Forem: Lacework

5 tips to help you secure your Kubernetes deployments

Allie Fick Lavin — Tue, 07 Nov 2023 15:31:20 +0000

Are your Kubernetes deployments secure?

Developers creating cloud-native apps that run in Kubernetes are now tasked with much more than just coding. From defining the Infrastructure as Code (IaC) to managing role-based access control, every decision you make impacts security — and this can get complicated quickly.

Here are a few tips to help you ace Kubernetes security:

✅ Scan code and IaC

All code must be validated while you are writing or committing it to a project. Conduct static application security testing on your code. But don’t stop there. Scan Dockerfiles, Helm, and even Terraform files for misconfigurations.

✅ Continuous integration (CI) is key

CI isn’t just for ensuring your app works. Integrate security checks for both source code and the compiled application. For example, when building a Docker image from a Dockerfile, you need to also assess the security of the OS and software packages that will be included in the image.

✅ Deploy with confidence

Before that final deployment, utilize Kubernetes' admission controller. This little gatekeeper ensures nothing unauthorized sneaks past into production. And if you're not quite ready for an admission controller, the Kubernetes audit logs will be your eyes and ears for potential risks.

✅ Never sleep on runtime monitoring

Think deployment's the end? Think again. During runtime, you’ll need to look for misconfigurations in managed Kubernetes environments, like EKS and GKE. Stay alert for any new application behaviors like unexpected connections or sudden file writes. Make sure to baseline normal application behavior, and be quick to spot unusual behavior.

✅ Look closely at audit logs

Kubernetes security posture management tools are an important part of a defense-in-depth approach to Kubernetes security, but they’re not the be-all-end-all. Why? They can overlook application behavior and miss threats right under their noses. The key? Look closely at Kubernetes audit logs to understand the specifics of each resource and see the real-time activities in your environment, rather than just the potential risks.

Read this blog for more K8 best practices.

What are your best tips for securing your cloud-native apps in Kubernetes?

The role software developers play in the cybersecurity space

Kedasha — Thu, 10 Mar 2022 19:54:49 +0000

Cybersecurity is the intentional practice of securing networks, data, and devices from unauthorized users. With the growing increase in cyberattacks and security vulnerabilities (most recently, the Log4j vulnerability), it’s becoming increasingly important for developers to understand how to secure applications and think like cybercriminals to prevent these attacks from severely harming customers.

As software developers, we have a unique opportunity to be one of the first lines of defense against cyberattacks. The software development lifecycle focuses on implementing core functionality in software and applications; code quality and security is often an afterthought. However, our understanding of core cybersecurity principles can make or break the applications that we build.

Since 2003, the Open Web Application Security Project (OWASP) has highlighted the 10 most critical security risks to web applications via OWASP Top 10 list. This is “globally recognized by developers as the first step towards more secure coding.” However, some of the same vulnerabilities appear year over year with little to no improvements on the quality of software code being deployed to production environments.

Organizations deem it unacceptable for software teams to knowingly ship products with functional defects. It is time for organizations to also find it unacceptable to ship products with security defects. Security starts and ends with us - the developers. Unless a software team intentionally focuses on code quality and security, vulnerabilities will find their way into shipped products, and cybercriminals will exploit those vulnerabilities.

As developers, we can help prevent cyberattacks by proactively implementing security controls in our code. We can accomplish this in the following ways:

Take the time to resolve high-severity alerts by keeping packages and dependencies updated. We can use tools like Renovate and WhiteSource to automatically scan for updates.
Identify and understand the typical vulnerabilities for our tech stacks. We can use a tool such as the CVE to search for vulnerabilities in the software that we use.
Test for what our code is and is not meant to do.
Upskill by taking security courses on platforms such as Udemy. For example, this course teaches cybersecurity for developers.
Understand how to perform security testing such as vulnerability scanning and penetration tests. There are many tools available to automate this.
Review the OWASP Top 10 list to understand the most common security attacks and how to prevent them.
At the very least, be familiar with the following three attacks:
- Broken access control
- Cryptographic failures
- Injection attacks

We control the security of the software and applications we build with code. Understanding cybersecurity is important because it protects the users and intellectual property of the companies that we work for.

