Kubernetes and the Importance of the Software Supply Chain

Security concerns surrounding Kubernetes and cloud-native technology are hindering organizations from fully benefiting from these technologies. Red Hat's "2023 State of Kubernetes Report" found significant concern about Kubernetes security within certain companies. The report, which surveyed DevOps, engineering, and security professionals from various countries, revealed that 67% of respondents have delayed or slowed down a deployment because of security worries, while 37% have lost revenue or customers as a result of a container or Kubernetes security incident. Additionally, 38% consider security one of the top concerns in their container and Kubernetes strategies.

The software supply chain has become a focal point for criticism, and this has directly impacted Kubernetes users. The Red Hat survey asked respondents about the specific security issues they are most concerned about in the software supply chain, and the following issues were highlighted:

1. Vulnerable application components (32%)
2. Insufficient access controls (30%)
3. Lack of software bills of materials (SBOM) or provenance (29%)
4. Lack of automation (29%)
5. Lack of auditability (28%)
6. Insecure container images (27%)
7. Inconsistent policy enforcement (24%)
8. CI/CD pipeline weaknesses (19%)
9. Insecure IaC templates (19%)
10. Version control weaknesses (17%)

Respondents expressed their concerns based on firsthand experiences, with more than half stating that they have encountered most of these issues, particularly vulnerable application components and CI/CD pipeline weaknesses.

However, organizations can address these concerns by focusing on a single aspect: trusted content. Trusting content has become increasingly challenging as open-source code is widely used for cloud-native development. More than two-thirds of application code is derived from open-source dependencies, highlighting the importance of trusting this code to enhance application and platform security.

The ability to trust content is crucial for building trusted products and services. While software bills of materials can help ensure the authenticity of code, they should not be relied upon in isolation. SBOMs should be part of a comprehensive strategy for securing the software supply chain, with trusted content serving as the foundation.

SBOMs provide developers with essential information to make informed decisions about the components they utilize. However, the mere existence of an SBOM does not guarantee integrity. An SBOM is only valuable if it is up to date and verifiable. It is also important to determine whether known issues exist for the listed components.

Developers require upfront quality and security information about the software components they choose. Both software providers and consumers should prioritize curated builds and hardened open-source libraries that have been verified and attested through provenance checks. Digital signature technology plays a significant role in ensuring that software artifacts remain unaltered during transmission.

Even with these measures in place, vulnerabilities can still occur. To help teams assess the actual impact of a known vulnerability, the Vulnerability Exploitability eXchange (VEX) can be utilized. VEX allows software providers to report the exploitability of vulnerabilities within the dependencies of their products. This information helps customers prioritize and effectively manage remediation efforts based on whether a vulnerability has been actively exploited.

In addition to SBOMs and VEX documentation, package attestation is necessary to establish trust in content. It is crucial to know that the code being used is developed, curated, and built with security in mind and delivered with the necessary metadata for verifying provenance and content. Digital signatures can be used to attest packages and associated metadata, ensuring that content remains unaltered during transit.
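The SBOM freshness check and the SBOM-plus-VEX triage described in the preceding paragraphs, as an added example that is not from the article or from Red Hat. The SBOM, advisory feed and VEX statements are constructed and use placeholder advisory IDs; the CycloneDX and OpenVEX field layout is simplified:

```python
from datetime import datetime, timedelta
# Constructed, minimal CycloneDX-style SBOM for a hypothetical product (not from the article).
SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"timestamp": "2024-05-01T00:00:00Z"},
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "libbar", "version": "4.5.6", "purl": "pkg:generic/libbar@4.5.6"},
        {"name": "libbaz", "version": "7.8.9", "purl": "pkg:generic/libbaz@7.8.9"},
    ],
}
# Constructed advisory feed: purl -> advisory ids (placeholders, not real CVE numbers).
KNOWN_VULNS = {
    "pkg:generic/libfoo@1.2.3": ["VULN-PLACEHOLDER-1"],
    "pkg:generic/libbar@4.5.6": ["VULN-PLACEHOLDER-2"],
    "pkg:generic/libbaz@7.8.9": ["VULN-PLACEHOLDER-3"],
}
# Constructed OpenVEX-style statements issued by the hypothetical provider.
VEX = {"statements": [
    {"vulnerability": {"name": "VULN-PLACEHOLDER-1"},
     "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "VULN-PLACEHOLDER-2"},
     "products": [{"@id": "pkg:generic/libbar@4.5.6"}],
     "status": "affected", "action_statement": "upgrade to 4.5.7"},
]}
# Remediation order: confirmed exploitable first, then open questions, then gaps with no VEX data.
RANK = {"affected": 0, "under_investigation": 1, "no_vex_statement": 2, "fixed": 3}

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
def sbom_is_current(sbom: dict, now_iso: str, max_age_days: int = 90) -> bool:
    """An SBOM older than max_age_days is stale: regenerate it before trusting its component list."""
    return _parse(now_iso) - _parse(sbom["metadata"]["timestamp"]) <= timedelta(days=max_age_days)
def vex_status(vex: dict, purl: str, vuln_id: str) -> str:
    """Provider's VEX status for (component, advisory); a missing statement is flagged, not assumed safe."""
    for st in vex["statements"]:
        if st["vulnerability"]["name"] == vuln_id and any(p["@id"] == purl for p in st["products"]):
            return st["status"]
    return "no_vex_statement"
def remediation_queue(sbom: dict, known_vulns: dict, vex: dict) -> list:
    """Join SBOM components with advisories, drop what VEX marks not_affected, rank the remainder."""
    queue = []
    for comp in sbom["components"]:
        for vuln_id in known_vulns.get(comp["purl"], []):
            status = vex_status(vex, comp["purl"], vuln_id)
            if status != "not_affected":
                queue.append((comp["purl"], vuln_id, status))
    return sorted(queue, key=lambda row: RANK.get(row[2], 1))
```

A component with an advisory but no VEX statement stays in the queue on purpose: the absence of a provider statement is a gap to chase, not evidence that the vulnerability is unreachable.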

In conclusion, implementing the standards, tools, and best practices discussed in this report aligns with the DevSecOps model and helps alleviate the security concerns associated with rapid Kubernetes deployment. By prioritizing trusted content, organizations can address these concerns and fully capitalize on the benefits of Kubernetes and cloud-native technology.
