Most organizations have a DevSecOps initiative, and responsibility for container security continues to evolve and remains decentralized. These are two of the findings from our latest report on the state of container and Kubernetes security (Download your copy today). We’re kicking off the fourth edition of our State of Kubernetes and Container Security Report (Fall 2020 edition) by examining how companies are adopting containers, Kubernetes, and cloud-native technologies while meeting the challenges of securing their vital Kubernetes applications.
To secure your Kubernetes environments effectively, it helps to understand the architecture of Kubernetes itself, as well as where and how to focus effort on the most valuable mitigations, especially those that require administrator or user configuration when provisioning clusters. Kubernetes is a robust yet complex container orchestration system with multiple components that must each be adequately protected. Every Kubernetes cluster consists of two sets of components: (1) the control plane, which manages operations throughout the cluster, and (2) the worker nodes, which run containerized applications in pods.
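One concrete way to apply that split in practice, added here as an example that is not part of the original post or the StackRox product: read the node list a cluster reports, separate control-plane nodes from workers by their role labels, and flag control-plane nodes that have lost the NoSchedule taint, since that is the configuration choice that decides whether application pods can be co-scheduled next to kube-apiserver and etcd. The node JSON below is constructed to look like `kubectl get nodes -o json` output; the label and taint keys are the kubeadm conventions, and clusters built by other tooling may use different ones.

```python
"""Separate control-plane nodes from worker nodes in `kubectl get nodes -o json`
output and flag control-plane nodes that ordinary workloads could be scheduled on.
Added example; the sample node list below is constructed, not taken from a real cluster."""
from __future__ import annotations
import json
import sys

# kubeadm-style role label/taint keys; the "master" form is what older releases apply.
CONTROL_PLANE_KEYS = (
    "node-role.kubernetes.io/control-plane",
    "node-role.kubernetes.io/master",
)


def node_role(node: dict) -> str:
    """Classify a node from its labels."""
    labels = node.get("metadata", {}).get("labels") or {}
    return "control-plane" if any(k in labels for k in CONTROL_PLANE_KEYS) else "worker"


def keeps_workloads_off(node: dict) -> bool:
    """True if the node carries the NoSchedule taint that keeps application pods away."""
    taints = node.get("spec", {}).get("taints") or []
    return any(t.get("key") in CONTROL_PLANE_KEYS and t.get("effect") == "NoSchedule"
               for t in taints)


def audit_nodes(node_list: dict) -> dict:
    """Return node names per role plus findings for schedulable control-plane nodes."""
    report = {"control-plane": [], "worker": [], "findings": []}
    for node in node_list.get("items") or []:
        name = node["metadata"]["name"]
        role = node_role(node)
        report[role].append(name)
        if role == "control-plane" and not keeps_workloads_off(node):
            report["findings"].append(
                f"{name}: control-plane node is schedulable; application pods can land "
                "next to kube-apiserver and etcd")
    return report


# Constructed sample shaped like `kubectl get nodes -o json`.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "cp-0", "labels": {"node-role.kubernetes.io/control-plane": ""}},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane",
                          "effect": "NoSchedule"}]}},
    {"metadata": {"name": "cp-1", "labels": {"node-role.kubernetes.io/control-plane": ""}},
     "spec": {}},  # taint removed, e.g. to squeeze workloads onto a small cluster
    {"metadata": {"name": "worker-0", "labels": {"kubernetes.io/os": "linux"}},
     "spec": {}},
]}

if __name__ == "__main__":
    # Usage: kubectl get nodes -o json | python3 audit_nodes.py -
    source = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_NODES
    print(json.dumps(audit_nodes(source), indent=2))
```

Run without arguments it audits the constructed sample and reports cp-1; piped from kubectl it audits the live cluster. The same pattern extends to the other provisioning-time choices mentioned above, such as checking which admission plugins or authorization modes the API server was started with.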
We were already having a great day yesterday – responding to all the congratulations messages on our funding, our huge 240% increase in revenue, and our customer momentum – when news hit that we were named amongst that select group of SINET 16 Innovator Award winners. Wow. The tally of security vendors hovers around 2500, and we’re called out as one of the 16 most innovative across that entire landscape. This recognition is just one more indicator of the power of our unique approach to securing cloud-native infrastructure.
Today we’re excited to announce our $26.5M round of funding led by Menlo Ventures, with participation from Highland Capital Partners and Hewlett-Packard Enterprise along with existing investors Redpoint Ventures and Sequoia Capital. The influx of capital will enable us to meet rapidly growing demand driven by two of the biggest trends in IT and Security — Kubernetes and DevSecOps — and deliver on our vision to enable organizations to securely build, deploy, and run cloud-native applications anywhere.
The final part of our nine-part blog series – where we examine each of the nine MITRE ATT&CK tactics and techniques for Kubernetes – analyzes a set of techniques that fall under the category known as Impact. These techniques are aimed at disrupting or destroying resources and activity within the target environment, or in other words, the ultimate goal of an attacker. These include techniques to achieve data destruction, resource hijacking or denial of service.
Securing pods, and the containers that run as part of them, is a critical aspect of protecting your Kubernetes environments. Among other reasons, pods and containers are the individual units of compute that are ultimately subject to adversarial techniques that may be used as part of any attack on your Kubernetes clusters. Since pods are also the smallest resource you can deploy and manage in Kubernetes, applying security at this level ensures greater fine-grained controls that are scoped to individual application components.
The eighth installment in our nine-part blog series – where we examine each of the nine MITRE ATT&CK tactics and techniques for Kubernetes – examines lateral movement. Following a breach, an attacker might try to move throughout the environment to gain access to other resources, including other containers, nodes, or cloud resources. This blog post covers the set of techniques an attacker can employ to achieve lateral movement and offers guidance to mitigate them.
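The three posts above (Impact, pod security, and lateral movement) all come back to pod-level configuration, so here is one added example, not code from the original series or from StackRox, that audits a pod spec for the settings those techniques rely on: missing CPU/memory limits and writable root filesystems (resource hijacking, denial of service, tampering), host namespaces, hostPath volumes and auto-mounted service-account tokens (lateral movement), and privileged or root containers. The input shape is that of `kubectl get pod NAME -o json`; the sample pod is constructed, and the tactic names attached to each finding are the author's mapping, not an official one.

```python
"""Audit a pod spec for settings that hand an attacker the Impact techniques
(resource hijacking, denial of service, tampering with the container's files)
or Lateral Movement (host namespaces, mounted service-account tokens, node
filesystem). Added example; input shape is `kubectl get pod NAME -o json`."""
from __future__ import annotations
import json
import sys


def _missing_limits(container: dict) -> list[str]:
    limits = (container.get("resources") or {}).get("limits") or {}
    return [r for r in ("cpu", "memory") if r not in limits]


def audit_pod(pod: dict) -> list[dict]:
    """One finding per risky setting: {'where', 'issue', 'tactic'}."""
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings: list[dict] = []

    def add(where: str, issue: str, tactic: str) -> None:
        findings.append({"where": where, "issue": issue, "tactic": tactic})

    # Pod-level settings that reach outside the pod's own sandbox.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            add(name, f"{flag}: true shares the node's namespace", "Lateral Movement")
    if spec.get("automountServiceAccountToken", True):  # Kubernetes defaults this to true
        add(name, "service-account token auto-mounted; an attacker in the container "
                  "can call the API server with it", "Lateral Movement")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            add(f"{name}/volume:{vol.get('name')}",
                f"hostPath {vol['hostPath'].get('path')} exposes the node filesystem",
                "Lateral Movement")

    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers") or []:
        where = f"{name}/{c.get('name')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            add(where, "privileged container (full device and capability access)",
                "Lateral Movement")
        if sc.get("allowPrivilegeEscalation", True):  # also defaults to true
            add(where, "allowPrivilegeEscalation not set to false", "Privilege Escalation")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            add(where, "runAsNonRoot not enforced", "Privilege Escalation")
        if not sc.get("readOnlyRootFilesystem"):
            add(where, "writable root filesystem; an attacker can drop tools or wipe files",
                "Impact")
        missing = _missing_limits(c)
        if missing:
            add(where, f"no {'/'.join(missing)} limit; a hijacked container can starve the node",
                "Impact")
    return findings


# Constructed sample: one hardened container and one careless sidecar.
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "automountServiceAccountToken": False,
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {"name": "web",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar", "securityContext": {"privileged": True}},
        ],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get pod NAME -o json | python3 audit_pod.py -
    pod = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_POD
    for f in audit_pod(pod):
        print(f"[{f['tactic']}] {f['where']}: {f['issue']}")
```

On the sample, the hardened `web` container produces no findings while the `sidecar` and the pod-level hostPID and docker.sock settings produce seven. The checks are deliberately the ones that a Pod Security admission policy or an admission controller can enforce at deploy time, which is where the pod-level controls described above are cheapest to apply.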
I’ve had the good fortune to get to know Pathik Patel, head of cloud security at Informatica, over the past 18 months since he became a StackRox customer, and today we’re sharing the news of our joint success story. Across our numerous conversations, he has repeatedly impressed me with his forward thinking on how to innovate security processes, approaches, and tooling to keep Informatica at the forefront of securely enabling sophisticated data management, detailed in this case study.
Many applications rely on gRPC to connect services, but a number of modern load balancers still do not support HTTP/2, and, in turn, gRPC. In an earlier blog post, we showed a way to take advantage of the gRPC-Web protocol to circumvent this issue. That solution works well for non-client-streaming gRPC calls — with this new approach, we can support client/bidirectional-streams. In our earlier writing, we briefly mentioned that WebSockets may actually help us resolve our client/bidi-streaming problem.
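Whatever transport carries the stream, the piece that has to survive the trip is the gRPC-Web framing, so here is an added example, not the gRPC-Web library's or StackRox's code, of that framing with a decoder that tolerates frames being split or merged across WebSocket messages, which is exactly what happens once a load balancer or proxy is in the path. The layout follows the gRPC-Web protocol: one flag byte (0x80 marks the trailers frame), a 4-byte big-endian length, then the payload. The assumption that messages arrive as ordered binary chunks is the author's; the specific way StackRox maps streams onto WebSockets is not reproduced here.

```python
"""Encode and decode gRPC-Web length-prefixed frames so that a client stream
can be carried over any ordered byte transport, e.g. the binary messages of a
WebSocket. Added example, not the gRPC-Web library or StackRox's own code.
Frame layout follows the gRPC-Web protocol: 1 flag byte (0x80 marks the
trailers frame), 4-byte big-endian length, then the payload."""
from __future__ import annotations
import struct

FLAG_DATA = 0x00
FLAG_TRAILERS = 0x80
HEADER = struct.Struct(">BI")  # flags, payload length


def encode_frame(payload: bytes, flags: int = FLAG_DATA) -> bytes:
    return HEADER.pack(flags, len(payload)) + payload


def encode_trailers(status: int, message: str = "") -> bytes:
    # Trailers travel as an HTTP/1-style header block inside a flagged frame.
    block = f"grpc-status:{status}\r\ngrpc-message:{message}\r\n".encode()
    return encode_frame(block, FLAG_TRAILERS)


class FrameDecoder:
    """Accepts arbitrary byte chunks (a WebSocket may split or merge frames)
    and returns complete frames as they become available."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list[tuple[int, bytes]]:
        self._buf += chunk
        frames = []
        while len(self._buf) >= HEADER.size:
            flags, length = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # wait for the rest of this frame
            frames.append((flags, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return frames

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def parse_trailers(block: bytes) -> dict[str, str]:
    out = {}
    for line in block.decode().split("\r\n"):
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def roundtrip(messages: list[bytes], chunk_size: int) -> tuple[list[bytes], dict[str, str]]:
    """Encode a client stream plus trailers, deliver it in fixed-size chunks
    (simulating a transport that ignores frame boundaries), and decode it on
    the other side. Returns (messages, trailers)."""
    wire = b"".join(encode_frame(m) for m in messages) + encode_trailers(0, "ok")
    decoder = FrameDecoder()
    data, trailers = [], {}
    for i in range(0, len(wire), chunk_size):
        for flags, payload in decoder.feed(wire[i:i + chunk_size]):
            if flags & FLAG_TRAILERS:
                trailers = parse_trailers(payload)
            else:
                data.append(payload)
    assert decoder.pending() == 0, "stream ended mid-frame"
    return data, trailers


if __name__ == "__main__":
    msgs, trl = roundtrip([b"hello", b"", b"x" * 300], chunk_size=7)
    print(len(msgs), "messages,", "trailers:", trl)
```

The decoder is the part worth keeping: a client stream's messages are independent frames, so the server side can start dispatching them to the gRPC handler as soon as each one is complete rather than waiting for the whole WebSocket message, and an empty message (length 0) still round-trips as its own frame.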
The last several months have been a busy time for the Kubernetes community, and especially the Kubernetes release team, amid the challenges caused by the ongoing pandemic. The Kubernetes project itself has felt the impact, with the upcoming release of version 1.19 having been postponed and the project’s release schedule adjusted to accommodate the ongoing disruption to people’s lives. Only three new Kubernetes versions, instead of the usual four, will be released this year, and it is unclear whether this will be a permanent change going forward.
I’m very pleased to announce the launch of StackRox’s EMEA business, with my new role as vice president, international. Why StackRox, why now? Having spent the first half of my career evangelising the Cloud and the second half Cyber Security, I’m super excited to help cloud-native companies to secure and accelerate their business transformation and DevOps initiatives with StackRox. The boom of cloud-native start-ups here in London and across Europe has been largely assisted by the massive adoption of containers and Kubernetes - StackRox is building here at the right time to help enable this digital wave.