Red Hat Delivers on Open Source Security Promise for K8s

At the KubeCon + CloudNativeCon Europe 2022 conference, Red Hat this week made good on a promise to make Red Hat Advanced Cluster Security for Kubernetes available as an open source project after acquiring StackRox last year.

Michael Foster, a principal product marketing manager at Red Hat, says rather than providing IT teams with open source modules that they must stitch together, Red Hat is now making a complete container security platform available to anyone via a GitHub repository. In general, organizations are starting to move away from “black boxes” to manage security in favor of open source platforms that make it easier to see how policies are actually executed and build a larger community of contributors, adds Foster.

A survey of 300 DevOps, engineering and security professionals published this week by Red Hat finds 93% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months.

Nearly half of respondents (46%) are most concerned about exposures caused by misconfigurations in their container and Kubernetes environments. More than half (53%) have detected a misconfiguration in the last 12 months. Most misconfigurations are attributed to developers with little cybersecurity expertise making mistakes as they provision IT infrastructure.

The survey finds that, to address that issue, more than three-quarters of respondents now have a DevSecOps initiative that is either in a beginning or advanced stage, with more than a quarter (27%) identifying themselves as being among the most forward-looking DevSecOps organizations. Only 22% of respondents reported that they continue to operate DevOps separately from security and only 16% have a central IT security team that is responsible for Kubernetes security.

Foster says the primary challenge organizations face is finding a way to secure Kubernetes-based software supply chains without slowing down the pace at which applications are built. The best way to achieve that goal is to provide developers with higher levels of abstraction that make it simpler for them to build and deploy secure applications within the context of a continuous integration/continuous delivery (CI/CD) platform, he adds.

It’s not clear to what degree open source security software will encourage more organizations to embrace DevSecOps best practices. However, as the cost of securing application development environments declines, the number of organizations that will look to improve the security of their software supply chains should increase. In the longer term, more organizations will also enable the signing of code using frameworks such as Sigstore, Supply-chain Levels for Software Artifacts (SLSA) and patterns defined by Red Hat, says Foster.

As more organizations build and deploy microservices-based applications, an opportunity arises to revisit DevOps processes that were first implemented to build monolithic applications. In theory, microservices-based applications should be more secure because it’s easier to rip and replace containers that might have inadvertently encapsulated a vulnerability than it is to patch a legacy application. That doesn’t mean those applications are inherently secure, but as DevSecOps processes are adopted the overall scope of the vulnerable attack surface should steadily decline.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He has also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.