Leveling Up Container Security with Security-as-Code

As more organizations adopt a microservices deployment model, they’re also adopting infrastructure-as-code (IaC) to streamline continuous delivery. IaC codifies configurations to automate the deployment and provisioning of services. But how about security-as-code? Some believe security policies should be described and embedded within the CI/CD process, as well.

Security-as-code comes along just as DevSecOps best practices are also emerging. And, amid growing container usage, engineers are turning to solutions like Kubernetes for orchestration and service mesh for handling cross-cutting concerns for microservices. Service meshes like Istio utilize Envoy Proxy, whose filter chain could be a suitable location to add additional declarative functionality, like security controls.

One example of a tool attempting to tackle this is Curiefense, an open source CNCF project. I recently met with Tzury Bar Yochay, CTO and co-founder of Reblaze, and Curiefense maintainer, to explore the security threats facing today’s container-based ecosystems. Below, we’ll consider what tactics Envoy-based frameworks can use to improve their security posture.

Security Issues At Large

Security is a pressing concern for all websites, APIs, services and microservices. A recent Salt Security study found 84% of companies suffer at least 10 API attacks per month and there’s been a 211% rise in malicious traffic over the last year.

For containers, threats like insecure defaults, misconfigurations, over-permissive states or leaked credentials are common vulnerabilities. In this climate, it’s vital to adopt a least-privilege rule, monitor traffic for malicious behavior and respond to zero-day exploits as quickly as possible.

Security Responses

As Bar Yochay describes, organizations really need to monitor traffic at the HTTP level and control the flow of applications. This can provide a 360-degree security perspective to protect against bots, look into cookies, check headers and analyze other risky vectors that could indicate malicious code, he says.

Security is a blanket term, and many cloud-native security projects are emerging to support zero-trust or network security. According to Bar Yochay, focusing on the application layer affords a unique method to drill into the session and context of behaviors.

Bar Yochay also emphasizes how open source is essential for arming infrastructure and sharing zero-day exploits. As I’ve previously covered, open source software is now fundamental to transformation efforts at many enterprises. Though it may sound contradictory, openness across the security spectrum is increasingly important to security.

Openness is crucial, for example, to sharing daily common vulnerabilities and exposures (CVEs) and reducing the window of time between a zero-day exploit and the associated software patch. Open source also brings collaboration advantages. “The beauty of open source is that it turns a feature request into a pull request,” says Bar Yochay. Open source efforts allow more room for contributions from external developers to resolve bugs and propel a project forward. Thus, Bar Yochay recommends using security tools with open source foundations and open standards when applying security-as-code practices.

Extending Envoy Proxy

Envoy, now a graduated open source CNCF project, is growing in popularity within new production environments. Since Envoy powers many frameworks, an Envoy extension could be applied to an application sidecar, an ingress gateway and/or an edge proxy, among other use cases. Thus, building on Envoy could enable a wider distribution.

Recent efforts to extend Envoy also underline the composable nature of modern software ecosystems. “In an era of APIs and connected services,” Bar Yochay explains, “making everything extendable and composable is a key for success.”

Outside of cybersecurity, the excitement around Envoy is igniting development into other filter chain capabilities. For example, as I covered recently, others foresee the Envoy filter chain being used as an API gateway to bring north-south traffic to service mesh. Bar Yochay agrees that implementing API gateway functionality through an Envoy filter chain is totally possible — take Ambassador as evidence.
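To make the filter-chain idea concrete, here is an added example (not code from the article, Curiefense or Envoy's own docs) of a declarative security control that can live in Git alongside infrastructure-as-code: an Envoy HTTP RBAC filter that allow-lists only read-only API calls from callers carrying a given role. The listener port, the `x-role` header, the `/api/` prefix and the upstream `app` cluster are assumed values for illustration.

```yaml
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          # The security control sits in the filter chain, ahead of routing:
          # requests that match no policy are rejected with HTTP 403.
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW
                policies:
                  "readers-get-only":
                    permissions:
                    - and_rules:
                        rules:
                        - header: { name: ":method", string_match: { exact: "GET" } }
                        - url_path: { path: { prefix: "/api/" } }
                    principals:
                    # Assumed header; it must be set by a trusted auth step, not by the client.
                    - header: { name: "x-role", string_match: { exact: "reader" } }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9000 }
```

Because the policy is a file, a change to it is reviewed as a pull request and rolled out by the same pipeline as the rest of the deployment; the filter also supports `shadow_rules`, which only records what would have been denied, so a new policy can be observed before it is enforced.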

Making Security-as-Code Simple and Effective

“One of the keys to success for sustainable security is simplicity,” says Bar Yochay. “If a solution is not easy to use over time, then things will be left as they were on day one.”

To mount a solid defense, security tools must be developer-friendly. Strategies like improving the developer experience, reducing alert fatigue and providing low-code UI-based controls are some oft-cited ways to make developer-facing tools simpler to use.

Bar Yochay adds that developer-centric tools should fit into existing workflows by adopting a GitOps-based approach, enabling developers to integrate security more seamlessly within existing DevOps pipelines. This would present a novel way to introduce cybersecurity at the same level as infrastructure-as-code.

The Future of Security-as-Code

Today’s cloud-native software needs a solid cloud-native security response. With Envoy growing in ubiquity across various service meshes and frameworks, some consider it a reasonable component to extend with security-as-code functionality. This would help locate threats and introduce role-based policies to protect Envoy-based frameworks.

Regardless of the precise implementation, companies will inherently need to adopt better security footholds to respond to increasing attack vectors. Since DevOps teams have already mastered scaling and orchestrating vast networks of containers quickly using pre-configured settings, it makes sense that the next paradigm would involve automating security policies in a similar way.

“The world has CI/CD — now the world needs continuous security,” says Bar Yochay.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.