Docker, the Cloud Native Computer Foundation Get Serious about Security
The Cloud Native Computing Foundation (CNCF) sponsored this post.
The fact that cloud native and container exploits are becoming more attractive targets for attackers as they grow in popularity is obvious. But as of late, some gaping security holes in both platforms have sparked even greater causes for concern.
To wit, a security hole was recently revealed — with a sure-fire fix lacking at the time when this article was posted — that detailed how an attacker can gain root access to Docker container hosts. The vulnerability, similar in scope to a symlink-race attack, a SUSE security researcher revealed how the present vulnerability is applicable to any host associated with a Docker engine.
It is always an easy bet to make that other Docker and cloud native vulnerabilities exist that have not yet been publicly revealed. And, needless to say, most attackers anyway are looking for easier doors to open — or, more accurately, doors opened for them — by running very easy-to-run password exploits.
Without critiquing how effective they are here, the Cloud Native Computing Foundation (CNCF) and Docker say they are taking more aggressive steps to lock down container and cloud native deployments. More importantly, they are offering more processes and disclosing more information about how organizations can use the resources they offer to help themselves.
During the recently held KubeCon + CloudNativeCon in Barcelona, Chris Aniszczyk, CNCF chief technology officer and chief operating officer for the CNFC, and Justin Cormack, a Docker security engineer, how both organizations are reaching out in new ways for organizations to become better masters of their security fates. They spoke with Joab Jackson, managing editor, during a The New Stack makers podcast at the conference.
On a holistic level, the CNCF has always offered security tools and information to its members, with security audit emerging as a key process for member projects. It does this by contracting with third-party security firms. “You have someone externally look at your code, do some potential threat modeling, pen testing and so on and then give those results the projects, while making sure that their security disclosure process works,” Aniszczyk said. “And the projects themselves are able to address any concerns they have because a graduation requirement for our projects is they must be able to have a security disclosure process and also be able to survive event security audit.”
So far, Aniszczyk said about a dozen audits have been completed for CNCF projects. “What’s also kind of cool,” Aniszczyk said, is how the reports are open-sourced and are “shared the world.”
Cormack applauded how the CNCF initiative manages audits for sandbox projects and early-stage projects as well and “not just for when things are graduating.” This is “really nice, because there’s a lot but new projects can learn when they’re starting up about security from having an audit,” Cormac said.
Vulnerabilities revealed during the CNCF audits, or in the Kubernetes platform, will only be published once fixes are founds, Aniszczyk said. “The process is actually happening now with Kubernetes. The audits are about finalized, so the reports are being written and all the issues are being pushed upstream and any relevant CDs will be created,” Aniszczyk said. “So, we’re hoping to show [the reports] probably in a couple of months.”
In this Edition:
1:40: Exploring the CNCF security audit process for projects
7:00: It sounds like for the auditing companies cloud native computing components can be kind of a challenge as well.
11:47: The security-related projects in CNCF.
12:30: It seems part of the goal is to get the projects thinking around the same lines for security best practices.
19:58: Justin, can you offer an update on the Docker Hub security breach?
25:40: Is the zero trust model a good approach for cloud native computing users to keep in mind?
The Cloud Native Computing Foundation is a sponsor of The New Stack.