New Report - State of Container and Kubernetes Security Winter 2020 Download Now
{ .link_text }}

Posts under Container Security

StackRox and Google Cloud Deliver Container Security as Cloud SCC goes GA

StackRox and Google Cloud Deliver Container Security as Cloud SCC goes GA

We’re excited to announce today that we’ve added support for the latest version of the Google Cloud Security Command Center (Cloud SCC). StackRox has collaborated with the Cloud SCC team as part of our Google Cloud partnership since Cloud SCC’s alpha release, and we’re excited that the platform is now generally available. The StackRox Kubernetes Security Platform enables customers to meet their security and compliance requirements across the container lifecycle, and we’ve integrated deeply with Kubernetes to deliver the key capabilities essential to an effective container security solution.

Kubernetes Network Policies - A Detailed Security Guide

Kubernetes Network Policies - A Detailed Security Guide

The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities. Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features.

New Kubernetes Security Vulnerabilities Disclosed: CVE-2019-1002101 and CVE-2019-9946

New Kubernetes Security Vulnerabilities Disclosed: CVE-2019-1002101 and CVE-2019-9946

Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are. CVE-2019-1002101: kubectl cp could replace or delete files on a user machine This vulnerability is in the kubectl binary – specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.

11 Kubernetes admission controller best practices for security

11 Kubernetes admission controller best practices for security

Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out Kubernetes reference guide on admission controllers to learn more.

The runC Vulnerability - A Deep Dive on Protecting Yourself

The runC Vulnerability - A Deep Dive on Protecting Yourself

A vulnerability in runC, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered and reported by Adam Iwaniuk and Borys Poplawski in early January and published as CVE-2019-5736 on 11 February 2019. This vulnerability is highly significant in that it: enables container isolation breakout with minimal interaction from an authorized host user; typically allows an attacker to obtain root privileges on the host; negatively impacts most container environments because many containers run with default Docker security settings and default user (UID 0); and affects runC, the most commonly used low-level container runtime in Docker and Kubernetes environments.

StackRox is All In on Kubernetes – and It Makes Your Container Security Better

StackRox is All In on Kubernetes – and It Makes Your Container Security Better

In a news release today, we detailed new capabilities in the latest version of the StackRox Kubernetes Security Platform that enable better visibility, more nuanced risk profiling, and more streamlined network policy enforcement. In every case, these new features derive directly from our deep integrations with Kubernetes. About a year ago, we faced a difficult decision – continue our support of a broad array of orchestrator platforms or narrow our focus to supporting just Kubernetes.

StackRox – Putting the Customer at the Center of Kubernetes Security

StackRox – Putting the Customer at the Center of Kubernetes Security

When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and its advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.

Must-Have Capabilities When Evaluating Container Security Solutions

Must-Have Capabilities When Evaluating Container Security Solutions

More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.

Top 5 Container and Kubernetes Security Posts of 2018

Top 5 Container and Kubernetes Security Posts of 2018

The year 2018 was a watershed for containers, container security, and Kubernetes. Tesla got hacked, the most critical Kubernetes vulnerability to date was discovered, IBM bought RedHat for $34 billion (in large part for OpenShift), VMware bought Heptio for more than $500 million, and investors poured money into container technology startups at an ever-increasing pace. The Following five blog articles capture and distill the big picture trends in container adoption and Kubernetes security in 2018.

Survey Says … Security Tops the List of Container Strategy Concerns

Survey Says … Security Tops the List of Container Strategy Concerns

This week StackRox launched the industry’s first ever State of Container Security report. To compile the findings, we surveyed more than 230 IT leaders across operations and security roles. Some responses came as no surprise – the dominance of Docker and Kubernetes, for example, or the breadth of industries using containers to accelerate application roll out. But many results did surprise us – including the extent to which security leads the list of concerns about companies’ container strategies.

Why We Chose StackRox - Guest Post and Video from Mux

Why We Chose StackRox - Guest Post and Video from Mux

Today we posted the news that we’ve adopted StackRox to secure our environment. I wanted to share a bit about our thought process and results in hopes of helping others like us. Security is difficult to manage at every level of technology development, from building a simple web app to running enormous platforms like the tech giants manage — recent tech headlines just prove this point. Like other early-stage SaaS startups, we here at Mux face the combined challenges of having limited resources, a relatively large technology footprint, and the obvious focus on building strong product features.

New and Improved! Our Updated Container Security Platform

New and Improved! Our Updated Container Security Platform

The StackRox Kubernetes Security Platform Today we announced that we will release an updated version of the StackRox Kubernetes Security Platform later this month. As we continue to lead the industry in container security innovation, we are excited to detail our new capabilities. Over the past nine months or so since we started shipping our software, we have seen a few consistent patterns among our enterprise customers. These organizations remain focused on reducing the attack surface across their container environments, and addressing orchestrator-based threats are a key part of that initiative.

Gartner on Delivering DevOps Risk-Prioritized Vulnerability Guidance

Gartner on Delivering DevOps Risk-Prioritized Vulnerability Guidance

We recently highlighted Gartner’s advice to “shift right” with security, to avoid burdening developers from a security standpoint. Gartner analyst Dale Gardner continued that theme with this opening slide to his talk advising teams to “Fix What Matters” in the area of vulnerabilities. Dale noted that we excel at finding vulnerabilities, leading to the garbage heap analogy. “We end up with this graveyard of multiple vulnerability reports,” Dale observed. Bringing this world view into container security doesn’t make this problem any easier – indeed, now you have more “things” to secure.

StackRox at BSidesSF 2018

StackRox at BSidesSF 2018

We’re gearing up (pun intended) for an exciting time next week in San Francisco, and we’re thrilled to kick it off on Sunday at BSidesSF at City View in the Metreon. We’re proud to sponsor and support this event – an amazing grassroots effort that unites the information security community to share knowledge. With this year’s steampunk theme, the conference promises to deliver inspirational talks, stimulating discussions, and of course, evenings filled with entertaining discourse and delectable libations.

Detecting Docker Exploits and Vulnerabilities - Your How-to Guide

Detecting Docker Exploits and Vulnerabilities - Your How-to Guide

There has never been a better time to be a DevOps engineer. Compared to traditional web stacks, containerization has dramatically streamlined the task of deploying web services such as databases, key/value stores, and servers. Furthermore, container orchestration tools, like Google’s Kubernetes and Docker Swarm, enable organizations to automate the deployment and management of these containerized applications. But the tools that make life easier and more efficient for engineers can also be a gift to an attacker.

Introducing StackRox Prevent: Reimagining Container Deployment Security to Minimize Your Attack Surface

Introducing StackRox Prevent: Reimagining Container Deployment Security to Minimize Your Attack Surface

Security leaders today are charged with the increasingly complex task of defending the technology that powers modern enterprises, at a time when the software stack has never been more diverse or unmanageable. Implementing a coherent security program can seem daunting in light of the patchwork of duties that may fall under a security organization’s purview: static code analysis, identity and access management, compliance, data privacy and integrity, vulnerability management, monitoring, incident response, threat hunting, forensics…and the list continues.