Come learn security with me in the Lacework Community, where I’ll cover fundamental security topics for software developers.

What I Learned About the Log4j Vulnerability

Tessa Kriesel — Tue, 21 Dec 2021 13:37:49 +0000

I was excited to join Lacework for many reasons, but one of the most important was that it provided me with an opportunity to teach developers about security. Developers complete many different courses and training to prepare them for their careers, but security is often an afterthought. There is a subset of us writing lines and lines of code each day, without the background knowledge to ensure that code is secure.

You’ve likely heard the Log4j vulnerability mentioned over the past few days, or seen the memes floating around the internet—and if you’re like me, or not a Java dev, you may be wondering what it is and why so many people are concerned about it. Distinguished Cloud Strategist Mark Nunnikhoven broke it down in an easy-to-understand 4-minute video, which helped bring things into perspective. Log4j is an open-source library that developers use to help figure out what's going on with their applications that are written in the Java programming language. The reason why you’re hearing about it now is because there was a serious security issue and attackers could easily use one of the library’s features to run their code on your systems, and those attackers want to do that to profit from your resources and data. I’ve heard so much information about this over the past few days—to narrow it down for you, here the things that I think are most important for developers to know:

You’re likely only affected if your projects are written in Java.
If you use Java, you should go through your Github repositories and check to see if they include Log4J.
Use an open source vulnerability scanning tool to figure out if specific systems are affected. Jfrog released a tool that can help you determine if your code includes Log4j and a script that helps you find where Log4j is within your code.
It’s important to understand why this vulnerability is a big deal. The attack is so damaging because it’s constantly changing—it’s not a one-time thing. Even when you think you’ve resolved it, there are updates to the software and therefore more vulnerabilities and attacks.

We know what it takes to maintain software. Especially during a vulnerability. Our team believes in the power and benefits of open-source software—we recently donated to the Log4j project committers and the Apache Foundation to support those maintainers working tirelessly behind the scenes. Hopefully this additional backing, along with the support of other developers and companies who are committed to finding a resolution, will help us reach the end of this challenge sooner rather than later.

If you’re interested in learning more about the Log4j vulnerability, this post about the human toll of Log4j maintenance provides a helpful overview and timeline of what’s occurred over the past few days.

// Detect dark theme var iframe = document.getElementById('tweet-1473370596985610243-954'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1473370596985610243&theme=dark" }

How will Lacework’s acquisition of Soluble benefit devs?

Tessa Kriesel — Fri, 12 Nov 2021 14:09:41 +0000

I’m absolutely thrilled about Lacework’s newest announcement—we just acquired Soluble, a startup whose mission is to help security and operations teams leverage IaC to scale cloud operations and security for businesses of all sizes. I’m especially excited about what Lacework’s incorporation of the Soluble technology means for devs like yourselves. There are countless benefits, but these are the three that I’m looking forward to the most.

Security and dev teams can quickly and efficiently address problems

IaC is quickly becoming the primary mechanism to manage cloud infrastructure at scale. This shift increases both velocity and risk—to keep up, security and development teams need to quickly address the resulting vulnerabilities or misconfigurations. Integrating the Soluble technology into Lacework’s platform and teaming with Soluble’s experts prepares us to shift further left into developer workflows.

Integration is simple—connect with Lacework through Git

Lacework can directly and quickly reach developer audiences. Soluble helps Lacework make security issues easier to solve by correlating cloud misconfigurations to IaC and enabling remediation at the source via pull requests. This expands Lacework’s platform to the places where developers are writing their code: directly in the UX/CLI/GitHub and GitLab. For developers to integrate with Lacework, they simply need to connect through Git.

This facilitates security/operations teams and developer partnerships

Soluble shares Lacework’s vision to build a modern, data-driven approach to cloud security. Implementing Soluble’s capabilities to the Lacework platform helps security and operations teams shift further left and partner with developers so they can manage applications and infrastructure efficiently, securely, and reliably.

