Container Security: A Guide for Buyers
Contents
Container security: Moving parts mean more complexity (page 4)
A guide to container security tools (page 11)
Containing app vulnerabilities
How does WhiteSource help companies secure their containers?
“Doomsday” flaw discovered in RunC underscores potential for critical container vulnerabilities
9 security best practices for Kubernetes you should be following
(pages 6, 10, 12 and 14)
June 2019
Container Security:
Moving parts mean more complexity
By Jenna Sargent
Containers have been gaining in popularity as more and more companies recognize the benefits, but with new technology comes new responsibility: securing those containers is crucial. Compared to monolithic applications, containers have a lot more moving parts, Amy DeMartine, principal analyst at Forrester, explained. This is one of the reasons developers love them so much, but it also makes securing them more complicated.
“Instead of one big monolithic application, now you’ve got lots of little applications talking to each other and possibly doing things you don’t want them to do,” said DeMartine. “And because developers can put anything inside, it’s the mystery meat inside that container that is the biggest security risk.”

Because of the complex nature of containers, additional security measures must be taken beyond securing the host. According to Shiri Ivtsan, product manager at WhiteSource, operators must also maintain standard configurations and container profiles in order to keep them secure.

According to Ivtsan, container security should be considered throughout the development life cycle. In that regard, it’s no different than securing any other application. It needs to be considered from the research stage, which includes understanding which architecture and components to use, through the build stage and then the deployment stage, Ivtsan explained.

Many hackers go after the things that are easiest to gain access to. This makes containers particularly vulnerable, because containers are still a relatively new technology and may not have strict security measures yet. However, DeMartine notes that attackers aren’t going specifically after containers; they may instead be exposed during a ‘spray and pray’ attack, where attackers are just trying to get into anything that they can. “Containers can give a lot of information out about themselves if they’re not properly configured, if the environment isn’t properly configured,” DeMartine said. “They can give a lot of information out about what they are exposing to the world, especially in terms of APIs.”

In addition, the fact that they share the same resources, in terms of CPU and memory, is one of the main reasons that they are targets for cryptocurrency mining, Ivtsan explained. “We see the vulnerabilities are on the rise, and this is making container security a lot more enhanced,” said Ivtsan. “The hackers are getting more knowledge about how to exploit different vulnerabilities in containers.”

A major vulnerability was recently detected in the open-source project runC, which is used to power almost all container technologies, said Ivtsan. runC was discovered to have a remote code execution risk because of a container breakout vulnerability that could provide an attacker with root access to the targeted host. This is accomplished by overwriting the host’s runC binary, Ivtsan said.

Another recent issue is the breach of Docker Hub. According to DeMartine, comments she has heard from users are that the response to the breach wasn’t great, and that they didn’t come out and address the breach in a big way. “It also made everyone realize that Docker is pretty much the same as everybody else. They’re just another vulnerable component, a part of the software delivery life cycle.” DeMartine believes that the Docker Hub breach will make users take a look at where they are storing their data and registries and perhaps find a more secure location for them.

These security incidents, combined with new legislation such as the GDPR and the California Consumer Privacy Act, may also be making users more aware. “Legislation, certifications, and breaches are all kind of coming together to say ‘Hey, what you thought was safe is probably not. You need to be more mindful.’”

DeMartine explained that the first step most organizations take when it comes to container security is to perform a scan to ensure that there’s nothing vulnerable inside. This also ensures that they know what’s in it, so that when vulnerabilities are disclosed, they are able to remediate the issue quickly, she explained. She also explained that many of these technologies have sidecar containers that look for malicious or odd behavior. “I think what we’re seeing as we move to serverless is I think sidecar containers will become libraries that you just insert into the container more and more so that it transfers over into serverless. So I think container security is actually going to bleed into serverless security.”

There are several steps that need to be taken in order to secure containers, but open-source vulnerabilities may be the most critical aspect, Ivtsan believes. “Since most container-related elements are open source (Docker, Kubernetes and the underlying infrastructure), it’s specifically important to scan your vulnerabilities in order to detect open-source vulnerabilities.” Scanning should be done across the software life cycle.

According to Ivtsan, it is important for there to be awareness within the organization and cooperation between developer teams, DevOps teams, IT teams, and security teams. Though that collaboration is important, it’s also important that there be a dedicated member of the DevOps team who ensures there are security measures, and also that those measures don’t slow down the development process, Ivtsan explained. “We need to understand that this is an ongoing process,” said Ivtsan. “From the very early stages of the development, all the way to the actual deployment. Once you’ve implemented the right processes in your organization, it will be a lot easier to maintain it.”

Ivtsan recommends that organizations first set a security gate in CI/CD, because that is where functional tests are done. Security tests should be added there that will make
Continued on page 7
Containing App Vulnerabilities
By Jeffrey Schwartz
The allure of modern software architectures based on containers and microservices is their potential to enable business transformation efforts, but as with any new technology, security is a key barrier to widespread implementation. However, new tools and evolving software frameworks promise to tackle that hurdle.

Shifting from monolithic software to containerization is compelling because it enables agile development and runtime environments that aren’t tied to specific hardware or platforms. Likewise, since they encapsulate any number of microservices that are called upon only as needed, containers are also appealing because developers can easily swap out individual microservices without rebuilding an app or impacting the infrastructure.

The market for application containers is forecast to reach $1.5 billion this year and is expected to grow to $2.6 billion by 2020, according to 451 Research. While that represents a small percentage of cloud-enabling software, application containers are the fastest-growing segment. Experts have found that especially remarkable, considering that the market first took shape five years ago when Docker open-sourced key components of its container runtime and gathered widespread industry support.
Coalescing Around Kubernetes
Now there’s a common baseline for container management and security, with the industry coalescing around Kubernetes, the open-source orchestration system for automating the deployment of containerized software. Kubernetes was developed by Google and contributed to the open-source community three years ago. It is now maintained by the Cloud Native Computing Foundation (CNCF), which has joined forces with the Open Container Initiative (OCI), resulting in rapid, broad support by the software industry. While Google Kubernetes Engine (GKE) has been around for some time, Amazon Web Services’ Elastic Kubernetes Service (EKS) and Microsoft’s Azure Kubernetes Service (AKS) became generally available last month. That
widens the playing field now that the two most widely used public clouds offer managed Kubernetes services. It also enables various hybrid cloud management scenarios such as Red Hat’s OpenShift Container Platform, which is Kubernetes-based, and the Pivotal Kubernetes Service (PKS), which is built on the open-source Kubo distribution. Other container orchestration platforms, such as Mesosphere and Rancher, also support Kubernetes. However, Docker’s own orchestration tool, Swarm, is built with a different architecture and does not lend itself to Kubernetes. By most accounts, Docker, which introduced Swarm several years ago, was blindsided by the rapid and widespread industry support for Kubernetes.

The Docker engine is still a key component of container environments and is included in the latest version of Windows Server, released in 2016. Last year, a Docker update enabled its container engine to run in Windows and Linux clusters. Docker also claims 1 million new developers have started using its Windows and Mac desktop GUI. Despite the shift to Kubernetes, Swarm still has a place among those using Docker’s tools. “Docker does not position it as an either-or decision that has to be made between Swarm and Kubernetes,” said Gartner analyst Tony Iams. “Swarm is a great way to get started with container orchestration and then you graduate to Kubernetes.” Although some shops may start off with Docker Swarm, the company has acknowledged that it needed to provide support for Kubernetes-based orchestration and security. The new Docker Enterprise Edition 2.0, previewed last fall and released in April, now supports both Swarm and Kubernetes orchestration.
Security Improvements to Docker EE
Among the security improvements in Docker EE 2.0 are GUI-based workflows to enable role-based access control (RBAC), cluster and registry management, and secure application zones that physically separate applications within a single cluster. The new Docker EE also provides a CNCF-compliant Kubernetes stack, including support for its native APIs and
Continued on page 8
Continued from page 5
builds fail if there is an issue detected. Secrets are also an important aspect, especially tokens. Tokens should be encrypted and stored in a secure location. Another important aspect is to “know your source.” Organizations should use private registries and sign images with a digital signature to ensure that an image is not modified after security measures have been taken. Defaults should always be avoided as well, because they’re often not secure enough. Ivtsan recommends that companies verify that they have a high security level and, if necessary, modify the default parameters.

There are a lot of different container engines in use, but fortunately the security methods don’t seem to vary much across engines. Still, it is important to understand the specific technology you are using and to get constant updates as things change. For example, the runC vulnerability affected all container engines, but there have been other vulnerabilities in the past that only affected specific container engines.

One challenge that organizations often face is a lack of knowledge around containers, which is both an operational challenge and a security challenge. “There’s a learning curve with regards to containers, and the organization has to be aware of that: Have a proper staging/sandbox site, and make sure to consult with an expert,” said Ivtsan. He also noted that there is a lot of information online that organizations can take advantage of to educate themselves.

‘It’s specifically important to scan your vulnerabilities in order to detect open-source vulnerabilities.’
—Shiri Ivtsan

When choosing tooling to address security needs, it’s important for organizations to understand their particular needs, Ivtsan explained. Tools that work for large enterprises may not work well for a small startup, and vice versa. “In general, the best way would be to actually try the tool with your own environment. This will give a sense both about the ease of use and about the results.” Integration is also important to consider when looking at tooling. Organizations should ask themselves how well the tool integrates with their existing environment.
Containing App Vulnerabilities (continued from page 7)
command line interfaces (CLIs). At last month’s DockerCon conference in San Francisco, the company demonstrated Federated Application Management for Docker EE with added security controls. Pointing to the managed Kubernetes services from Amazon, Microsoft and Google, Docker officials said that rather than needing to define every security, access control and governance policy for each specific cloud provider and software distribution, customers can provision clusters with Docker EE. And with the new federated management capability announced last month, customers can implement existing policies or those created within those environments.

“In an era where everything is going to have a digital representation, security has to be a basic digital right, it has to be part of the software we build, we have to know everything about the applications that we’re running,” Docker CEO Steve Singh said during his keynote address at DockerCon, where container security was a key focus.

Gartner’s Iams said Docker had little choice but to jump on the Kubernetes bandwagon. “Docker needed to show that they can also add value with Kubernetes because the Kubernetes space is getting to be strategically quite significant and you have a number of players,” he said. Many of these players are startups or relatively new providers such as Aqua Security, Aporeto, JFrog, NeuVector, StackRox and Twistlock, which offer tools focused squarely on container security. Core security providers have also set their sights on securing containers, including Cisco, with its new Contiv offering, and Tenable, which last month added container protection capabilities to its Tenable.io security scanning suite. The above-mentioned upstream container management providers also offer various security capabilities, as do cloud operations management tools from AppFormix, Applatix, Apprenda, Cloud 66, DH2i, Kublr and Platform9, among others. Gartner’s Iams said that while the cloud platforms address many of these security concerns, many of these tools provide various levels of integration and vulnerability scanning. “With all this new software that’s being installed, whether it’s there in the container runtime or within the orchestration system, all those have to be integrated with existing security such as whatever authentication mechanism you have in place like Active Directory,” he said.
Following the Money
Yet investors are betting big on container security. Among a number of Series B investments, Redpoint Ventures put $25 million into StackRox, Polaris Partners funded Twistlock with $17 million, and Lightspeed Venture Partners pumped a $25 million round into Aqua. Why are so many new providers focusing on container management security rather than leaving it to the incumbents?

The first step toward securing containers begins with the developer, who must build security into the CI/CD process, according to Liz Rice, an evangelist at Aqua, a 3-year-old startup that offers a platform for runtime controls for container-based environments. “That’s a complete mind change from how things are in a traditional deployment,” Rice said. Also, containers are designed to run in heterogeneous environments and there are more of them, often thousands. Each microservice has its own dependencies, meaning traditional security approaches such as patching and applying vulnerability updates aren’t practical with these new architectures, Rice explained. “If you have that model in your head when you think about dealing with these thousands of containers, it’s just impossible,” she said.

John Morello, Twistlock CTO, agreed. While a traditional three-tier application running in virtual machines might have a single VM for each tier, the exponentially larger quantity of microservices and containers, which are often created and destroyed weekly or even daily, requires a different approach, he noted. While this creates a more dynamic environment, that’s the intent with the move to CI/CD. “These challenges mean that security needs to be more dynamic and automated than traditional models that assumed static, human-generated policies and rules,” Morello said. The upside of containers, he added, is that they are minimal, declarative and more predictable than traditional monolithic approaches. Consequently, security platforms for these environments observe and model normal behaviors and automatically detect anomalies with minimal human involvement, according to Morello. “When combined with a modern CI/CD software delivery process, they enable organizations to embed security much earlier in the app life cycle, preventing vulnerable apps from being deployed in the first place and fixing problems in development, where they’re much cheaper and safer to resolve,” he said.
Cloud Provider Container Security
Many of the capabilities needed to secure containers are built right into many of the public clouds and offered by managed service providers. A case in point is IBM Cloud, which offers security scanning of container images and configuration scanning to look for poorly configured software as part of its managed Kubernetes service. “We do enforcement-based policy and we do image signing and enforcement,” said Jason McGee, a VP and CTO of IBM Cloud. “That’s all just built into the platform.”

But many solutions address applications that may run across multiple clouds or offer specific capabilities such as runtime security or forensics. McGee said IBM has partnered with several of those providers, including Aqua, Sysdig, LogDNA, NeuVector and Twistlock. IBM and NeuVector announced their alliance back in March to offer, as an option, automated Kubernetes platform security with NeuVector’s multi-vector container firewall capabilities. “There’s a tremendous ecosystem of solutions from startups and large companies like that to solve different parts of the container operational environment and developer experience,” McGee said. “Those tools work with IBM Cloud and they work with our Kubernetes services on premises.”

NeuVector recently announced extended security capabilities with the 2.0 release of its namesake offering, extending its run-time security automation, container process monitoring and vulnerability scanning with incident response, enterprise access control, role-based management and registry scanning.

Many of these security players have aligned themselves with major cloud providers as well as those who offer container management solutions and various CI/CD tools. For example, Cloud 66, which offers a Kubernetes-based container deployment pipeline tool called Skycap, has customers who use container security solutions from Aqua, JFrog and Twistlock. Udi Nachmany, VP of business development at Cloud 66, describes those solutions as complementary. “If you use our pipeline and go into Kubernetes, you can just plug Aqua’s runtime security tool into your infrastructure,” Nachmany said.

The company is also the sponsor of a new open-source project called Habitus, which helps developers address the security and performance of Docker container images in the build stage. For example, it’s common to have secrets embedded into the container image, and that image can be sent to an unencrypted registry. “As a DevOps person or manager, you don’t always have control of all those moving parts, so Habitus takes the secret out, and puts it in a sidecar that runs in the build network, and then the secret is injected once the image is finished,” Nachmany said. Another thing Habitus does is minimize the size of the image. “If you’re creating an app and you don’t need all of the build libraries in the runtime image, you can create a runtime image that’s 10 percent of the original one, which obviously means it’s much less vulnerable to attack,” he said.
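As an added example illustrating the secrets-in-image problem Nachmany describes (this is not Habitus or Cloud 66 code), the script below greps an image's build history for steps that bake credentials into layers before the image reaches a registry. The `docker history` flags are real CLI syntax; the regex patterns and the sample history are this script's own constructed assumptions.

```shell
#!/bin/sh
# Flag build steps that bake secrets into an image's layers.
# Added example for the point made above; not Habitus or Cloud 66 code.
# Input is the output of
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
# (real Docker CLI syntax) or any text on stdin. The patterns below are
# this script's own assumptions about what a credential looks like.

# Print the offending history lines and return 0 if any build step looks
# like it carries a credential; return 1 when nothing matches.
find_baked_secrets() {
  grep -E -i \
    -e '(password|passwd|secret|token|api_?key|private_?key)[a-z0-9_]*([ =:]|$)' \
    -e 'AKIA[0-9A-Z]{16}' \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    -e '(COPY|ADD) .*(\.pem|\.key|id_rsa|\.npmrc|\.netrc|credentials)'
}

# Constructed sample history (not from a real image), one build step per line.
# Lines 1, 2 and 4 are the kind of steps that leak: an ENV with a token, a
# COPY of a private key, and a build ARG whose name marks it as a secret.
SAMPLE_HISTORY='/bin/sh -c #(nop) ENV API_TOKEN=deadbeef0123
/bin/sh -c #(nop) COPY file:abc123 in /app/id_rsa
/bin/sh -c apt-get update && apt-get install -y build-essential
/bin/sh -c #(nop) ARG NPM_TOKEN
/bin/sh -c #(nop)  CMD ["node" "server.js"]'

# Number of sample lines flagged; used as the script's self-check.
count_sample_hits() {
  printf '%s\n' "$SAMPLE_HISTORY" | find_baked_secrets | wc -l | tr -d ' '
}

# Live use:  sh image_secrets.sh IMAGE   (exits 1 when secrets are found)
if [ "$#" -eq 1 ]; then
  if docker history --no-trunc --format '{{.CreatedBy}}' "$1" | find_baked_secrets; then
    echo "build steps above embed secrets in image $1" >&2
    exit 1
  fi
  echo "no baked-in secrets detected in $1"
fi
```

Because layer history survives a push, a hit here means the credential is already in every registry the image was pushed to and must be rotated, not just removed from the Dockerfile.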
Bridging Old and New
Organizations deploying these cloud-native container-based environments often overlook APIs and identity, according to Jason Schmitt, CEO of Aporeto, among the newer of the startups. The recent release of Aporeto Enterprise 2 assigns contextual application identity for every component of an application or process. This provides security for microservices and cloud-native applications with API access control, runtime threat and vulnerability management and identity management, according to the company. Schmitt says its solution protects both traditional and microservice application architectures. “The best way to think about us is essentially a workload security platform that spans Linux workloads all the way to cloud native,” Schmitt said. “We’re very centered on container workloads and infrastructure and can work natively in a Kubernetes environment. But we also provide similar sort of uniform policy across a heterogeneous environment so container workloads across multiple cloud and multiple clusters.”

Meanwhile, more established providers of larger IT security portfolios are also adding container scanning to their offerings. For example, an update rolling out to Tenable.io Container Security, which already scanned containers in the build and test process for vulnerabilities, will be able to scan those in production. The new release also offers connectors to Microsoft Azure and Google’s GCP. The Tenable.io Container Security update, announced last month, is set to roll out in stages by August with support for Kubernetes. The company added container security to Tenable.io with its late-2016 acquisition of FlawCheck, which started out with an offering that scanned Docker containers. Tony Bettini, senior director of software engineering at Tenable, said scanning containers as part of the SDLC process validates that those containers in production are from the same source as the images. “This way we can detect containers that have been modified in production because of say a compromised container or some other type of hack or compromise,” Bettini said. “It also allows us to do much faster scanning because we can do the scanning without adversely affecting production environments by doing the scanning on the SDLC side.”
“Doomsday” flaw discovered in RunC underscores potential for critical container vulnerabilities
By Jeffrey Schwartz
The discovery of a major security flaw in the common open-source runtime engine for Docker, Kubernetes and other container management systems points to an underlying risk associated with containerized applications. Researchers Adam Iwaniuk and Borys Popławski discovered the vulnerability, CVE-2019-5736, in runC, the common runtime engine developed by Docker and now a common Open Container Initiative (OCI) specification used across most modern container images, such as Alpine, Debian, Mesos and Red Hat, among others. Aleksa Sarai, one of the community maintainers of runC, this week verified the vulnerability.

“That fear of container isolation failing to hold up turned out to be true,” noted Asif Awan, CTO for containers at vulnerability management provider Qualys, in a post warning of the runC hole. Unpatched, the runC vulnerability poses an even greater risk than a flaw discovered two months ago that impacted Kubernetes 1.10 and higher, experts noted.

The discovery drew widespread concern because runC is nearly ubiquitous in modern containerized applications. “As far as container runtimes go, runC is used by just about every container engine out there — it’s a fundamental component of even the most basic Linux container implementations as a low-level runtime,” noted Scott McCarty, Red Hat’s principal product manager for containers, in a post warning of the vulnerability. McCarty noted that a broad range of container infrastructure and Kubernetes orchestration offerings, including the Red Hat OpenShift Container Platform, use runC. While he and the broad ecosystem of security, application and cloud providers all urged customers to patch their systems, Red Hat platforms ship with SELinux in “enforcing mode,” which should protect against exploitation of the runC flaw, McCarty noted.

An attacker exploiting the runC flaw could potentially inflict significant damage, according to experts. Banjot Chanana, Docker’s VP of product, warned in a blog post that a malicious container image could gain administrative privileges on a host. In a worst-case scenario, an attacker could gain access to an entire cluster, Shiri Ivtsan, a product manager at WhiteSource, a provider of security, licensing and reporting tools for open-source environments, told IT Ops Times. “It has very serious implications if a hacker goes into the cluster,” Ivtsan said. “They can do basically whatever they want. They can delete users, they can inject any code that they want into applications and they can even see data.” While the December Kubernetes vulnerability also enabled privilege escalation, Ivtsan explained the runC flaw is potentially more dangerous. “This is bigger than just Kubernetes because it’s tied to the Docker container image,” she said.

Gavin Millard, VP of intelligence at cybersecurity risk assessment platform provider Tenable, shared a similar concern. “You have to take these vulnerabilities very seriously, especially as a lot of the cloud providers leverage Kubernetes and Docker containerization,” he said. Moreover, the discovery of the runC flaw validates the fear that just because containers are isolated, that doesn’t make them more secure, according to Qualys’ Awan. “The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack and compromise the entire host,” Awan noted. “The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.”

For its part, Docker’s engineering team worked with the runC maintainers to create and issue a patch, according to Chanana. “Docker recommends immediately applying the update to avoid any potential security threats,” he noted. Chanana advised that systems with Docker Engine-Community should be updated to 18.09.2 or 18.06.2, and those with Docker Engine-Enterprise should be patched with 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19.
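As an added example (not code from the article, Docker or the runC project), the script below turns Chanana's patch advice into a host check: it classifies a Docker Engine version string against the fixed releases listed above, and compares the host's runC binary with a hash recorded when the host was known good, since the flaw works by overwriting that binary. How it treats branches the article does not mention is this script's own assumption.

```shell
#!/bin/sh
# Check a Docker Engine version against the patched releases the article lists
# for CVE-2019-5736, and check that the host's runC binary still matches a
# known-good sha256 (the flaw is exploited by overwriting that binary).
# Added example; not code from the article, Docker or the runC project.
# Patched releases named in the article:
#   Engine-Community:  18.09.2, 18.06.2
#   Engine-Enterprise: 18.09.2, 18.03.1-ee-6, 17.06.2-ee-19
# Assumptions: branches newer than 18.09 postdate the fix and count as patched;
# a branch with no patched release listed is reported vulnerable.

# Split "MAJOR.MINOR.PATCH[-ce|-ee-N]" into $major $minor $patch $ee.
parse_version() {
  v=${1%%-*}                                  # "18.03.1-ee-6" -> "18.03.1"
  case $1 in
    *-ee-*) ee=${1##*-ee-} ;;                 # enterprise build number, e.g. 6
    *)      ee=0 ;;
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case $rest in *.*) ;; *) patch=0 ;; esac    # tolerate "18.09" with no patch
  minor=${minor#0}; [ -n "$minor" ] || minor=0      # "09" -> 9 for arithmetic
  patch=${patch%%[!0-9]*}; [ -n "$patch" ] || patch=0
}

# Print "patched" or "vulnerable" for a Docker Engine version string.
runc_fix_status() {
  parse_version "$1"
  case "$major.$minor" in
    18.9) [ "$patch" -ge 2 ] && echo patched || echo vulnerable ;;
    18.6) [ "$patch" -ge 2 ] && echo patched || echo vulnerable ;;
    18.3) if [ "$ee" -gt 0 ] && { [ "$patch" -gt 1 ] || { [ "$patch" -eq 1 ] && [ "$ee" -ge 6 ]; }; }
          then echo patched; else echo vulnerable; fi ;;
    17.6) if [ "$ee" -gt 0 ] && { [ "$patch" -gt 2 ] || { [ "$patch" -eq 2 ] && [ "$ee" -ge 19 ]; }; }
          then echo patched; else echo vulnerable; fi ;;
    *)    if [ "$major" -gt 18 ] || { [ "$major" -eq 18 ] && [ "$minor" -gt 9 ]; }
          then echo patched; else echo vulnerable; fi ;;
  esac
}

# Compare the sha256 of a runC binary with a hash recorded when the host was
# known good (e.g. right after patching). Returns 0 on match, 1 otherwise.
runc_hash_matches() {
  bin=$1; expected=$2
  actual=$(sha256sum "$bin" 2>/dev/null | cut -d' ' -f1)
  [ -n "$actual" ] || actual=$(shasum -a 256 "$bin" 2>/dev/null | cut -d' ' -f1)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Live use:  sh runc_check.sh --live [BASELINE_SHA256]
if [ "${1-}" = "--live" ]; then
  ver=$(docker version --format '{{.Server.Version}}')
  echo "Docker Engine $ver: $(runc_fix_status "$ver")"
  if [ -n "${2-}" ]; then
    bin=$(command -v runc || command -v docker-runc)   # older engines ship docker-runc
    if runc_hash_matches "$bin" "$2"; then
      echo "runC binary $bin matches baseline"
    else
      echo "WARNING: runC binary $bin differs from baseline; treat host as compromised until verified"
    fi
  fi
fi
```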
A guide to container security tools
• Alcide is a cloud-native security leader empowering DevSecOps teams to continuously secure and protect their growing multi-cluster Kubernetes deployments. By automatically discovering, managing and enforcing security policies across deployments, Alcide’s Microservices Firewall for K8s and Istio enables unified code-to-production enforcement of security policies spanning networks and workloads. This enables the smooth operation of business apps while protecting cloud deployments from malicious attacks.
• With Alert Logic, you get the industry’s only network intrusion detection solution and log management for containers, with support for AWS, Azure, Google Cloud Platform, on-premises, and hosted environments. Detect and visualize threats in real time for any workload in any container (Docker, Kubernetes, Elastic Beanstalk, Elastic Container Service, and CoreOS). Plus, our security professionals watch over your environment 24/7, so you’re never on your own.
• Aqua Security: Aqua’s Container Security Platform provides an end-to-end security solution for containerized environments. The platform can be deployed on all major public clouds or on-premises, and works with all major orchestrators. Aqua provides full life-cycle security for containers and cloud-native applications, from your CI/CD pipeline to runtime production environments. The platform can secure serverless FaaS, Fargate, ACI, Kubernetes clusters, multi-cloud deployment security and more.
• NeuVector scans for vulnerabilities during the entire CI/CD pipeline, from build to ship to run. Use the Jenkins plug-in to scan during build, monitor images in registries and run automated tests for security compliance. Prevent deployment of vulnerable images with admission control, but also monitor production containers. Blazing fast, highly scalable image vulnerability analysis scans thousands or hundreds of thousands of images. NeuVector audits host and container security with Docker Bench and the Kubernetes CIS Benchmark for security tests.

FEATURED PROVIDER
• WhiteSource: WhiteSource offers a holistic approach to open-source component management, providing complete visibility and control throughout the container development life cycle. Our solution automatically detects all open-source components in your container images and containers and enforces policies automatically during development and production. WhiteSource offers native integrations to all environments along the way, including all CI servers, container registries, and container orchestration tools such as Kubernetes.
• Qualys Container Security (CS) gives you complete visibility of container hosts wherever they are in your global IT environment, on premises and in clouds. It gathers comprehensive topographic information about your container projects: images, image registries, and containers spun from the images. With dynamic, customizable dashboards, you can see your complete inventory and security posture from containers to hosts. Qualys CS lets you scan, protect and secure the running containers. You can also detect containers drifting from the parent image, breaking the immutable behavior with a different vulnerability posture and software configuration. Qualys CS also features policy-based orchestration to stop vulnerable images from being spun up in Kubernetes clusters.
• Sensu is designed to effortlessly handle the ephemeral and challenging nature of container orchestration, without generating false alarms when a container or a pod is shut down. Sensu collects events, metrics, and labels from Kubernetes as well as Docker to give you deeper insight into your infrastructure. Besides monitoring container workloads on Kubernetes, Red Hat OpenShift, Docker Swarm, Mesos, and Cloud Foundry, Sensu also monitors the underlying hosts, whether they’re in AWS, Google Cloud, Azure, or Red Hat OpenShift. With Sensu, it’s easy to collect Prometheus and StatsD metrics and store the data in the tools you’re already using, including InfluxDB, Elasticsearch, or Splunk. Free your metrics!

• Snyk: Taking code written by others, often with little to no vetting of its security pedigree, can put your application at risk. Snyk enables you to find, and more importantly fix, known vulnerabilities in your open source. And it’s built by the best developers and security researchers in the space. Snyk allows you to find vulnerabilities in your repos and remediate risks with automated updates and patches, to block vulnerable libraries in CI/CD and monitor PaaS/serverless apps for dependency flaws.

• Synopsys: Automate security testing with your existing tools, and maintain development velocity with flexible CI/CD integrations. Automate security testing
Continued on page 12
June 2019
11
< continued from page 11
and policy enforcement with Jenkins, Travis, Kubernetes, red Hat openshift, and other devops orchestration tools. receive unified alerting via email or slack, as well as Jira integration, that notifies you in real time of vulnerabilities in development and production while supporting workflow automation.
• With Sysdig Secure you protect your applications across the container life cycle. We bring together image scanning, run-time protection, and forensics to identify vulnerabilities, block threats, enforce compliance, and audit activity across your microservices. Sysdig ContainerVision collects data through system calls, giving you 10x more signals about container, host and orchestrator activity in your environment. Our behavioral models leverage data from the millions of containers we already protect to create the most effective out-of-the-box container protection and response for you.
• The Threat Stack Cloud Security Platform monitors your cloud workloads, analyzing user, system, and file behavior, and alerting you to suspicious activity. For containerized infrastructure, Threat Stack comes with pre-configured rulesets for Docker and Kubernetes, so you'll get immediate observability across your containers.
• You can trust Twistlock to provide comprehensive Docker security solutions: the vulnerability and compliance management capabilities, advanced threat intelligence, and powerful runtime protection required to secure your containerized applications. Twistlock is proud to be a contributor to the Moby project and builder of the pluggable authorization and secrets management you're already using with Docker. And, with over 80 built-in checks that cover every recommendation in the CIS Docker Benchmark, Twistlock monitors and automatically enforces compliance policies across the container application lifecycle.
How does WhiteSource help companies secure their containers?
We help development teams to secure their containers by providing them with full visibility and control over their open source usage in their container images and containers. Our solution supports the entire container lifecycle via advanced integration with all container registries as well as Kubernetes. WhiteSource monitors and alerts on security and compliance issues from the earliest stages of development all the way through to production. We help you to securely manage your container images and containers with continuous security monitoring in CI servers, container registries, during run-time and on Kubernetes. Our advanced integration enables you to enforce your WhiteSource policies automatically throughout the container lifecycle in order to block vulnerable components from entering production, initiate automated workflows, and get real-time alerts on security and compliance issues. We offer native integrations for Docker Hub, Amazon ECR, Azure Container Registry, Google Cloud Registry, and JFrog Artifactory. The WhiteSource Kubernetes Controller is a designated lightweight pod located inside your Kubernetes cluster. It detects all open source components in your cluster and alerts on issues as per your organizational policies. The Controller scans container images, including the file system, installed packages, image layers, and handled archive files, to detect security and compliance issues, enforce policies, initiate workflows and support the remediation process. It supports all managed service providers (AKS, EKS, and GKE). In addition, our solution also tracks changes (e.g. a new deployment or image modifications) to detect new vulnerabilities.
WhiteSource's Kubernetes Dashboard displays the comprehensive security status of your deployed resources in one dashboard. View vulnerabilities per pod or per severity, monitor scan progress and analyze alerts over time. Track your clusters' enforcement in real time and manage rejected resources.
Secure Your Open Source Components in Your Containers
9 security best practices for Kubernetes you should be following
By Jenna Sargent
The Cloud Native Computing Foundation (CNCF) has shared a list of nine best security practices for the popular container orchestration tool Kubernetes. "As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure," wrote Connor Gilbert, a product manager at the container security company StackRox, who drafted the list. The nine practices are:

1. Upgrade to the latest version: Because new security features are added in each quarterly update, Gilbert recommends that users always run the latest stable version. He also notes that upgrading becomes more difficult the further behind you are, so it is wise to update at least once per quarter, as releases come out.

2. Enable Role-Based Access Control (RBAC): RBAC lets you control who can access the Kubernetes API and what permissions they have. RBAC is enabled by default in 1.6 and later, but users on earlier versions should double-check their settings. Those using RBAC should avoid granting cluster-wide permissions; instead, grant access as needed on a case-by-case basis, preferably with namespaced Roles rather than ClusterRoles.

3. Use namespaces to establish security boundaries: Creating separate namespaces provides a first level of isolation between components, and makes it easier to apply security controls.

4. Separate sensitive workloads: To reduce the impact of a compromise, Gilbert recommends running sensitive workloads on a dedicated set of machines. This reduces the risk of a sensitive application being reached through a less-secure application that shares a container runtime, Gilbert explained. Workloads can be separated using node pools together with Kubernetes namespaces, taints, tolerations, and other controls.

5. Secure cloud metadata access: A pod that can reach the cloud provider's instance metadata endpoint can read the node's own credentials, so GKE's metadata concealment feature changes the way clusters are deployed to prevent that sensitive metadata from being stolen. Gilbert recommends using GKE's feature until a more permanent solution is implemented.

6. Create and define cluster network policies: Network Policies let you control network access into and out of your containerized applications. Only certain networking providers enforce this resource, so check with your provider: a NetworkPolicy created on a cluster whose network plugin does not support it is accepted by the API but has no effect.

7. Run a cluster-wide Pod Security Policy: A Pod Security Policy sets defaults for how workloads should run in your cluster. Gilbert recommends that users consider defining a policy and enabling the Pod Security Policy admission controller.

8. Harden node security: Gilbert also recommends improving the security posture of your nodes by ensuring the host is secure and configured correctly, controlling network access to sensitive ports, and minimizing administrative access to Kubernetes nodes.

9. Turn on audit logging: Make sure that audit logs are enabled and that you are monitoring them for anomalies, especially authorization failures. Authorization failures may signal that an attacker is trying to abuse stolen credentials. According to Gilbert, managed Kubernetes providers, such as GKE, provide access to this data and may let you set up alerts for authorization failures.

"Follow these recommendations for a more secure Kubernetes cluster. Remember, even after you follow these tips to configure your Kubernetes cluster securely, you will still need to build security into other aspects of your container configurations and their runtime operations. As you improve the security of your tech stack, look for tools that provide a central point of governance for your container deployments and deliver continuous monitoring and protection for your containers and cloud-native applications," Gilbert said.
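To make practices 2 through 6 concrete, here is an added example (not from the article, StackRox or the CNCF) that applies them to a hypothetical "payments" namespace; every name, label, image and port in it is an assumption. Note the namespaced Role and RoleBinding in place of a ClusterRoleBinding, the default-deny NetworkPolicy with the explicit DNS egress exception that a blanket egress deny would otherwise break, and the taint and toleration that keep the pod on a dedicated node pool.

```yaml
# Added example, not from the article: namespace-scoped hardening for a
# hypothetical "payments" service. All names, labels, images and ports are
# assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
---
# Practice 2: a namespaced Role for the CI deployer instead of binding the
# CI service account to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: payments
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: payments
subjects:
- kind: ServiceAccount
  name: ci            # assumed CI service account
  namespace: ci-system
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
---
# Practice 6: deny all ingress and egress by default for every pod in the
# namespace; only explicit policies open traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Default-deny egress also blocks DNS, which breaks service discovery, so
# allow UDP/TCP 53 to kube-dns. Kubernetes 1.21+ labels every namespace with
# kubernetes.io/metadata.name; on older clusters add that label yourself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Practice 4: run the sensitive pod only on nodes tainted with
#   kubectl taint nodes <node> workload=sensitive:NoSchedule
# and labeled workload=sensitive, so it never shares a kernel with the
# shared pool's workloads.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
  labels: {app: payments-api}
spec:
  nodeSelector: {workload: sensitive}
  tolerations:
  - {key: workload, operator: Equal, value: sensitive, effect: NoSchedule}
  automountServiceAccountToken: false   # no API token unless the app needs one
  containers:
  - name: api
    image: registry.example.com/payments-api:1.4.2   # assumed image
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: {drop: ["ALL"]}
```

Apply it with kubectl apply -f and then confirm the network plugin actually enforces it: from a pod in another namespace, a connection to payments-api should time out rather than succeed, and a DNS lookup from inside the namespace should still resolve.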
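For practices 7 and 9, an added example (again not the article's, StackRox's or the CNCF's) of a restrictive PodSecurityPolicy, the RBAC that lets every service account use it, and an audit policy that records who was denied what without copying secret contents into the log. The kube-apiserver flags in the comments are the upstream ones; all other names are assumptions. PodSecurityPolicy was current when this guide was written, but it was deprecated in Kubernetes 1.21 and removed in 1.25, where the built-in Pod Security Admission controller takes its place, so read the first document as the 2019 form of the control.

```yaml
# Added example, not from the article. Enable the admission controller with
#   kube-apiserver --enable-admission-plugins=...,PodSecurityPolicy
# only after a policy and a binding exist; otherwise no pod can be created.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: false
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
---
# A PSP only applies to pods whose creator is allowed to "use" it; binding the
# system:serviceaccounts group covers every pod created through a controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-all-serviceaccounts
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
---
# Practice 9: audit policy, loaded with
#   kube-apiserver --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
#                  --audit-log-path=/var/log/kubernetes/audit.log
# Every recorded event carries responseStatus.code; a burst of 403s for one
# user or service account is the "authorization failure" signal to alert on.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
# Rules are first-match: record who touched secrets and tokens, never bodies.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
  - group: authentication.k8s.io
    resources: ["tokenreviews"]
# Drop the high-volume, low-value watch traffic from kube-proxy.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
# Keep request bodies for writes so changes can be reconstructed later.
- level: Request
  verbs: ["create", "update", "patch", "delete"]
# Everything else: user, verb, resource and the authorization decision only.
- level: Metadata
```

Once the log is flowing, filter it for events where responseStatus.code is 403 and group them by user.username; a single principal accumulating denials across many namespaces or resource types is exactly the stolen-credential pattern the article warns about.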