Security high on the agenda for the cloud and software supply chain world.
The open-source cloud native world assembled in Amsterdam recently for the Cloud Native Computing Foundation (CNCF) Kubecon, where supply chain security and tools overload were both on the agenda.
One key announcement at the Kubernetes conference was the unveiling of a fully fledged v1.0 of SLSA (Supply-chain Levels for Software Artifacts), the Google-originated supply chain security framework now overseen by the Open Source Security Foundation (OpenSSF).
SLSA targets the source and build steps of the software delivery lifecycle. The v1.0 release restructures the framework into “tracks” (build, source and dependencies), which the organization says will make it easier to adopt one piece at a time; v1.0 itself specifies the Build track, at levels 1 to 3, and gives more explicit guidance on verifying the provenance of build artifacts before they are consumed. Further tracks and levels are expected in future releases.
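The provenance verification SLSA v1.0 describes boils down to a few checks on a signed in-toto statement: the artifact you hold is listed as a subject, the builder that produced it is one you trust, and the source it was built from is the repository you expect. The following Python is an added example, not code from SLSA, OpenSSF or the article; the builder id, source URI and commit are made-up values, and it assumes the DSSE envelope signature over the statement has already been checked against the builder's key (that step is omitted here).

```python
"""Minimal SLSA v1.0 provenance check (added example, not SLSA project code)."""
import hashlib
import json

# Constructed inputs: a tiny "artifact" and assumed (made-up) policy values.
ARTIFACT = b"#!/bin/sh\necho hello\n"
TRUSTED_BUILDERS = {"https://example.com/builders/ci@v1"}
EXPECTED_SOURCE = "git+https://example.com/org/hello"


def make_provenance(artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Build an in-toto Statement wrapping a SLSA v1.0 provenance predicate.

    Mirrors what a builder emits; the buildType and commit are assumed values.
    """
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "hello.sh",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/build-types/ci@v1",
                "externalParameters": {
                    "source": {"uri": source_uri + "@refs/heads/main",
                               "digest": {"gitCommit": "0" * 40}}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(artifact: bytes, statement: dict,
                      trusted_builders: set, expected_source: str) -> list:
    """Return a list of verification failures; an empty list means 'accept'.

    Assumed to run after the DSSE signature over the statement has been
    verified against the builder's key; without that, none of these fields
    can be trusted.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")

    # 1. The artifact in hand must be one of the statement's subjects.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        failures.append("artifact digest not in subject list")

    # 2. The builder must be on the allow-list (a trusted build platform).
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder}")

    # 3. The source must be the expected repository; "@" separates the ref so
    #    that "org/hello-fork@..." does not pass a prefix check for "org/hello".
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not (source == expected_source or source.startswith(expected_source + "@")):
        failures.append(f"source mismatch: {source}")
    return failures


if __name__ == "__main__":
    good = make_provenance(ARTIFACT, "https://example.com/builders/ci@v1", EXPECTED_SOURCE)
    print(json.dumps(good, indent=2))
    print("genuine artifact:", verify_provenance(ARTIFACT, good, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered artifact:", verify_provenance(ARTIFACT + b"x", good, TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

In practice these checks are done by a tool such as the OpenSSF's slsa-verifier rather than hand-written code, but the policy decisions are the same: which builder ids you trust and which source repository an artifact must come from are inputs the consumer supplies, not facts the provenance can prove about itself.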
The OpenSSF is also shepherding the Secure Supply Chain Consumption Framework (S2C2F), originated by Microsoft last year, towards v1.0; it addresses the consumption side, how organizations take open-source components into their own builds.
Addressing Open-Source Security
The challenge around managing open-source security was illustrated by the CNCF itself, which unveiled a third-party audit of Kubernetes. This highlighted 19 issues with the container management system, six of them classed as medium risk, nine as low, and four as “informational”.
These included “concerns with the administrative experience as it relates to restricting user or network permission.” Meanwhile, flaws in user input “sanitization” could allow “a restricted form of authentication bypass by modifying the request made to the etcd datastore.”
“Flaws in inter-component authentication which allow a suitably positioned malicious user to escalate permissions to cluster-admin,” were also noted along with “Weaknesses in logging and auditing which could be abused by an attacker.”
While the Kubernetes project has “demonstrated” efforts to improve security, the report said, “A number of findings from the previous audit performed against Kubernetes version 1.13 remain open or unfixed.”
An Imperfect Jewel
It’s perhaps not surprising that even the crown jewels of the cloud native world should exhibit flaws. Tool and project overload was a recurring theme at many Kubecon sessions, along with concerns on whether enough new contributors and maintainers were stepping forward to keep projects on the road.
The tooling concern was borne out by GitLab’s latest DevSecOps report. The figures showed that 56% of respondents – spanning security, app development, and ops – were using DevOps or DevSecOps methodologies, up from 47% a year ago.
The report concluded that security professionals increasingly feel “part of a cross-functional team” with 70% of security pros saying that a quarter or more of security vulnerabilities are spotted by developers.
However, it was clear that security respondents’ tool chains are getting more complicated, with 57% saying they were using six or more. As a result, 28% of security respondents said maintaining tool chains made it difficult to keep on top of compliance, and 27% said it was difficult to have consistent monitoring.
GitLab chief product officer David DeSanto said that, by comparison, the number of tools used by developers and operations professionals is going down. “I think that's a sign of a future consolidation that will eventually occur. But it hasn't happened yet.”
In the meantime, he said, “I think it's impacting the security team's ability to deliver against their goals.”