I’d love to hear your thoughts on this acquisition in the comments below👇.

This One Mistake Will Stop a DevSecOps Shift Left Strategy Dead in Its Tracks

Mark Nunnikhoven — Wed, 10 Nov 2021 18:30:00 +0000

DevSecOps is the latest in a long line of buzzwords. The core makes sense: work on security earlier. But why isn’t this everywhere? Here’s the biggest mistakes teams are making trying to “do” DevSecOps.

Learn more in the video 👆 or read through the transcript 👇.

Transcript

I see security teams making the same mistake over and over again when it comes to “shifting left.” It’s frustrating from afar and infuriating when you have to deal with it day-to-day.

Let’s dig in to the disaster that is DevSecOps…

[00:15]

Imagine for a minute, you’re in your kitchen preparing dinner. You’re a reasonably good home cook. More often than not, what you put on the table is enjoyed by those you’re sharing with it.

Sure, every once and a while you miss. But that’s the rare case, so when it does happen everyone smiles, you laugh, and then place an order for take out. Mistakes happen.

Not too bad, right?

[00:29]

Now, let’s say while you’re getting ready to sit down for a wonderful home cooked meal, you neighbour invites themselves in. They immediate start hammering you with questions like, “How sharp is that knife?”, “Do you know who grew that broccoli?”, “Are there too many ovens in this neighbourhood?”

Taken aback, you politely ask, “Um, are you a professional chef? Do you have a lot of experience cooking?”

They reply, “Oh no, I don’t even have a kitchen in my place. I just order food every once and a while.”

That’s basically the scenario I see play out in organizations around the world.

The development teams and builders are working to solve business problems and address customer needs.

Then the security team shows up out of no where and starts asking seemingly irrelevant questions and demanding that priorities change in the name “reducing risk” and “improving the overall security posture” without understanding what you’re working on or how you work.

[01:37]

This is why even the name DevSecOps frustrates me to no end. The DevOps philosophy already assumes that you want to build a resilient, reliable system. There’s no need to jam another acronym in there.

Teams know that security is important, they just need the information and support to make smart decisions at the right time.

So is this whole “shift left” thing doomed?

No.

Not if you do it well.

[02:06]

If you’re on the security team, the first thing you need to understand is that you probably don’t understand how the builders are working.

You can fix that.

Spend some time with them. Ask lots of questions to better understand their workflow and concerns.

Most important of all, make sure that the information from security tools that shift left provide information with the proper context and enough data for teams to make an informed decision.

[02:34]

Just because it’s a security priority, doesn’t mean it’s a business priority.

For developers and builders, understand that security controls can provide real value to you. The whole goal of these controls is to make sure things work as intended.

Network security tools look for malicious activity and malformed traffic. You don’t want that anywhere near your app.

Threat detection on your servers and containers is looking for errant processes and other indicators of compromise. This makes sure that your resources are only working for you instead of doing things like mining cryptocurrency for cybercriminals.

Posture management—ugh, horrible name—looks at the cloud services you’re using to make sure that you have configured them in a way that matches your risk appetite.

Vulnerability scanners look at your tech stack trying to find known issue before so they don’t bite you in the you-know-what.

[03:26]

Everything on this list and most of the other security controls out there can dramatic HELP you meet your goals.

With that understanding, you need to make sure that you have access to the outputs of these tools. You need to know that they are in place and doing their job, so that you can focus on other parts of yours.

By now, you’ve figured out that the number one mistake I see security teams making when they “shift left” is IGNORING the developers and builders.

For some reason, security teams assume that to “shift left” means doing their isolated security work earlier in the development process. That’s an archaic way of thinking.

[04:05]

To truly shift left, you need to leverage the capability of security tools and processes to help developers and builders identify risks with their systems earlier in THEIR processes.

This data will help the teams make informed decisions about what actions should be taken to meet the business goals.

Shifting security left can help reduce the risks to the business while improving the quality of the systems your build.

Who wouldn’t want that?

