Cloud Native SecurityCon

Ten things we learned attending Cloud Native SecurityCon North America 2022

Nikos Stathis
XM Global

--

My colleague Kyriakos Anastasakis and I attended Cloud Native SecurityCon last October, a co-located event of KubeCon + CloudNativeCon North America 2022 in Detroit.

Sending our people to technical conferences around the world is an established part of the XM culture. It is part of our continued professional development, alongside initiatives such as online training platforms, courses and seminars. Attendees share what they learned with the rest of the IT team, covering both the talks themselves and the wider IT culture, trends and developer experience. This gives us not only personal and team development but also an insight into how we compare with other IT companies in terms of architecture, best practices, tools and culture.

Having attended the conference, we can say that XM is in a very good state regarding Kubernetes security patterns and already applies most of the recommended security practices.

Here are 10 things we learned from the conference:

01. Open Web Application Security Project Kubernetes Top Ten
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem.
The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity.
https://owasp.org/www-project-kubernetes-top-ten/

02. Cloud Native Security Whitepaper
In May 2022 the CNCF Security Technical Advisory Group (TAG Security) published version 2 of its Cloud Native Security Whitepaper.
The paper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, how to incorporate it into their lifecycle processes, and considerations for determining the most appropriate application thereof.
https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf

03. Container Vulnerability Statistics
Slim.ai is a company focused on cloud native security that since 2020 has produced an annual report on vulnerabilities in public container images.
You can find the latest report here:
https://www.slim.ai/content/slimaicontainerreport2022_final.pdf
There are many interesting points in the report, starting with this:
"Despite a year of intense focus on software supply chain security, 60 percent of the world's most popular containers have MORE vulnerabilities today than they did one year ago."

04. Vulnerabilities shape the future
Almost every security talk referred to two of the most consequential security events of recent years: the Log4Shell vulnerability in Apache Log4j (CVE-2021-44228) and the SolarWinds supply-chain compromise.
Their impact has led to new tools, new security patterns and a worldwide focus on making sure that incidents like these do not happen again.

05. Securing the supply chain
Supply chain security is a crucial responsibility of every organization and security team.
Software company SolarWinds was breached in 2020: attackers inserted malicious code into its Orion IT monitoring and management software, a platform used by large corporations and government agencies, and the code was shipped to customers as a legitimate, signed update. By attacking the supply chain, the attackers compromised not only SolarWinds but its customers as well.
In 2021 the President of the United States highlighted the importance of software supply chains and security with two executive orders, one on America's supply chains (February 2021) and one on improving the nation's cybersecurity (May 2021):
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/

06. Software signing and verification
Signing and verification of software artifacts is one of the most important parts of software supply chain security.
One of the most popular suites of tools for this is Sigstore.
Sigstore lets software developers sign artifacts such as release files, container images, binaries and bill-of-materials manifests. Its main components are cosign (signing and verifying), Fulcio (a certificate authority that issues short-lived signing certificates bound to an OIDC identity, so no long-lived keys need to be managed) and Rekor (a tamper-resistant, append-only public transparency log in which the signing materials are recorded). A consumer verifies both the signature and the log entry, so a signature that was never logged, or a log that has been altered after the fact, is detectable.
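What "tamper-resistant public log" means in practice is a Merkle tree: every signing record becomes a leaf, the log publishes a single root hash, and anyone can check that a given record is included without trusting the log operator. The following is an added example written for this post, not Sigstore's or Rekor's code. It implements the RFC 6962 hashing that Rekor uses (0x00 prefix for leaves, 0x01 for interior nodes), builds inclusion proofs and verifies them with the RFC 9162 algorithm; the log entries are constructed sample records, and the registry names in them are placeholders.

```python
"""Tamper-evident append-only log: RFC 6962 Merkle tree inclusion proofs.

Added illustration of the idea behind Rekor-style transparency logs; not
Sigstore's code. LOG_ENTRIES are constructed sample records.
"""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix keeps leaf hashes distinct from interior-node hashes,
    # so a node cannot be passed off as a leaf (second-preimage defence).
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the 'k' of RFC 6962)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(entries: list[bytes]) -> bytes:
    """Merkle Tree Hash of the whole log (MTH in RFC 6962)."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))


def inclusion_proof(index: int, entries: list[bytes]) -> list[bytes]:
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [root_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [root_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 procedure).

    Only the published root, the claimed index/size and the proof are needed;
    the verifier never has to trust or download the rest of the log.
    """
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are the right child
            if not fn & 1:
                # Right edge of an incomplete subtree: skip the levels that have no sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are the left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample records: image reference, digest and signature identifier
LOG_ENTRIES = [
    b"registry.example.com/xm/api:1.4.0 sha256:3f2a9c1e sig:MEUCIQDk1",
    b"registry.example.com/xm/api:1.4.1 sha256:77b0d2aa sig:MEUCIFz8q",
    b"registry.example.com/xm/api:1.4.2 sha256:c41e09f3 sig:MEYCIQCw0",
    b"registry.example.com/xm/worker:2.0.0 sha256:0bd7e5c2 sig:MEQCIBxs2",
    b"registry.example.com/xm/worker:2.0.1 sha256:9a6f31d8 sig:MEUCIQCtr",
    b"registry.example.com/xm/gateway:0.9.3 sha256:e28c4b07 sig:MEUCIGd9y",
]


def demo() -> dict:
    root = root_hash(LOG_ENTRIES)
    size = len(LOG_ENTRIES)  # 6 leaves: exercises the unbalanced-tree path
    all_valid = all(
        verify_inclusion(e, i, size, inclusion_proof(i, LOG_ENTRIES), root)
        for i, e in enumerate(LOG_ENTRIES)
    )
    # Rewriting a record after the root is published cannot be made to verify
    tampered = b"registry.example.com/xm/api:1.4.2 sha256:deadbeef sig:forged"
    tampered_valid = verify_inclusion(tampered, 2, size, inclusion_proof(2, LOG_ENTRIES), root)
    return {"root": root.hex(), "all_valid": all_valid, "tampered_valid": tampered_valid}


if __name__ == "__main__":
    print(demo())
```

The same property is what `cosign verify` relies on when it checks the Rekor inclusion proof alongside the signature: the log can append, but it cannot silently edit or drop an entry without the root (which is also signed and monitored) changing.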

07. SBOMs are here to stay
The Log4Shell vulnerability raised the following question:
if a critical vulnerability has been identified in a library, how do we know which of our systems use it?
The most widely adopted answer is the Software Bill of Materials (SBOM).
During the build of an application, every library it uses (including transitive dependencies) is recorded in an SBOM file, typically in the SPDX or CycloneDX format, which can later be queried when a new vulnerability is announced.
It is quite likely that in the near future government agencies will require SBOMs before approving software used in the public and finance sectors.
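To show how an SBOM answers the Log4Shell question, here is an added example (not tooling from the post or from any SBOM project): it walks a CycloneDX document, including nested transitive components, parses each package URL and reports components of a given package whose version falls in an affected range. The SBOM is constructed for the example, and the range used, log4j-core 2.x before 2.15.0, is a deliberate simplification of the CVE-2021-44228 advisory (the 2.12.2 and 2.3.1 backport releases are not modelled).

```python
"""Query a CycloneDX SBOM for a vulnerable library version.

Added example, not the post's or a vendor's tooling. Answers "does any build
ship log4j-core in the Log4Shell range?" against a build-time SBOM.
SBOM_JSON is constructed, not the output of a real build.
"""
import json
import re
from typing import Iterator, Optional

SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "spring-boot", "version": "2.5.6",
     "purl": "pkg:maven/org.springframework.boot/spring-boot@2.5.6?type=jar",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
       {"type": "library", "name": "log4j-api", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1?type=jar"}
     ]},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    {"type": "library", "name": "requests", "version": "2.28.1",
     "purl": "pkg:pypi/requests@2.28.1"}
  ]
}
"""


def parse_purl(purl: str) -> tuple[str, Optional[str], str, Optional[str]]:
    """Split a package URL into (type, namespace, name, version).

    Qualifiers (after '?') and subpaths (after '#') are dropped; matching on
    the purl rather than the free-text 'name' avoids vendor naming differences.
    """
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if not body.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = body[len("pkg:"):]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.split("/")
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    return ptype, namespace, name, version


def version_key(version: str) -> tuple[int, ...]:
    """Numeric sort key: '2.14.1' -> (2, 14, 1).

    Pre-release suffixes such as '-beta9' are dropped, so '2.0-beta9' sorts
    with '2.0', which is the conservative choice for an affected-range check.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def iter_components(components: list[dict]) -> Iterator[dict]:
    """Depth-first walk over components, including nested (transitive) ones."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))


def find_affected(sbom: dict, ptype: str, namespace: Optional[str], name: str,
                  introduced: str, fixed: str) -> list[str]:
    """Return purls of the given package with introduced <= version < fixed."""
    hits = []
    for component in iter_components(sbom.get("components", [])):
        purl = component.get("purl")
        if not purl:
            continue
        t, ns, n, version = parse_purl(purl)
        if (t, ns, n) != (ptype, namespace, name) or version is None:
            continue
        if version_key(introduced) <= version_key(version) < version_key(fixed):
            hits.append(purl)
    return hits


def find_log4shell(sbom_json: str = SBOM_JSON) -> list[str]:
    """Simplified CVE-2021-44228 check: log4j-core 2.x before 2.15.0.

    Only log4j-core is affected; log4j-api at the same version is not flagged.
    """
    return find_affected(json.loads(sbom_json), "maven", "org.apache.logging.log4j",
                         "log4j-core", introduced="2.0", fixed="2.15.0")


if __name__ == "__main__":
    for purl in find_log4shell():
        print("AFFECTED:", purl)
```

Run against the constructed SBOM, only the transitive log4j-core 2.14.1 pulled in under spring-boot is reported; the top-level 2.17.1 and the log4j-api artifact are not. In a real pipeline the SBOM would be generated by the build (for example with syft or the CycloneDX Maven plugin) and stored next to the artifact, so the query can be run over every deployed version the day an advisory is published.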

08. Cloud Native Runtime Security Detection
So you have a vulnerability-free container image, built by one of your teams and running inside your Kubernetes cluster.
How will you know if that container starts doing malicious things, inside the container itself or towards the cluster?
Examples are privilege escalation attempts, or a process switching namespaces through the setns system call (for instance with nsenter).
And what if the container is not even yours and you just want to run a public image: how will you know it will not mess things up in the cluster?
The most popular tool for this is Falco.
Falco observes the system calls that applications make to the kernel (through a kernel module or an eBPF probe), evaluates them against a set of rules, and emits an alert whenever a rule matches.
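The kind of rule Falco evaluates, for the namespace-switching case mentioned above, as an added example written for this post rather than one of Falco's bundled rules. The field names are Falco's; the list of excluded runtime process names and the tags are assumptions and should be tuned to the cluster.

```yaml
# Added example rule for the setns/unshare case above; not one of Falco's
# default rules. Field names are Falco's; the exclusion list is an assumption.
- rule: Container Process Changed Namespace
  desc: >
    A process running inside a container called setns or unshare, which is how
    a workload attaches itself to another namespace (for example the host's PID
    or network namespace via nsenter). The container runtime does this
    legitimately when starting a container, so its processes are excluded.
  condition: >
    evt.type in (setns, unshare) and evt.dir = <
    and container.id != host
    and not proc.name in (runc, containerd-shim)
  output: >
    Namespace change from inside a container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository syscall=%evt.type)
  priority: WARNING
  tags: [container, privilege_escalation]
```

`evt.dir = <` matches the syscall's exit event, so the alert reflects a call that actually completed, and `container.id != host` restricts the rule to containerised processes. Expect to extend the exclusion list for agents that legitimately enter namespaces (CNI plugins, some observability tools) before running this in enforce mode.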

09. Kubernetes Native Policy Management
Kubernetes provides several native policy objects, such as NetworkPolicies, ResourceQuotas and LimitRanges (Pod Security Policy belonged to this group too, but it was deprecated in Kubernetes 1.21 and removed in 1.25 in favour of Pod Security Admission).
These policies are native API objects that govern the behavior of the cluster. However, there are many situations where users need settings that are enforced cluster-wide, or even across all clusters within an enterprise.
To scale Kubernetes usage, a central team needs to be responsible for ensuring the proper configuration of Kubernetes policies and for validating other best-practice guidelines.
One of the most popular tools for this is Kyverno.
Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources, so they are versioned and deployed like any other manifest.
Kyverno policies can validate, mutate and generate Kubernetes resources, and can verify OCI image signatures and attestations for supply chain security. The Kyverno CLI can test policies and validate resources as part of a CI/CD pipeline, before anything reaches the cluster.
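A policy of the kind described above, as an added example (not a policy from Kyverno's library): one ClusterPolicy that ties items 06 and 09 together by admitting only images signed with a known cosign key, and that rejects privileged containers. The image prefix `registry.example.com/xm/*` and the public key are placeholders.

```yaml
# Added example ClusterPolicy; not part of Kyverno's policy library.
# The image prefix and the cosign public key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: supply-chain-baseline
spec:
  validationFailureAction: Enforce   # reject violating Pods instead of only auditing them
  background: false
  rules:
    # Supply chain: only admit images from our registry that carry a valid cosign signature
    - name: require-signed-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/xm/*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign public key placeholder>
                      -----END PUBLIC KEY-----
    # Hardening: a privileged container has full access to the node
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

The `=(field)` anchors mean "if this field is present it must match", so Pods that omit `securityContext` entirely still pass while `privileged: true` is rejected. The same file can be checked in CI before it is applied with `kyverno apply supply-chain-baseline.yaml --resource pod.yaml`, which is the CLI use the paragraph above refers to.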

10. CTF as a fun way to learn k8s security
There are some fun Capture the Flag games that help you understand Kubernetes bad practices.
There were three CTF events at SecurityCon and KubeCon.
You usually start with a shell in a pod running inside a Kubernetes cluster and try to find hidden flags.
The flags can only be reached by abusing misconfigurations of the cluster or other unpatched vulnerabilities.
