With the peak of the holiday season here, when most teams are running lean and may not have the resources to respond to a serious cyberattack, the latest exploitation of the log4j logging library has sent developers scrambling. This incident caps what has been another whirlwind of a year in cybersecurity, fraught with porous technology that has steadily increased the workloads of developers.
The ever-expanding cloud native landscape and broader adoption of open source software were met with increased pressure to accelerate release cycles, placing many businesses at greater risk this year. Ransomware attacks and the contested ground of the modern software supply chain gave adversaries a number of vulnerabilities to explore, while the U.S. presidential administration issued an executive order requiring vendors who manufacture and distribute software to detail what is actually in their products — particularly open source software — in a software bill of materials (SBOM).
From building in security processes earlier in the application life cycle to revisiting existing security technology with evolving new practices, these are the top security stories of the year that influenced developers to keep hackers out of the cloud native ecosystem.
Top Security Stories of 2021:
#1: The Web App Firewall Is Dead and We Know Who Killed It — Web Application Firewalls (WAFs) entered the market in the late 1990s and have traditionally served to protect data and assets from being exploited and attacked. But now, with many organizations operating under faster application release cycles, can the traditional WAF keep up? Check out this story by our sponsor Check Point, for the latest insights to maintain WAFs that will keep up with the speed of DevOps.
#2: Shell-less Kubernetes: Talos Systems Introduces the Common Operating System Interface — Conventionally, Kubernetes is run on top of a standard Linux distribution, but Talos Systems takes a different approach with its container-specific operating system (CSOS), Talos OS, which is driven entirely by application programming interfaces (APIs). Talos Systems believes it is better to run Kubernetes on a CSOS than on a general-purpose Linux, because the general-purpose OS carries unnecessary overhead and lacks any built-in coordination with Kubernetes. Further, the attack surface of a container-specific host OS is smaller than that of a general-purpose host OS, presenting fewer opportunities to compromise it.
#3: Defend the Core: Kubernetes Security at Every Layer — Kubernetes has reached 88% adoption, yet more than half of the respondents in Red Hat’s latest survey said they have delayed deploying Kubernetes applications into production because of security concerns. In this story, Jimmy Mesta, Head of Security Research at Fastly, looks at the security implications of containers and offers best-practice advice to help keep the hackers out.
#4: Why Open Source Project Maintainers Are Reluctant to Use Digital Signatures, Two-Factor Authentication — Open source continues to be abused by unscrupulous developers. In fact, a recent survey revealed that when asked whether the open source projects they worked on required the use of 2FA, such as the GitHub organizational setting “Require two-factor authentication,” almost half of the developers said they didn’t use it. How, then, should open source organizations get their programmers to verify who they are?
#5: How Parler’s Data Was Harvested — When the right-wing social network Parler was turned off by Amazon Web Services (AWS), Parler’s data, including death threats and geotagged deleted messages, was scraped and published on numerous public websites. Deleted messages were captured because Parler’s proprietary software didn’t actually delete them; instead, it merely marked them as invisible to users, a sign of poor security programming. Here is the story by The New Stack’s Steven J. Vaughan-Nichols of how Parler’s former members became victims of the community.
#6: Managing Kubernetes Secrets with AWS Secrets Manager — GoDaddy, one of the leading web-hosting companies, open sourced an internal project called Kubernetes External Secrets. In this final story of a series by Janakiram MSV, Principal Analyst at Janakiram & Associates, he walks through how the project can be used to configure Kubernetes secrets backed by Amazon Web Services’ Secrets Manager. Launched this year as part of Amazon’s CodeGuru service for developers, Amazon’s Secrets Detector machine learning feature automatically finds confidential system credentials that may be hidden in source code, helping to find bugs and security vulnerabilities and then suggesting remedies.
AWS, Check Point and Red Hat are sponsors of The New Stack.