Organizations in a rush to transform could benefit from a moment of pause to avoid misconfigurations that might create unexpected, unnoticed exposure. The going trend is for enterprises to march forward with DevOps to ramp up their pace of deployment. Such haste could lead to gaps in security that might otherwise have been caught along the way. Experts from StackRox and Packet dissect some of the telltale signs of misconfiguration and how organizations can address them.
The mindset and mandate for many DevOps teams is to push code out fast with the goal of making their organization more agile, says Michelle McLean, vice-president of marketing for StackRox, provider of a Kubernetes security platform. This is not to imply developers do not care about security or are willfully negligent, she says. “However, it is not always the first thing they are thinking of.”
McLean is author of the StackRox’s latest State of Container and Kubernetes Security Report She says security has become more inherent within infrastructure in many ways, which has led new approaches to the development cycle. “Before, you used to build code then throw it over a wall,” McLean says. “Somebody figures out how to make it run, throw it over the next wall. Somebody figures out how to make it secure, now we go live.”
That sequence has been upended in the era of DevOps, she says, with different parts of the cycle sometimes overlapping and creating blind spots. “Now all of this is mixed up together and happening at similar timeframes,” McLean says. “When the mandate is to move fast, put out the code fast, you can miss a few things.”
The issue of misconfiguration is tied closely to the DevOps journey, says Jacob Smith, CMO and a co-founder of Packet, an on-premise cloud provider. He says this stems from how containers are deployed through DevOps automation versus IT administration. “It is a different workflow and one of the biggest areas of weakness is around network policy,” Smith says. Problems can be easy to miss, he says, because configurations change at a larger and larger scale as the infrastructure becomes more varied and migrates to the cloud.
Smith says supporting toolsets from Red Hat, Rancher, or VMware can monitor and improve visibility, so developers know which containers connect to what. The relative newness and rapid evolution of containers into a business imperative, he says, has made it a challenge for developers to keep up. “There’s so many things going on and it changes really quickly,” Smith says. “That’s a recipe for confusion; a lot of people new to it feel on edge.” This part of the DevOps landscape has matured rapidly in the last two years, he says, with new demands and needs emerging seemingly overnight.
“Everyone has to have a service mesh strategy though 18 months ago it didn’t exist,” Smith says. Security is an obvious area for potential fallout, but business inefficiencies due to misconfigurations can also be expensive. For instance, there might be an instance of out of control resource allocation by a container that could take down the server. “That’s the one thing it’s not supposed to do,” he says.
One of the key misconfiguration problems McLean highlights is not all security controls are always turned on by default. With containers and Kubernetes, there can be many moving parts with complicated infrastructures that are still being learned, she says. “The assumption is the developer will enable the security controls at some point.”
McLean recommends looking for certain hard-to-find elements, such as whether resources are read-only, or if they can be written to. Check if roles-based access control is enabled. “That is analogous to having writable containers,” she says. “If someone gains permission to make changes at the Kubernetes level, you are going to open to risk. That’s the keys to the kingdom. If I can get into Kube, I can get into all your assets.”
The potential for this type of exposure is likely to increase going forward, McLean says, as more companies containerize new apps they develop. “It is very likely these are some of your most important business essential apps,” she says. There is also the possibility that customer data may be held by those apps. “It is easy to make a mistake,” she says. “Organizations should help developers do things right.”
For more on security, DevOps, and misconfigurations, check out these stories: