Security in Kubernetes Application Development

Objective

• Explain the need for security with Kubernetes.
• Explains how security can be improved with well-established tools.
• Risks can be addressed though novel tools and techniques.
• Introduces Kubernetes Security best practices.
• Explains the usage of the available tools for Kubernetes Solutions.

What is SDLC?

Development teams use different models such as Waterfall, Iterative or Agile. However, all models usually follow these phases:

• Planning and requirements
• Architecture and design
• Test planning
• Coding
• Testing the code and results
• Release and maintenance

What is Secure SDLC and Why is Important?

Secure System Development Life Cycle is defined as the series of processes and procedures in the software development cycle, designed to enable development teams to create software and applications in a manner that significantly

• Reduces security risks
• Eliminate security vulnerabilities
• Reducing costs
• The process like the traditional Systems Development Life Cycle, is divided into a number of phases.

How to Secure SDLC?

• Developers usually performed security-related tasks only at the testing stage, resulting in discovering issues too late or not at all.
• With time, teams started to integrate security activities to catch vulnerabilities early in the development cycle.
• With this in mind, the concept of Secure SDLC started.
• Secure SDLC integrates activities such as penetration testing, code review, and architecture analysis into all steps of the development process.

Benefits of adopting Secure SDLC

The main benefits of adopting a Secure SDLC include:

• Makes security a continuous concern — including all stakeholders in the security considerations
• Helps detect flaws early in the development process — reducing business risks for the organization
• Reduces costs — by detecting and resolving issues early in the lifecycle

How Does Secure SDLC work?

Most companies will implement a secure SDLC simply by adding security-related activities to their development process already in place. For example, they can perform an architecture risk analysis during the design phase.

There are seven phases in most SDLCs although they may vary according to the methodology used, such as Agile or Waterfall:

• Concept
• Planning
• Design and Development
• Testing
• Release
• Sustain
• Disposal

SDLC in Action

Secure SDLC With Kubernetes

Investigation & Analysis

Investigation & analysis of a new Deployment in Kubernetes, includes task that governs the condition or requirement to meet a new product deployment in Containerized Environment.

• Kube-Bench can help at this stage to perform targeted Kubernetes Cluster security assessment with certified CIS(Center of Internet Security) benchmark. Once the environment is sanitized from security point of view, we can further proceed with Design and Implementation phase.

Design & Implementation

Design & implementation is the process of developing an executable system for delivery to the customer. Sometimes this involves separate activities of software design and programming. In Kubernetes Docker Image(s) and Manifest files are implemented at this stage.

• Kubesec can help to perform scanning of Kubernetes manifests for known vulnerabilities.
• Trivy can help to perform scanning of Docker Images for known vulnerabilities.

Test & Integration

Testing & Integration is defined as phase where software modules are integrated logically and tested as a group. A typical software project consists of multiple software modules. The interaction between these software modules when they are integrated in real time Kubernetes Environment could be tested at this stage.

• Seccomp can help to run pods in Kubernetes environment under restricted syscalls.
• AppArmor can help to apply profiles and ensure that the Kubernetes pods are running under restricted capabilities.

Maintenance

Software Maintenance is the process of modifying a software product after it has been delivered to the customer. The main purpose of software maintenance is to modify and update software applications after identification of faults and improve performance.

• Falco can help in continues auditing of Kubernetes Pods to detect threats for maintenance.

Proactive vs Reactive Approach Towards Security

Setting up a Secure SDLC can be divided into two major approaches:

• The proactive approach concerns preventing all possible flaws and breaches at the very beginning of the project, implementing solutions in a secure way.
• The reactive approach aims to ensure security before the release, and to maintain it throughout the product’s existence.

Example of Proactive Approach

• Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins.
• Many companies use cameras to record business activities, the idea being that cameras both deter theft and help identify perpetrators when thefts do occur.
• Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected.

Example of Reactive Approach

• Disaster Recovery Plans
• Use of private investigation services and loss recovery specialists
• Re-installation of operating systems and applications on compromised systems.
• Switching to alternate systems in other locations.

To Wrap-up Being Proactive is Being Secure

• It’s worth mentioning that the proactive approach is always preferred.
• The consequences of finding a bug are much less serious if the bug is discovered in the development stage, before release.
• It is cheaper, easier, and faster to fix the bug when the product is under development, which leads to the idea that security should be implemented on the very beginning of the project.
• The best option is to consider security before the actual development is even underway, to train staff on security practices.
• When people understand the importance of security procedures and how to implement them correctly, they are better able to keep their products secure.

Content Credit: Dr Nada Hany Sherief