Earlier today, the CyberEdge Group published its 6th annual Cyberthreat Defense Report. The report includes a variety of interesting findings, which we’ll detail below. But the section of the report I found most interesting comes after all the survey results. “The Road Ahead” chapter offers advice on areas of security that need “proactive attention and investment.” The authors took great time and care to lay out the advanced capabilities needed to secure containers, citing:
Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out the Kubernetes reference guide on admission controllers to learn more.
Like the “participation” trophy every kid on the soccer team wins in kindergarten, some industry awards just don’t carry much clout. The SC Magazine awards? Now that’s a different story. These awards, announced in conjunction with the RSA Conference every year, bestow a huge amount of prestige on the companies and technologies they celebrate. The award submissions are incredibly competitive, and I know of many companies who try year after year to win and fall short.
This morning, a new security issue that affects nearly every version of Kubernetes was disclosed by the Kubernetes Product Security Team (CVE-2019-1002100). It is medium severity, and Kubernetes administrators are advised to first check and limit role-based permissions on Kubernetes users. Container infrastructure maintainers should subsequently consider upgrading the Kubernetes API server to a recently patched version.
Vulnerability Summary
CVE-2019-1002100 is a denial of service (DoS) vulnerability that exists in the Kubernetes API server, allowing users with certain write permissions on the Kubernetes API to make write requests that cause the API server to consume excessive resources.
Today we introduced a slew of new compliance capabilities, including support for NIST, PCI, and HIPAA. As we’ve talked with customers about the functionality they need, a few key trends have emerged that informed how we designed our StackRox Kubernetes Security Platform to support compliance. We love how one customer reacted to our new features: “StackRox gives us the ability to demonstrate our adherence to HIPAA at all times, helping us avoid audit-induced anxieties.”
A vulnerability in runC, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered and reported by Adam Iwaniuk and Borys Poplawski in early January and published as CVE-2019-5736 on 11 February 2019. This vulnerability is highly significant in that it: enables container isolation breakout with minimal interaction from an authorized host user; typically allows an attacker to obtain root privileges on the host; negatively impacts most container environments because many containers run with default Docker security settings and default user (UID 0); and affects runC, the most commonly used low-level container runtime in Docker and Kubernetes environments.
StackRox has pioneered the industry’s most innovative security solution for Kubernetes and containers. Today we’re proud to announce that we’ve won in the Most Innovative Company category of the Cybersecurity Excellence Awards. This award recognizes our relentless drive to enable secure Kubernetes and container environments and protect our customers’ vital cloud-native applications. The 2019 Cybersecurity Excellence Awards honor companies, individuals, and products that innovate in information security. What’s unique about this award is that it relies on validation from the information security community.
In a news release today, we detailed new capabilities in the latest version of the StackRox Kubernetes Security Platform that enable better visibility, more nuanced risk profiling, and more streamlined network policy enforcement. In every case, these new features derive directly from our deep integrations with Kubernetes. About a year ago, we faced a difficult decision – continue our support of a broad array of orchestrator platforms or narrow our focus to supporting just Kubernetes.
When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and their advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.
More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.
In 2018, we learned about several Kubernetes security vulnerabilities, with the latest Kubernetes security flaw being the most severe. The last few Kubernetes releases have both introduced new security features and also provided critical security patches to help resolve some of the most impactful Kubernetes security issues and shortcomings to date. As you start the new year, take a look at the version of your Kubernetes clusters. If you are still using an older version, we highly recommend you promptly upgrade to the latest release.