Security Report. Containerization has many benefits and as a result has seen wide adoption. According to Gartner, by 2020, more than 50% of global organizations will be running containerized applications in production.
Following security best practices for AWS EKS clusters is just as critical as for any Kubernetes cluster. In a talk I gave at the Bay Area AWS Community Day, I shared lessons learned and best practices for engineers running workloads on EKS clusters. This overview recaps my talk and includes links to instructions and further reading.

About EKS

Amazon Elastic Kubernetes Service (EKS) is AWS’ managed Kubernetes service. AWS hosts and manages the Kubernetes masters, and the user is responsible for creating the worker nodes, which run on EC2 instances.
Operationalizing container security by integrating with existing DevOps tooling and workflows has long been a design principle in how we’ve built our StackRox Kubernetes Security Platform. Today we’re excited to announce yet another powerful integration to make our customers’ operational lives better – the StackRox App for Sumo Logic. With this integration, joint customers now get rich StackRox insights about Kubernetes and container security incidents directly in the Sumo Logic Continuous Intelligence Platform.
It’s a bit like Groundhog Day, where we just keep winning award after award. This time, StackRox takes the prize for Best DevOps/Container Security Solution in the inaugural Tech Ascension Awards. The judges celebrated the StackRox Kubernetes Security Platform as “the first deeply integrated, full life cycle solution for cloud-native applications that is both container-native and Kubernetes-native.” The team went on to cite that StackRox addresses all the critical security and compliance use cases for containers in a single platform, so customers can avoid buying multiple separate tools.
StackRox has done it again. We’ve been recognized once more for our leadership role in the industry – this time as a finalist in the Black Unicorn Awards for 2019 at Black Hat, happening now in Las Vegas. This award recognizes those cyber security innovators that the judges deem to have the potential to reach a $1 billion market. Cyber Defense Magazine chose just 30 finalists from among all entries. Cyber security industry veterans Gary Miliefsky of Cyber Defense Magazine, Robert Herjavec of Herjavec Group, and David DeWalt of NightDragon served as the judges for this year’s Black Unicorn awards.
The awards just keep rolling in … We are thrilled to announce that StackRox has been chosen as a Gold Winner at the 14th Annual Network Products Guide’s 2019 IT World Awards in the Security Services category. StackRox was recognized for our container-native and Kubernetes-native security solution that helps our customers protect containers and Kubernetes environments throughout the container life cycle. Containers and Kubernetes have drastically accelerated and streamlined cloud-native application development and deployment, with organizations across industries containerizing their most critical production workloads at an ever-increasing pace.
We recently repeated our survey of IT and security practitioners to understand the state of security in your container and Kubernetes environments. In our inaugural survey last year, the key findings included:

- Lack of an adequate security strategy topped the list of container strategy concerns
- Runtime was the lifecycle phase that was of most concern from a security perspective
- Kubernetes was used by just over half (57%) of respondents for container orchestration

This time around we expanded the audience from 230 to more than 390 IT and security practitioners.
Right on the heels of winning two CODiE awards, StackRox was just named a Computer Reseller News 2019 Emerging Vendor. StackRox and our Kubernetes-native container security platform were chosen for our ability to help organizations harden and secure Kubernetes environments at scale. DevOps practices and the cloud-native stack provide the channel with rich opportunities to help companies enable business transformation. The underlying technologies of containers and Kubernetes, however, wreak havoc with traditional security tooling and processes.
Kubernetes is by far the most widely used container orchestrator in the market, and Kubernetes adoption – especially in production environments – is taking off. According to Gartner, “by 2022, more than 75% of global organizations will be running containerized applications in production.” The explosion in Kubernetes adoption hasn’t been without its share of security concerns. Earlier this year, the runC vulnerability, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered.
This is the first of a three-part blog series reviewing Gartner Security & Risk Management Summit 2019. Don’t forget to read article two titled Gartner on Securing Cloud-Native Apps, and article three titled Gartner: How-To Guide on Securing Containers. After considering nearly two dozen security projects, Gartner analysts included container security on their list of top projects to undertake in 2019 at the Security and Risk Management conference last week.
Today news broke that Palo Alto Networks (NYSE: PANW) is buying container security startup Twistlock for approximately $410 million. The acquisition provides great validation of the container security market and broader cloud-native security market. Twistlock is Palo Alto’s third security acquisition since Nikesh Arora took over as CEO and reflects the growing importance of the broader cloud security market. Enterprises today are looking for ways to enforce security and compliance policies as they embrace the business benefits of cloud-native application architectures across multi-cloud and hybrid cloud environments.
What happened?

In an email to customers, Kent Lamb, Director of Docker Support, wrote “During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.” As a result of this breach, it’s possible that images in your Docker Hub repository may have been tampered with or overwritten.
We’re excited to announce today that we’ve added support for the latest version of the Google Cloud Security Command Center (Cloud SCC). StackRox has collaborated with the Cloud SCC team as part of our Google Cloud partnership since Cloud SCC’s alpha release, and we’re excited that the platform is now generally available. The StackRox Kubernetes Security Platform enables customers to meet their security and compliance requirements across the container lifecycle, and we’ve integrated deeply with Kubernetes to deliver the key capabilities essential to an effective container security solution.
The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities. Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features.
Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are.

CVE-2019-1002101: kubectl cp could replace or delete files on a user machine

This vulnerability is in the kubectl binary – specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out the Kubernetes reference guide on admission controllers to learn more.