1/9/2019, 10:30 AM
Kamal Shah
Commentary
Security at the Speed of DevOps: Maturity, Orchestration, and Detection

Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.

Containerized environments, central to digital transformation, have become mainstream with notable speed. Cloud-native architecture and microservices-based applications are critical to enabling companies to move fast. To move quickly with safety, companies must accelerate the maturity of their container security strategies and implementations.

As production deployments pick up speed, security gaps become evident, presenting immediate risk to businesses. We already know that traditional security tooling and products don't work to secure containers and microservices. As a result, most companies with container deployments are concerned about insufficient security strategies and investments and are looking to new companies for purpose-built solutions.

Along with deploying new container security platforms, companies realize they must also leverage the security capabilities and architectures inherent to cloud-native, containerized ecosystems. Container and microservices technologies, like Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design. The best security platform for these technologies will tap into the power of the full ecosystem rather than add on a range of security functions separate from the infrastructure.

New Challenges and Strategic Shifts
Containerized environments are inherently more secure when built and used properly. But it takes experience with these systems to configure and run them securely. Often, the security team is not experienced with containers or Kubernetes. Many companies are rethinking their security roles and responsibilities in light of container adoption.

Strengthening Kubernetes security is one of the most fundamental things an organization can do to protect containerized applications. Kubernetes has become the orchestrator of choice for most container deployments. Part of what makes it a powerful solution is the degree of control it gives you, but with many "knobs" to tune comes the potential for mistakes. If you don't set it up right, with the dashboard protected and role-based access control implemented, you can introduce business risk through unnecessary exposure. Kubernetes is also becoming a target precisely because it's so widely adopted.

We recommend time spent on protection and hardening — Kubernetes includes a lot of moving parts, and given its role in application development, the question arises as to which team should secure it.
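As an added illustration of the RBAC "knobs" just described (example code written for this edit, not from the article or from StackRox), the following script audits Kubernetes Role, ClusterRole and binding objects for the most common misconfigurations: wildcard verbs on wildcard resources, secret read access, cluster-admin grants, and roles bound to the default service account. The functions and sample objects are constructed for illustration; the inputs are plain dicts in the shape of `kubectl get ... -o json` output.

```python
# Added example (not from the article or StackRox): audit Kubernetes RBAC
# objects for over-permissive settings. Inputs are plain dicts shaped like
# `kubectl get ... -o json` output; the sample objects below are constructed.

def risky_rules(role):
    """Findings for a Role/ClusterRole: wildcard verbs on wildcard
    resources, or read access to secrets."""
    findings = []
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"{name}: wildcard verbs on wildcard resources")
        elif "secrets" in resources and verbs & {"get", "list", "*"}:
            findings.append(f"{name}: can read secrets")
    return findings

def risky_bindings(bindings):
    """Findings for (Cluster)RoleBindings: cluster-admin grants, and any role
    bound to the 'default' service account that pods run as unless told otherwise."""
    findings = []
    for b in bindings:
        bname, ref = b["metadata"]["name"], b["roleRef"]["name"]
        for subj in b.get("subjects", []):
            kind, who = subj["kind"], subj["name"]
            if ref == "cluster-admin":
                findings.append(f"{bname}: cluster-admin granted to {kind} {who}")
            if kind == "ServiceAccount" and who == "default":
                findings.append(f"{bname}: {ref} bound to default service account")
    return findings

# Constructed sample objects (illustrative, not from a real cluster).
OPEN_ROLE = {"kind": "ClusterRole", "metadata": {"name": "everything"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
TIGHT_ROLE = {"kind": "Role", "metadata": {"name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    print(*(risky_rules(OPEN_ROLE) + risky_rules(TIGHT_ROLE) + risky_bindings(BINDINGS)), sep="\n")
```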

DevOps Gets Closer to Security
With the rise of cloud services and cloud-native architectures, the CIO's team has shifted from providing and running infrastructure to enabling applications. And now, with containerization, the security team is making a similar shift, enabling rather than operating security functions. That's because as security necessarily moves closer to the application, it enters DevOps' domain. Because of their expertise and central role in building, testing and deploying applications, DevOps team members must take responsibility for protecting those applications and their infrastructure. Security teams likely will still define policies and put guardrails in place, but DevOps increasingly will operate the security tools closest to containerized applications.

DevOps also has the know-how to build security into the infrastructure earlier in the software development life cycle. Resilience and agility can be improved through the granularity of container technology. In cloud-native environments, the control layer and data plane are interwoven; you can write in a layer of logic to create continuous, instantaneous enforcement.

Containers and microservices give you the ability to make changes — including security fixes — on a nearly continuous basis. To fix an issue, simply replace a bad image with a good one, kill the affected containers, and when those containers rebuild, they'll automatically use updated images. This way, you can address security gaps without breaking the entire application.

By weaving security solutions into the infrastructure and closer to the application, DevOps can give hackers quite a headache. If they succeed at infiltrating, bad actors typically are limited to seeing what's in just a single container — broadening the attack means they have to replicate their intrusive maneuvers multiple times.

Given the inherent security constructs of containers, security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling, such as using Kubernetes for network policy enforcement.
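To make concrete the network policy enforcement mentioned above, and the single-container containment described two paragraphs earlier, here is an added example (written for this edit, not code from the article or StackRox) of a minimal evaluator for Kubernetes NetworkPolicy ingress semantics. It assumes one namespace, podSelector peers only (no namespaceSelector, ipBlock or port matching), and treats every policy as an ingress policy; the pods and policies are constructed sample data.

```python
# Added example (not from the article or StackRox): a minimal evaluator for
# Kubernetes NetworkPolicy ingress semantics, showing how default-deny plus
# narrow allow rules confine a compromised pod to its own segment.
# Assumptions: one namespace, podSelector peers only (no namespaceSelector,
# ipBlock or ports); all policies are treated as ingress policies.
# Pods and policies are dicts shaped like the API objects, constructed here.

def selects(selector, pod):
    """matchLabels semantics: an empty selector matches every pod."""
    return all(pod["labels"].get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src, dst):
    """True if traffic from src to dst is permitted by the policies."""
    applicable = [p for p in policies if selects(p["spec"]["podSelector"], dst)]
    if not applicable:
        return True  # nothing selects dst: not isolated, so everything is allowed
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits traffic from anywhere
                return True
            if any(selects(peer["podSelector"], src)
                   for peer in peers if "podSelector" in peer):
                return True
    return False  # isolated and no rule admitted src: denied

# Constructed sample: three pods, a default-deny policy and two allow policies.
PODS = {
    "web": {"labels": {"app": "web"}},
    "api": {"labels": {"app": "api"}},
    "db":  {"labels": {"app": "db"}},
}
POLICIES = [
    # selects every pod in the namespace and lists no ingress rules: deny all
    {"metadata": {"name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "api-from-web"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
    {"metadata": {"name": "db-from-api"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}},
]

if __name__ == "__main__":
    for s, d in (("web", "api"), ("api", "db"), ("web", "db")):
        print(f"{s} -> {d}:", "allowed" if ingress_allowed(POLICIES, PODS[s], PODS[d]) else "denied")
```

With no policies at all the namespace is flat and every pod can reach every other; with the three policies above, a compromised web pod can reach api but not db, which is the blast-radius limit the text describes.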

Work Smarter
Intelligent, actionable, built-in visibility and control should be an integral part of any responsible security model. That's already a tall order. With container technology, we add a portability requirement. For businesses trying to operationalize and secure containers across hybrid and multicloud deployments, the security model has to be at once holistic, highly portable, and deeply integrated. Hygiene, vulnerability management, and prevention are hallmarks of today's security efforts.

As more vital infrastructure is built using containerized and cloud-native models, we need to shift our focus to detection. 

Vulnerability scanning and hardening are still important, but to do anything about runtime attacks, you need detection capabilities. And you can't remediate manually — systems designed to scale up and out rapidly and iterate frequently, as containers do, require automation and machine learning. Kubernetes and containers provide the capability to automate the execution of a specific response to everything that is detected. The most effective security solutions will be those that make actionable detection possible — and eliminate counterproductive streams of alerts.

There's much more to come. We're at an exciting intersection of possibilities thanks to the convergence of containers, orchestrators, microservices, and DevOps capabilities. If we harness the momentum, we can advance standards, cultivate the portability and integration of security, encourage collaboration, and make the strategic investment to build holistic, sustainable systems that protect our digitally transformed world.

Kamal Shah brings more than 20 years of experience identifying new markets, creating category-defining products that delight customers, and building large businesses to his role as CEO of StackRox. Previously, Kamal was SVP of products and marketing at Skyhigh Networks, a ...