Snyk Launches Tool to Address Kubernetes Configuration Issues

Snyk, at the online KubeCon + CloudNativeCon Europe 2020 conference this week, launched a tool that discovers and helps remediate misconfigurations in Kubernetes clusters that were deployed using the open source Terraform tool.

Aner Mazur, chief product officer for Snyk, says Snyk Infrastructure as Code (IaC) addresses a problem that has become a major issue as cybercriminals exploit default settings to compromise container applications.

As one of the most complex IT platforms ever created, Kubernetes provides developers and IT teams with lots of opportunities for misconfiguration. Many developers that don’t have much cybersecurity expertise are liable to deploy Kubernetes using insecure default settings, notes Mazur.

Designed to be primarily employed by developers, Snyk IaC highlights issues directly in the configuration code and as part of standard Git workflows, he says. Developers will be able to merge fixes without any guesswork.

At the same time, Mazur says cybersecurity teams will be able to work more closely with developers to define and implement cybersecurity controls within a Terraform workflow as organizations embrace best DevSecOps practices. That’s critical because the workflows as they exist in most IT organizations for developers and cybersecurity teams are dramatically different.

To facilitate adoption, Snyk IaC will be available both for free and via a commercial add-on to Snyk Open Source and Snyk Container that provide additional features for teams and larger organizations. Snyk Container, a standalone scanning tool for Kubernetes environments, was launched late last year.

It’s not clear to what degree the adoption of container applications that are largely deployed as microservices will force the DevSecOps issue within organizations. In theory, at least, responsibility for securing both microservices and the infrastructure they are deployed on is shifting left toward developers. However, while developers may be responsible for implementing security controls, most of those security controls will be defined by cybersecurity teams that also will need to verify they’ve been implemented.

Ideally, developers will have discovered configuration issues using tools such as Snyk IaC long before they surface in a list of issues presented to developers by a cybersecurity team. In the interest of building and deploying applications faster, the goal for DevOps teams should be to have as few interactions with a cybersecurity team as possible.

It may be a while before cybersecurity teams fully trust developers to implement the appropriate security controls. The single biggest concern with cloud security is not the capability of the platform as much as it is configuration issues that result in ports being left wide open. It’s usually not very long before cybercriminals are exfiltrating data via those open ports.

Most cybersecurity teams are also not especially optimistic when it comes to preventing developers from encapsulating modules of code with known vulnerabilities in containers as they race to build applications. There may be a desire to trust developers more, but verification is still critical.

Cybersecurity in cloud-native computing environments is fundamentally different from cybersecurity in legacy monolithic environments. The challenge is getting everybody in the IT organization on the same page of a new cloud-native security playbook.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.