Posts under Container Security
Kubernetes is a powerful tool for building highly scalable systems. As a result, many companies have begun, or are planning, to use it to orchestrate production services. Unfortunately, like most powerful technologies, Kubernetes is complex. How do you know you’ve set things up correctly and it’s safe to flip the switch and open the network floodgates to your services? We’ve compiled the following checklist to help you prepare your containers and kube clusters for production traffic.
Greetings from the Red Hat Summit in Boston! We had a great time at OpenShift Commons yesterday, and today we’re talking to folks about some joint news between StackRox and Red Hat – the StackRox Kubernetes Security Platform is now available as a Red Hat certified container, and customers can get our software through the Red Hat Container Catalog. This certification makes it easier for OpenShift customers to access enhanced security and compliance capabilities that complement Red Hat’s Kubernetes platform.
What happened? In an email to customers, Kent Lamb, Director of Docker Support, wrote “During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.” As a result of this breach, it’s possible that images in your Docker Hub repository may have been tampered with or overwritten.
We’re excited to announce today that we’ve added support for the latest version of the Google Cloud Security Command Center (Cloud SCC). StackRox has collaborated with the Cloud SCC team as part of our Google Cloud partnership since Cloud SCC’s alpha release, and we’re excited that the platform is now generally available. The StackRox Kubernetes Security Platform enables customers to meet their security and compliance requirements across the container lifecycle, and we’ve integrated deeply with Kubernetes to deliver the key capabilities essential to an effective container security solution.
Like the “participation” trophy every kid on the soccer team wins in kindergarten, some industry awards just don’t carry much clout. The SC Magazine awards? Now that’s a different story. These awards, announced in conjunction with the RSA Conference every year, bestow a huge amount of prestige on the companies and technologies they celebrate. The award submissions are incredibly competitive, and I know of many companies who try year after year to win and fall short.
Today we introduced a slew of new compliance capabilities, including support for NIST, PCI, and HIPAA. As we’ve talked with customers about the functionality they need, a few key trends have emerged that informed how we designed our StackRox Kubernetes Security Platform to support compliance. We love how one customer reacted to our new features: StackRox gives us the ability to demonstrate our adherence to HIPAA at all times, helping us avoid audit-induced anxieties.
A vulnerability in runC, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered and reported by Adam Iwaniuk and Borys Poplawski in early January and published as CVE-2019-5736 on 11 February 2019. This vulnerability is highly significant in that it: enables container isolation breakout with minimal interaction from an authorized host user; typically allows an attacker to obtain root privileges on the host; negatively impacts most container environments because many containers run with default Docker security settings and default user (UID 0); and affects runC, the most commonly used low-level container runtime in Docker and Kubernetes environments.
In a news release today, we detailed new capabilities in the latest version of the StackRox Kubernetes Security Platform that enable better visibility, more nuanced risk profiling, and more streamlined network policy enforcement. In every case, these new features derive directly from our deep integrations with Kubernetes. About a year ago, we faced a difficult decision – continue our support of a broad array of orchestrator platforms or narrow our focus to supporting just Kubernetes.
When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and its advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.
More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.
The year 2018 was a watershed for containers, container security, and Kubernetes. Tesla got hacked, the most critical Kubernetes vulnerability to date was discovered, IBM bought RedHat for $34 billion (in large part for OpenShift), VMware bought Heptio for more than $500 million, and investors poured money into container technology startups at an ever-increasing pace. The Following five blog articles capture and distill the big picture trends in container adoption and Kubernetes security in 2018.
The advent of containers has not only made application development and deployment simpler, scalable, and portable but also enabled more inherent security compared to traditional application development technologies and methodologies. You can leverage many inherent security advantages as you move applications to containers – even if you’re porting a monolithic app and not yet adopting microservices. With containers, you can: Minimize your attack surface much more effectively than is possible with a virtual machine (VM) or bare metal server by reducing functionality in the container to the bare minimum set of processes, image components, filesystem access, and other settings.
This week StackRox launched the industry’s first ever State of Container Security report. To compile the findings, we surveyed more than 230 IT leaders across operations and security roles. Some responses came as no surprise – the dominance of Docker and Kubernetes, for example, or the breadth of industries using containers to accelerate application roll out. But many results did surprise us – including the extent to which security leads the list of concerns about companies’ container strategies.
Today we posted the news that we’ve adopted StackRox to secure our environment. I wanted to share a bit about our thought process and results in hopes of helping others like us. Security is difficult to manage at every level of technology development, from building a simple web app to running enormous platforms like the tech giants manage — recent tech headlines just prove this point. Like other early-stage SaaS startups, we here at Mux face the combined challenges of having limited resources, a relatively large technology footprint, and the obvious focus on building strong product features.
We’re excited to share the news today that we’ve entered into a technology development and strategic investment agreement with In-Q-Tel (IQT). For nearly 20 years, IQT has been critical to driving cutting-edge technology into the U.S. Intelligence Community. The not-for-profit investor identifies innovative security startups and connects them with U.S. government agencies chartered with keeping the United States safe. In choosing to partner with StackRox, IQT has signaled the criticality of containers in driving application innovation today and the advanced security StackRox provides for these environments.
We were pleased to present at Google Cloud Next 2018 at the request of Allan Naim, a Kubernetes Engine product manager at Google. In our talk, we highlighted reference architectures for container security and technical demos of attack vectors in the ecosystem. Our talk centered around architectures for FinTech companies running on Google Kubernetes Engine (GKE), but anyone running containers and Kubernetes can leverage the findings we’ll review here.