Today we posted the news that we’ve adopted StackRox to secure our environment. I wanted to share a bit about our thought process and results in hopes of helping others like us.
Security is difficult to manage at every level of technology development, from building a simple web app to running enormous platforms like the tech giants manage — recent tech headlines just prove this point. Like other early-stage SaaS startups, we here at Mux face the combined challenges of having limited resources, a relatively large technology footprint, and the obvious focus on building strong product features. The simultaneous need to keep things secure can put a strain on product velocity.
When we started feeling that strain more acutely, we went looking for outside help. For us, StackRox fit our needs perfectly — it helped us keep focusing engineering time on the product features we specialize in while also keeping us secure.
We deploy entirely with containers in Kubernetes, so we wanted a security system that could drop in with as little friction as possible and provide the greatest value. An integration that would take months was a non-starter for us, nor could we commit to a solution that covers only part of our infrastructure. We have limited engineering resources, so we needed a solution that quickly drops into an existing Kubernetes deployment.
Security is part of our product — our customers trust us to keep both their data and media secure. However, security is one of the easiest things to let slide when you’re trying to ship quality software on an aggressive schedule. Unfortunately, security often isn’t a problem until it is too late. To keep security from falling by the wayside, you must make it part of the engineering culture. Here at Mux, we follow three philosophies to solidify this mindset within our engineering team:
- Best Practices
- State of Mind (ethos)
We found that StackRox complemented each of these areas, often reducing our engineering overhead while also enhancing our overall system security. I’ll share some thoughts on each of these areas.
Best Practices
Best practices are the foundation of building a software product. They include things like the principle of least privilege and network isolation — the things you “just do” and that are typically obvious. However, as things scale and complexity grows, it becomes easier and easier to make that one little configuration mistake that leaves your system vulnerable. StackRox provides an excellent policy enforcement system that constantly observes the Kubernetes deployment configurations and lets you take action before any misconfiguration ever makes it to a production environment.
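To make the "one little configuration mistake" concrete, here is an added example (not Mux's or StackRox's code) of the kind of least-privilege policy check a policy engine runs over a Kubernetes Deployment manifest before it reaches production. The manifest, the rule names, the severity labels and the blocking threshold are all this example's own assumptions; it deliberately pairs a weak container (`ingest`) with a hardened one (`sidecar`) so the difference in findings is visible.

```python
"""Added example: least-privilege policy check over a Kubernetes Deployment.
Not Mux's or StackRox's code; manifest and rules are constructed for illustration."""
import json

# Constructed sample manifest (not a real deployment). The "ingest" container
# carries several weak settings on purpose; "sidecar" follows least privilege.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "media-ingest", "namespace": "example"},
  "spec": {
    "template": {
      "spec": {
        "hostNetwork": true,
        "containers": [
          {
            "name": "ingest",
            "image": "registry.example.invalid/ingest:latest",
            "securityContext": {
              "privileged": true,
              "capabilities": {"add": ["NET_ADMIN"]}
            }
          },
          {
            "name": "sidecar",
            "image": "registry.example.invalid/sidecar@sha256:0000000000000000000000000000000000000000000000000000000000000000",
            "securityContext": {
              "runAsNonRoot": true,
              "allowPrivilegeEscalation": false,
              "readOnlyRootFilesystem": true,
              "capabilities": {"drop": ["ALL"]}
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
          }
        ]
      }
    }
  }
}
""")


def check_pod_spec(pod_spec):
    """Return a list of (severity, container, message) findings.
    Severity labels and the rule set are assumptions of this example."""
    findings = []
    # Pod-level settings that break isolation from the node.
    if pod_spec.get("hostNetwork"):
        findings.append(("high", "*", "pod shares the host network namespace"))
    if pod_spec.get("hostPID") or pod_spec.get("hostIPC"):
        findings.append(("high", "*", "pod shares the host PID or IPC namespace"))
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("critical", name, "container runs privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(("medium", name, "runAsNonRoot is not set to true"))
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("medium", name, "allowPrivilegeEscalation is not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("low", name, "root filesystem is writable"))
        added = sorted(sc.get("capabilities", {}).get("add", []))
        if added:
            findings.append(("high", name, f"adds Linux capabilities: {added}"))
        # A digest pins exactly what was scanned; a tag such as :latest can move.
        if "@sha256:" not in image:
            findings.append(("medium", name, "image is not pinned by digest"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("low", name, "no resource limits set"))
    return findings


def evaluate(deployment, block_at=("critical", "high")):
    """Gate a Deployment: returns (allowed, findings). Anything at a blocking
    severity stops the rollout; lower severities are reported only."""
    findings = check_pod_spec(deployment["spec"]["template"]["spec"])
    allowed = not any(sev in block_at for sev, _, _ in findings)
    return allowed, findings


if __name__ == "__main__":
    ok, found = evaluate(SAMPLE_DEPLOYMENT)
    for sev, container, msg in found:
        print(f"[{sev:8}] {container:8} {msg}")
    print("allowed" if ok else "blocked")
```

Run as a script it prints the findings for both containers and "blocked"; wired into a CI step or an admission webhook the `evaluate` result is what decides whether the manifest proceeds. The split between blocking and report-only severities is what keeps the check from becoming noise that engineers learn to ignore.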
State of Mind (Ethos)
The idea here is that security should be considered for every line of code written. Just like code correctness, performance, and testing, the security implications of a changeset should always be considered before it is ready to move to production. This principle applies to the code review process as well — among the many checkboxes in that process, security is one of the most important. However, for us here at Mux, we are concerned about more than just the code that we produce. We rely on many third-party libraries and containers. StackRox’s ability to scan and report on vulnerabilities found in Docker containers, while hooking into our CI system, is very powerful in stopping vulnerabilities from making it into production.
Of course, you can never achieve perfect security. It would be impossible to fix every single CVE in every container running in production. Our goal is to assess our current level of risk and prioritize what fixes to focus on. And in the case that something is exploited, we want to know as soon as possible so we can mitigate it. These factors were ultimately the most compelling reasons we chose StackRox as a security provider. Within minutes of deploying the StackRox system into our Kubernetes clusters, we had a real-time view of our current risk level and a prioritized list of images we needed to fix. Also, from both a security and technology standpoint, one of the coolest features of StackRox is its real-time detection element. In addition to the application monitoring and logging we already run, we rely on StackRox for real-time monitoring, detection, and alerting of anomalous behaviour in our K8s clusters. This protection is especially important for a service like the one we run here at Mux, where we ingest user-generated media files from all over the Internet.
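The two ideas above (a CI hook that stops vulnerable containers, and a prioritized fix list rather than an attempt to fix every CVE) fit together in one small gate. The following is an added example, not Mux's or StackRox's code: it consumes a container vulnerability scan report and decides what blocks the build and what merely ranks higher on the fix list. The report shape, the `CVE-0000-000N` identifiers, the CVSS scores, the weighting of unfixable findings and the 7.0 threshold are all constructed assumptions of this example.

```python
"""Added example: CI gate plus image prioritization over a vulnerability scan report.
Not Mux's or StackRox's code; the report below is constructed, not real findings."""
from collections import defaultdict

# Assumption: CVSS 7.0 and above counts as high/critical for gating purposes.
SEVERITY_THRESHOLD = 7.0

# Constructed scan report: one entry per (image, vulnerability). The CVE ids
# are placeholders, not real advisories. "fixed_version" is None when the
# scanner knows of no fixed package version.
SCAN_REPORT = [
    {"image": "ingest:1.4.2", "cve": "CVE-0000-0001", "cvss": 9.8, "package": "libexample", "fixed_version": "2.0.1"},
    {"image": "ingest:1.4.2", "cve": "CVE-0000-0002", "cvss": 5.3, "package": "libother",   "fixed_version": None},
    {"image": "api:2.0.0",    "cve": "CVE-0000-0003", "cvss": 7.5, "package": "libcore",    "fixed_version": None},
    {"image": "api:2.0.0",    "cve": "CVE-0000-0004", "cvss": 4.0, "package": "libutil",    "fixed_version": "1.1.0"},
    {"image": "worker:0.9.1", "cve": "CVE-0000-0005", "cvss": 3.1, "package": "libmisc",    "fixed_version": "0.3.2"},
]


def prioritize_images(report):
    """Rank images by an actionable risk score, highest first.
    Assumption: fixable findings count at full CVSS weight because a patch
    exists; findings with no fix count at half weight so they still surface
    but do not crowd out work that can actually be done today."""
    scores = defaultdict(float)
    for v in report:
        weight = 1.0 if v["fixed_version"] else 0.5
        scores[v["image"]] += v["cvss"] * weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def gate(report, threshold=SEVERITY_THRESHOLD, accepted=frozenset()):
    """Return (passed, blocking). A finding blocks the build only when it is
    at or above the threshold AND a fixed version exists, so the failure is
    always something the team can act on. `accepted` holds CVE ids with a
    recorded risk acceptance; those are reported but never block."""
    blocking = [
        v for v in report
        if v["fixed_version"] and v["cvss"] >= threshold and v["cve"] not in accepted
    ]
    return len(blocking) == 0, blocking


def fix_plan(report):
    """Group fixable findings per image so the ranked list maps to concrete
    package upgrades rather than a bare score."""
    plan = defaultdict(list)
    for v in report:
        if v["fixed_version"]:
            plan[v["image"]].append(f"{v['package']} -> {v['fixed_version']} ({v['cve']})")
    return dict(plan)


if __name__ == "__main__":
    passed, blockers = gate(SCAN_REPORT)
    for image, score in prioritize_images(SCAN_REPORT):
        print(f"{score:6.2f}  {image}  upgrades: {fix_plan(SCAN_REPORT).get(image, [])}")
    for v in blockers:
        print(f"BLOCK {v['image']} {v['cve']} cvss={v['cvss']} fix={v['fixed_version']}")
    raise SystemExit(0 if passed else 1)
```

The exit status is what a CI job consumes; the ranked list is what goes on the engineering board. Keeping "no fix available" findings out of the blocking set is the practical expression of the point above that you cannot fix every CVE: the build fails only for risk you can remove, and the rest is tracked rather than silently accepted.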
The ability of StackRox to support our three primary principles of security was foundational to choosing it as our container security solution. The fact that we could also drop it in with no changes to our infrastructure and no drain on staff resources made the choice easy. In short, we found StackRox to be the most comprehensive and feature-rich security solution with the most seamless integration into and best protection for Kubernetes deployments. We’re excited to partner with StackRox on this business-critical initiative.