For many people working in DevOps, security is starting to become a bigger part of their daily work lives. With this new reality come new challenges. You’re likely to face these hurdles, for example:
- At what point should I begin testing for security?
- Will security testing slow me down?
- How do I easily share test results with necessary stakeholders?
- Will this information be centralized?
We’ll answer these questions and more as you read along. Throughout this article we’ll lay out why DevOps practitioners should care about the security of their environments, and we’ll demonstrate how continuous, automated security testing can benefit your organization.
In this article, we’ll show you a real-world example of how hackers are targeting Kubernetes clusters by exploiting a known vulnerability in a running container in EKS.
This vulnerability, combined with a misconfiguration in Kubernetes, lets the attacker escape the container and gain root-level access to the worker nodes in the EKS cluster.
This may sound scary, and it is. But you can prevent this from happening and we’ll show you how.
A longer form of the videos shown in this article can also be found on our YouTube page.
Risks in your infrastructure
According to Gartner, 99% of cyber attacks and security breaches come from known vulnerabilities and misconfigurations in infrastructure. What’s even more staggering is that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.
What some may view as an innocuous and small vulnerability or misconfiguration can sit unnoticed for a long time and end up causing great harm if found by the wrong person. That’s what makes solving for this so important.
Vulnerabilities & misconfigurations
It doesn’t take much time for a known vulnerability or misconfiguration in Kubernetes to cause major damage to your environment. To demonstrate this point, watch this short demo below and see for yourself.
Whose responsibility is it?
Everybody knows that these security problems exist within a complex environment. Now the question is, whose job is it to fix them? This is when the finger pointing begins. When DevOps first arrived on the scene, the focus was on innovation.
The goal was to deliver digital products to market faster and with accuracy by bringing Development and Operations together to collaborate. Nowadays, DevOps teams are increasingly being asked to share the responsibility of security issues inside the environments they build and maintain. But what about Security teams?
Accountability vs. responsibility
Honestly, this is probably the better lens through which to look at security. You have certain titles and individuals who are held accountable for security breaches. Think about your CISOs, CTOs, VP of Engineering or Operations, Security Engineers, and so on.
These are the people who will be held accountable if the infrastructure is not secure. On the other hand, the responsibility of keeping your systems secure falls on everybody in the organization.
Security tools for DevOps
You may be asking yourself, “Is there such a thing as security tooling for DevOps?” The question comes up because DevOps teams usually work in a standardized flow.
There’s a good chance you spend most of your time in local development, writing automation code and testing it in your sandbox. Next, you push it to Git for review. Once merged, those changes run through pipelines before deploying to production environments.
It’s actually because of this standardized workflow that there are perfect opportunities for security testing. Most security tooling lacks the capability to check for misconfigurations at each of these stages; that's where Mondoo comes in.
How Mondoo can help
Mondoo is a security platform designed to help DevOps teams find and fix vulnerabilities and misconfigurations in their infrastructure. Mondoo automates security testing in all phases of the software development lifecycle – from local development to build time and all the way through to run time.
Mondoo fits into the entire DevOps workflow. To achieve this we have two main components: Mondoo Platform and Mondoo Client.
Mondoo Platform is a multi-tenant SaaS product that comes stocked with an ever-growing number of certified security policies. These policies exist as code, complete with full documentation and remediation steps.
Mondoo Client is a lightweight, universal binary registered to your account that can be used to scan infrastructure locally or remotely. It connects directly to APIs of public and private cloud environments, hosts, SaaS products, Kubernetes, containers, and more!
To demonstrate some of Mondoo’s capabilities, let’s refer back to how easy it was to exploit the Amazon EKS cluster earlier. Watch this short video below:
Mondoo for Kubernetes
You now know how easily a hacker can take advantage of a misconfiguration in a Kubernetes deployment manifest. With Mondoo, there are multiple ways to detect this misconfiguration.
From the Mondoo Policy Hub you can enable appropriate Kubernetes policies. This allows you to run a static analysis of your Kubernetes manifests in Visual Studio Code or other environments. From there, Mondoo evaluates the manifests and sends the results to your terminal so you can review them in development. From Mondoo Platform, you can share these results with your team and collaborate. You can also use this process to scan your remote EKS clusters.
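As an added example (not Mondoo's code or one of its policies), here is the kind of static check a manifest scanner runs in development: it parses a Deployment and reports the settings that commonly let a container reach its worker node. The article does not name the exact misconfiguration it exploits, so the checked settings (privileged mode, host namespaces, hostPath mounts, running as root) and the sample manifests are assumptions.

```python
"""Static check of a Kubernetes Deployment manifest for settings that let a
container reach its worker node. Added example, not Mondoo's code or policy;
the checked settings are assumed, since the article names no specific one."""
import json

HOST_NAMESPACES = ("hostPID", "hostNetwork", "hostIPC")  # pod-level flags


def check_pod_spec(pod_spec):
    """Return findings for one pod spec (a Deployment's template.spec).
    An empty list means none of the checked settings is present."""
    findings = []
    for key in HOST_NAMESPACES:
        if pod_spec.get(key):
            findings.append(f"pod shares the node's {key} namespace")
    # Map volume name -> node path for every hostPath volume in the pod.
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} runs privileged")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"container {c['name']} may run as root")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_volumes:
                findings.append(f"container {c['name']} mounts node path "
                                f"{host_volumes[m['name']]} at {m['mountPath']}")
    return findings


def check_deployment(manifest_json):
    """Parse a Deployment given as JSON (kubectl accepts JSON as well as YAML)."""
    manifest = json.loads(manifest_json)
    return check_pod_spec(manifest["spec"]["template"]["spec"])


# Constructed sample manifests: a weak deployment and its hardened form.
WEAK = json.dumps({"kind": "Deployment", "spec": {"template": {"spec": {
    "hostPID": True,
    "volumes": [{"name": "node-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "app:1.0",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "node-root", "mountPath": "/host"}]}]}}}})
HARDENED = json.dumps({"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "app:1.0",
                    "securityContext": {"privileged": False, "runAsNonRoot": True,
                                        "allowPrivilegeEscalation": False}}]}}}})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_deployment(doc) or ["no findings"])
```

The weak manifest yields four findings and the hardened one none; the same check can be wired into a pre-commit hook or a pipeline step so the result is reviewed before the manifest reaches a cluster.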
P.S. If you’re looking for continuous scanning of your Kubernetes cluster then check out our open-source Mondoo Operator for Kubernetes! The Mondoo operator provides continuous assessment of the Kubernetes cluster and infrastructure and can also act as an admission controller to the cluster.
Mondoo x Amazon EKS
If you’re running Kubernetes in a public cloud, it’s not just about Kubernetes. EKS, for example, is actually Kubernetes plus a collection of other services and infrastructure like Amazon VPC, EC2, KMS, and many more. Mondoo can connect directly to Amazon’s API to scan all of the services and resources in the account. Check out the video below to see it in action:
Built for DevOps
To put a bow on all of this, security is a shared responsibility. DevOps teams have a big role to play in finding and fixing those vulnerabilities and misconfigurations before they turn into disastrous situations for the business.
Mondoo is a security platform built for DevOps. We fit into each phase of the software development life cycle allowing teams to automate security without slowing down innovation.