If no one’s looking for it, no one’s really thinking about it.
This is the classic security problem Gareth Rushgrove, director of product management at Snyk, pointed to during his conversation with The New Stack founder and publisher Alex Williams at KubeCon’s Cloud Native Security Day. Snyk is a Software-as-a-Service dedicated to helping organizations flag and fix vulnerabilities in their open source, third-party dependencies.
“Transitive dependencies are a really common source of vulnerabilities,” Rushgrove said. “Not [just] things that you choose to include, but the things you choose to include choose to include, potentially down a tree of many dependencies.”
This causes software supply chains to become complicated and sprawling very quickly, and the distance between the developer using the code and the one who wrote it only increases.
“Most people cannot answer the question of how many component parts go into even a single microservice. Combine multiple microservices, it becomes really difficult to answer those types of questions with the tooling we typically use today,” Rushgrove said.
Security becomes a natural trade-off for the convenience of problem-solving third-party content, and any third-party content brought into your systems poses a potential risk to those systems.
Snyk Releases Helm Chart Security Report
Snyk helps shine a light on, and remediate, security vulnerabilities in popular tooling and languages such as Java, Python, containers and Kubernetes. At the time of this interview, it had released the report “The untold tale of Helm Chart security” alongside its new Helm security plug-in.
Helm is a very popular open source application package manager running on top of Kubernetes that eases the process of installing and managing Kubernetes applications. Rushgrove describes a Helm chart as a set of manifests (Kubernetes configurations) that have been templatized, plus a set of values fed into those templates, so you can build on top of Kubernetes. The Snyk plug-in renders that template, extracts the container images it references, runs them through Snyk's security scanning, and then offers a report.
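As an added illustration (not Snyk's plug-in code), the following Python script follows the same pipeline the paragraph describes: render the chart with `helm template`, pull every `image:` reference out of the rendered manifests, and check whether each reference is pinned to a tag or digest before it is handed to a scanner. The rendered manifest embedded below is constructed sample output, and the `helm` and `snyk container test` invocations are shown but not executed offline.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what `helm template` prints for a small chart; it stands in
# for real rendered output so the example runs without helm or a chart on disk.
SAMPLE_RENDERED = """\
---
# Source: demo/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-web
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: "registry.example.com/demo/migrate:1.4.2"
      containers:
        - name: web
          image: nginx:latest
        - name: sidecar
          image: ghcr.io/example/sidecar@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
---
# Source: demo/templates/cronjob.yaml
apiVersion: batch/v1
kind: CronJob
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: backup
              image: busybox
"""

# Matches an `image:` key (optionally the first key of a list item), quoted or not.
IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s#]+)["\']?\s*$', re.MULTILINE)

# Tags that float to whatever was pushed most recently, so a scan result for them goes stale.
FLOATING_TAGS = {"latest", "stable"}


@dataclass
class ImageRef:
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def render_chart(chart_path: str, release: str = "audit") -> str:
    """Render a chart to plain manifests. Requires the helm binary; not exercised offline."""
    result = subprocess.run(["helm", "template", release, chart_path],
                            check=True, capture_output=True, text=True)
    return result.stdout


def extract_images(rendered: str) -> list:
    """Return every distinct image reference in the rendered manifests, in order of first appearance."""
    found = []
    for match in IMAGE_LINE.finditer(rendered):
        ref = match.group(1)
        if ref not in found:
            found.append(ref)
    return found


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'repo[:tag][@digest]' the way a registry client does.

    A port in the registry host (host:5000/repo) must not be mistaken for a tag,
    so only a ':' that comes after the last '/' separates the tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ImageRef(ref, tag, digest)


def is_pinned(ref: str) -> bool:
    """True when the reference carries a digest or a non-floating tag; False for 'busybox' or ':latest'."""
    parsed = parse_image_ref(ref)
    if parsed.digest:
        return True
    return parsed.tag is not None and parsed.tag not in FLOATING_TAGS


def audit(rendered: str) -> dict:
    """Map each image reference found in the rendered chart to whether it is pinned."""
    return {ref: is_pinned(ref) for ref in extract_images(rendered)}


if __name__ == "__main__":
    # Replace SAMPLE_RENDERED with render_chart("./path/to/chart") to audit a real chart.
    for ref, pinned in audit(SAMPLE_RENDERED).items():
        print(f"{'pinned  ' if pinned else 'FLOATING'} {ref}")
    # Each extracted reference would next be handed to a scanner, for example
    # `snyk container test <ref>`, which is what the plug-in automates.
```

Flagging floating tags alongside the scan matters because a chart that passed a scan yesterday can pull a different image tomorrow; pinning by digest makes the scan result describe the image that will actually run.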
What did they uncover? First, if no one has really looked for vulnerabilities before, as was the case with Helm, the number found is always high. One easy fix that would have a massive impact is for contributors to always update promptly to the newest versions of the images their charts reference.
Rushgrove’s team spoke with Helm’s maintainers about how they can incentivize or gamify their open source community to keep things up-to-date. After all, with so many tools out there, one that is known as secure will always get the edge.
In the end, Helm exists to offer a higher-level abstraction that makes building on Kubernetes simpler. Rushgrove says that is the value Helm brings; its job isn't to add security.
And this is where more tooling like Snyk will continue to catch on, raising vulnerability awareness, especially to the developer audience.
Rushgrove says that traditionally devs are pushed to go fast while security pushes back to slow down. But now dev teams are more and more responsible for the security of the tooling stack they choose to leverage. In this new world of developer-driven development, only by aligning the two sides can we prioritize security.