Aqua Security is trying to level the container security playing field by releasing kube-hunter, an open source penetration testing tool designed specifically for Kubernetes clusters.
Rani Osnat, vice president of product marketing for Aqua Security, says kube-hunter is an automated penetration testing tool that developers and cybersecurity teams can employ to discover vulnerabilities within containers.
The tool runs in two modes. Passive hunters run by default and execute a series of tests that probe for potential access points into the cluster, such as exposed API server or kubelet ports. Active hunting can then be enabled to run additional tests that attempt to exploit the weaknesses the passive hunters found; because those tests can change cluster state, they should be run only against clusters you are authorised to test. Results are printed locally and can also be viewed on a website hosted by Aqua Security.
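As an added example (not code from the article or from the kube-hunter project), the following Python script shows what a security team can do with the results once a scan has run: read the JSON report that recent kube-hunter releases write with `--report json`, summarise findings by severity, and fail a CI job when any finding meets a severity threshold. The report shape (top-level "nodes", "services" and "vulnerabilities" lists; severity values low, medium and high; fields such as "vid", "vulnerability", "location" and "hunter") is assumed from current kube-hunter output, and the embedded sample report is constructed for illustration rather than taken from a real scan.

```python
"""CI gate for a kube-hunter JSON report.

Added example; not code from the article or the kube-hunter project.
Assumed report shape (recent kube-hunter releases, `--report json`):
a JSON object with "nodes", "services" and "vulnerabilities" lists, each
vulnerability carrying "severity" (low/medium/high), "vulnerability",
"location", "hunter" and usually "vid". The sample below is constructed.
"""
import json
import sys

# Severity ladder used by kube-hunter findings; anything else is "unknown".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample report. Field layout mirrors kube-hunter's JSON output;
# addresses, evidence and the mix of findings are illustrative only.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.10"}],
    "services": [
        {"service": "API Server", "location": "10.0.0.10:6443"},
        {"service": "Kubelet API", "location": "10.0.0.10:10250"},
    ],
    "vulnerabilities": [
        {"location": "10.0.0.10:6443", "vid": "KHV002",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "K8s Version Disclosure",
         "evidence": "v1.x (constructed)", "hunter": "Api Version Hunter"},
        {"location": "10.0.0.10:10250",
         "category": "Remote Code Execution", "severity": "high",
         "vulnerability": "Anonymous Authentication",
         "evidence": "kubelet answered an unauthenticated request (constructed)",
         "hunter": "Kubelet Discovery"},
        {"location": "10.0.0.10:10255",
         "category": "Information Disclosure", "severity": "low",
         "vulnerability": "Exposed Pods",
         "evidence": "3 pods listed (constructed)",
         "hunter": "Kubelet Discovery"},
    ],
})


def load_report(text):
    """Parse report text and check the lists the gate depends on are present."""
    report = json.loads(text)
    for key in ("nodes", "services", "vulnerabilities"):
        if not isinstance(report.get(key), list):
            raise ValueError(f"report is missing the {key!r} list")
    return report


def severity_counts(report):
    """Count findings per severity; values outside the ladder land in 'unknown'."""
    counts = {name: 0 for name in SEVERITY_RANK}
    counts["unknown"] = 0
    for finding in report["vulnerabilities"]:
        sev = str(finding.get("severity", "")).lower()
        counts[sev if sev in SEVERITY_RANK else "unknown"] += 1
    return counts


def failing_findings(report, threshold="high"):
    """Return findings at or above `threshold`.

    A finding whose severity the gate does not recognise also fails: a schema
    change or a new severity level must never turn into a silent pass.
    """
    floor = SEVERITY_RANK[threshold]
    failing = []
    for finding in report["vulnerabilities"]:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= floor:
            failing.append(finding)
    return failing


def describe(finding):
    """One line per finding for the job log."""
    return "{sev:>7}  {vid:<7} {name} @ {loc} [{hunter}]".format(
        sev=str(finding.get("severity", "unknown")).upper(),
        vid=finding.get("vid", "n/a"),
        name=finding.get("vulnerability", "?"),
        loc=finding.get("location", "?"),
        hunter=finding.get("hunter", "?"),
    )


def main(argv):
    """usage: gate.py [report.json] [low|medium|high]; exit 1 when the gate fails."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    report = load_report(text)
    counts = severity_counts(report)
    print("nodes: %d  services: %d  findings: %s" % (
        len(report["nodes"]), len(report["services"]), counts))
    failing = failing_findings(report, threshold)
    for finding in failing:
        print("FAIL " + describe(finding))
    if failing:
        print("gate failed: %d finding(s) at or above %s" % (len(failing), threshold))
        return 1
    print("gate passed: no findings at or above " + threshold)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the gate fail on the constructed sample, or point it at a real report, for example `kube-hunter --remote <node> --report json > report.json && python gate.py report.json medium`. The gate treats an unrecognised severity as a failure on purpose: if a future release renames or adds a level, the pipeline stops instead of quietly passing. Only passive-hunter output should be consumed this way in a pipeline; active hunting belongs in a deliberately scheduled test window, not in every build.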
The kube-hunter project complements Aqua Security’s existing kube-bench project, which checks Kubernetes deployments against the benchmark published by the Center for Internet Security (CIS): kube-bench verifies configuration against the CIS recommendations, while kube-hunter probes a running cluster for weaknesses that are actually reachable. Aqua Security hopes other organizations will contribute additional hunters to the project, Osnat says.
Aqua Security draws the line between open source and commercial container security software as follows: software designed to discover container vulnerabilities, such as kube-hunter, is shared as open source code, while container security software such as the Aqua Container Security Platform will continue to be licensed commercially, he says.
The company is aware that cybercriminals might use this tool to probe for weaknesses as well. But most cybercriminals already have access to plenty of penetration testing tools. By making kube-hunter widely available, Aqua Security aims to give organizations a tool that makes it easier to discover weaknesses in their clusters before cybercriminals exploit them.
As is often the case with any emerging technology, security concerns tend to hinder adoption. Most cybersecurity teams are not yet armed with tools specifically designed to monitor and secure containers. By releasing penetration testing tools as open source code, Aqua Security is trying to expand the base of cybersecurity teams that are exposed to container security technologies. Of course, given the rate at which containers are now being employed across the enterprise, it’s only a matter of time before container security technologies become more widely employed in both testing and production environments.
The challenge most organizations soon will be wrestling with is assigning roles and responsibilities for container security within an integrated set of DevSecOps processes. Developers are being held more accountable for security. But given the number of containers that are constantly being introduced and replaced, it’s easy for developers to make a mistake inadvertently, for example by leaving a port exposed or shipping an image that includes a library with known vulnerabilities. It remains the responsibility of the cybersecurity team to ensure that security policies are enforced and best practices are followed. After all, these days cybercriminals can find such vulnerabilities in a matter of minutes and exploit them in seconds.