Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/9/2019
10:30 AM
Kamal Shah
Kamal Shah
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security at the Speed of DevOps: Maturity, Orchestration, and Detection

Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.

Containerized environments, central to digital transformation, have become mainstream with notable speed. Cloud-native architecture and microservices-based applications are critical to enabling companies to move fast. To move quickly with safety, companies must accelerate the maturity of their container security strategies and implementations.

As production deployments pick up speed, security gaps become evident, presenting immediate risk to businesses. We already know that traditional security tooling and products don't work to secure containers and microservices. As a result, most companies with container deployments are concerned about insufficient security strategies and investments and are looking to new companies for purpose-built solutions.

Along with deploying new container security platforms, companies realize they must also leverage the security capabilities and architectures inherent to cloud-native, containerized ecosystems. Container and microservices technologies, like Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design. The best security platform for these technologies will tap into the power of the full ecosystem rather than add on a range of security functions separate from the infrastructure.

New Challenges and Strategic Shifts
Containerized environments are inherently more secure when built and used properly. But it takes experience with these systems to configure and run them securely. Often, the security team is not experienced with containers or Kubernetes. Many companies are rethinking their security roles and responsibilities in light of container adoption.

Strengthening Kubernetes security is one of the most fundamental things an organization can to do to protect containerized applications. Kubernetes has become the orchestrator of choice for most container deployments. Part of what makes it a powerful solution is the degree to which you can exert control with it, but with many "knobs" to tune comes the potential for mistakes. If you don't set it up right, with the dashboard protected and role-based access control implemented, you can introduce business risk through unnecessary exposure. Also, Kubernetes is becoming a target because it's widely adopted.

We recommend time spent on protection and hardening — Kubernetes includes a lot of moving parts, and given its role in application development, the question arises as to which team should secure it.

DevOps Gets Closer to Security
With the rise of cloud services and cloud-native architectures, the CIO's team has shifted from providing and running infrastructure to enabling applications. And now, with containerization, the security team is making a similar shift, enabling rather than operating security functions. That's because as security necessarily moves closer to the application, it enters DevOps' domain. Because of their expertise and central role in building, testing and deploying applications, DevOps team members must take responsibility for protecting those applications and their infrastructure. Security teams likely will still define policies and put guardrails in place, but DevOps increasingly will operate the security tools closest to containerized applications.

DevOps also has the know-how to build security into the infrastructure earlier in the software development life cycle. Resilience and agility can be improved through the granularity of container technology. In cloud-native environments, the control layer and data plane are interwoven; you can write in a layer of logic to create continuous, instantaneous enforcement.

Containers and microservices give you the ability to make changes — including security fixes — on a nearly continuous basis. To fix an issue, simply replace a bad image with a good one, kill the affected containers, and when those containers rebuild, they'll automatically use updated images. This way, you can address security gaps without breaking the entire application.

By weaving security solutions into the infrastructure and closer to the application, DevOps can give hackers quite a headache. If they succeed at infiltrating, bad actors typically are limited to seeing what's in just a single container — broadening the attack means they have to replicate their intrusive maneuvers multiple times.

Given the inherent security constructs of containers, security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling, such as using Kubernetes for network policy enforcement.

Work Smarter
Intelligent, actionable, built-in visibility and control should be an integral part of any responsible security model. That's already a tall order. With container technology, we add a portability requirement. For businesses trying to operationalize and secure containers across hybrid and multicloud deployments, the security model has to be at once holistic, highly portable, and deeply integrated. Hygiene, vulnerability management, and prevention are hallmarks of today's security efforts.

As more vital infrastructure is built using containerized and cloud-native models, we need to shift our focus to detection. 

Vulnerability scanning and hardening are still important, but to do anything about runtime attacks, you need detection capabilities. And you can't remediate manually — systems designed to scale up and out rapidly and iterate frequently, as containers do, require automation and machine learning. Kubernetes and containers provide the capability to automate the execution of a specific response to everything that is detected. The most effective security solutions will be those that make actionable detection possible — and eliminate counterproductive streams of alerts.

There's much more to come. We're at an exciting intersection of possibilities thanks to the convergence of containers, orchestrators, microservices, and DevOps capabilities. If we harness the momentum, we can advance standards, cultivate the portability and integration of security, encourage collaboration, and make the strategic investment to build holistic, sustainable systems that protect our digitally transformed world.

Related Content:

 

Kamal Shah brings more than 20 years of experience identifying new markets, creating category-defining products that delight customers, and building large businesses to his role as CEO of StackRox. Previously, Kamal was SVP of products and marketing at Skyhigh Networks, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.