The latest release of the container security platform StackRox expands its focus beyond just containers to cover the entire lifecycle from build to runtime, adding protection from orchestrator-based threats. Integral to that is a feedback loop using data to build better security into software earlier in the process, explained Wei Lien Dang, StackRox vice president of product.
The release also adds vulnerability scanning and policy enforcement for network segmentation and secrets.
“At the build phases, we’re leveraging declarative metadata that developers or DevOps teams specify to better reduce the attack surface and better focus detection,” he said. “Our focus has been on preventing things: blocking things from deploying into the environment in the first place. We’re also using information at runtime to better inform policies from the time container images are built, before containers ever launch into the environment.”
A lot of companies provide standalone functionality at different phases of the container lifecycle, he said, but StackRox sees the opportunity to provide better context for customers and provide better security by tying information from those different phases together.
“With containers, there’s an expansion in the number of layers customers need to be concerned about in the stack. Companies that are running on VMs or bare metal, in the move to containers, you introduce the runtime, the orchestrator, the containers themselves. We take a holistic view and what we call a multi-factor approach to profiling security issues and risks,” he said.
The platform draws on several sources of metadata that developers or DevOps teams specify.
“We understand the images themselves, we look at Docker files to look at how things should be composed, app and deployment manifests, typically in the form of YAML files. We build in policies not just on vulnerabilities: does this container have critical vulnerabilities, when was the last time it was scanned, is it meant to run privileged, is it in a test versus production environment, what’s the criticality of this application?” he explained.
“We’re looking not just at vulnerabilities, but at misconfigurations, best practices, privileges that a container has, we get to the level of what ports are open, benchmarks and creating awareness for the customer of the most critical security issues they need to prioritize. That information is then automatically sent back to the tools and systems developers use.”
It uses risk scoring: if a threat is detected in a container that was launched from a particular service or a particular image, it automatically elevates the risk score for that service or image.
“This is typically done manually today in non-container environments. This is a fully automated process. The operator on the customer side doesn’t have to act on this; it’s immediately funneled back and the risk score automatically adjusted,” he said.
The result, he said, is better collaboration and faster iteration and remediation between security and DevOps or developers by presenting and prioritizing the most relevant information they need.
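To make the policy checks and risk scoring described above concrete, here is an added Python example (illustrative code written for this article, not StackRox's own): it evaluates a constructed Deployment manifest against the build-phase policies named in the quotes (critical vulnerabilities, privileged mode, open host ports, and the test-versus-production and criticality labels), decides whether the deploy should be blocked, and elevates the risk score when a runtime threat is reported. The manifest, the scanner output and the severity weights are assumptions.

```python
from dataclasses import dataclass

# Constructed sample: a production, high-criticality Deployment as parsed from YAML.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "payments",
                 "labels": {"env": "prod", "criticality": "high"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app",
        "image": "registry.example/payments:1.4",
        "securityContext": {"privileged": True},
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
    }]}}},
}
# Constructed scanner output keyed by image; a real scanner would supply this.
SAMPLE_SCAN_RESULTS = {"registry.example/payments:1.4": {"critical": 2}}

@dataclass
class Finding:
    policy: str
    severity: int  # 1 (low) .. 4 (critical)
    detail: str

def evaluate_deployment(manifest, scan_results):
    """Apply build-phase policies; severity rises with env/criticality labels."""
    labels = manifest.get("metadata", {}).get("labels", {})
    bump = (labels.get("env") == "prod") + (labels.get("criticality") == "high")
    findings = []
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        crit = scan_results.get(c["image"], {}).get("critical", 0)
        if crit:
            findings.append(Finding("critical-vulns", min(4, 2 + bump),
                                    f"{c['name']}: {crit} critical CVEs in {c['image']}"))
        if c.get("securityContext", {}).get("privileged"):
            findings.append(Finding("privileged", min(4, 2 + bump),
                                    f"{c['name']} runs privileged"))
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(Finding("host-port", min(4, 1 + bump),
                                        f"{c['name']} binds hostPort {p['hostPort']}"))
    return findings

def should_block(findings):
    """Admission decision: block the deploy if any finding is critical."""
    return any(f.severity >= 4 for f in findings)

def risk_score(findings, runtime_threat=False):
    """Sum of severities; a runtime detection automatically elevates the score."""
    return sum(f.severity for f in findings) + (4 if runtime_threat else 0)
```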
He pointed to the Tesla hack as an example of a Kubernetes-based breach. In that case, hackers broke into an unsecured Kubernetes dashboard exposed to the internet and were able to “mine” cryptocurrency on Tesla’s Amazon S3 bucket.
StackRox evaluates role-based access controls, network policies and secrets in Kubernetes and detects exploits on certain components within Kubernetes environments, including the kubelet, Kubernetes service endpoints or cloud metadata servers.
“StackRox helps evaluate the configuration of the orchestrator itself as well as how customers are using the security capabilities built into the orchestrators. Kubernetes has built-in role-based access controls, network segmentation policies and secrets management. We provide policy enforcement to make sure the customer is appropriately taking advantage of those capabilities,” he said.
On an episode of The New Stack Makers, Liz Rice, technology evangelist at Aqua Security, and Justin Cappos, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, spoke about security projects within the Cloud Native Computing Foundation (CNCF). These include the TUF (The Update Framework) project, which allows administrators to track provenance and integrity for applications run inside a cloud environment, and SPIFFE (Secure Production Identity Framework For Everyone), which does something similar for services.
However, Kubernetes security remains an evolving landscape with gaps between growing projects, Rice said.
Feature image via Pixabay.