Lacework VS Code Extension

Jeff Thorne — Tue, 09 Nov 2021 22:54:00 +0000

The Lacework VS Code vulnerability scanner extension is a new plugin that will quickly identify vulnerabilities in your base images right from your IDE. This is a first step and alpha release with expanded and additional capabilities to be released soon.

This blog covers how to install lw-scanner and leverage it to perform image assurance scans from within VS Code.

Install lw-scanner
The plugin assumes that lw-scanner is installed on your local system. Installation instructions can be found here: support.lacework.com and the the latest release of the scanner binary can be found at github.com

Once lw-scanner is installed the next step is to download the Lacework plugin from the VS Code Marketplace.

With an active Dockerfile in the editor you can initiate an image assurance scan by clicking Command+Shift+P on macOS (Control+Shift+P on Windows/Linux).

Once the scan is complete you will see a summary next to the base image that will disappear along with a more detailed scan result available in the output window.

Source code can be found here for now: github.

This is just a quick preview update. For suggestions or feedback please open an issue on the repo. PRs welcomed. Stay tuned for more.

Cheers,
Jeff

Celebrating CascadiaJS

Jess West (she/her) — Mon, 01 Nov 2021 23:19:07 +0000

Hey friends! We are super pumped to announce that the FIRST developer conference we’re attending as a Developer Experience team is something near and dear to (my) heart, CascadiaJS. CascadiaJS is a conference that has been traditionally based in Pacific Northwest (PNW). Last year, it went virtual, which brought together developers across the world, literally. This year, the conference team has tackled a new challenge: a hybrid event. We know how much goes into conferences like this and we couldn’t be more thrilled to support this community. In our minds, community is all about supporting and learning from each other. As we build our community for Lacework, we want to learn from the folks at CascadiaJS about how we can best support their needs.

A handful of us will attend and listen to what is happening in the community and we’d love for you to say hello! Our team will be attending virtually and in-person, so we hope to run into you and help cheer on our fearless speakers and organizers.

👾 Vatasha White
🏍 Tessa Kriesel
🎤 Jessica West

Now, we all know the real networking happens at the after-party, so we of course wanted to help be part of that community experience. We are proud to be sponsoring karaoke this year! Does anyone know any cool security karaoke songs? Asking for a friend… See you there!

Stop Your Password From Opening The Door To Hackers

Mark Nunnikhoven — Fri, 22 Oct 2021 16:52:53 +0000

It's cybersecurity awareness month and we all should be doing out part to #BeCyberSmart.

The one thing I see people struggling with the most is using passwords and I get it.

A lot of what we've been subjected too about passwords is wrong and actually makes things less secure. Making matters worse, security folks—myself included!—aren't known as being the most communicative.

So, I set out to demystify passwords. In the video above 👆, I walk through how passwords are attacked, the UX around them, what makes a truly strong password, and finally I lay out a practical path for dealing with the mishmash of systems out there.

Here in this post, I'll give you the highlights...

Strength

A strong password is a long password...or more probably, a passphrase.

Length is the single most important factor in determining the strength of a password.

The second most important factor is the variety of characters you pick from (so, not just a-z). That's the reason for those crazy password rules we're all so familiar with.

Start thinking pass*phrase*, not password.

Old Rules

Those old rules I mentioned 👆? The whole "at least one capital letter, a number, a symbol, and be at least 8 characters long" thing?

Those rules actually lead to weaker passwords.

Thankfully the most commonly used guidelines were updated in 2017 but a lot of systems are still behind the times. That means we still have to deal with them. 😔

Password Manager

In addition to dealing with those older systems and rules, we also need different passwords for every site and app we use.

Why? Because it reduces your risk if one of those sites is hacked or has a breach.

One of the first things cybercriminals do when they get new credential sets is test them against popular sites.

But keeping track of all of those passwords is a pain. The solution is to use a password manager.

Which one doesn't matter much. Just make sure it runs on all of your preferred devices and has a nice user experience.

That's going to keep your passwords safe and sound...and generate long, gibberish passwords for any new logins.

Taking things a step further, the manager will actually log you in to those sites and apps when needed.

One Password To Rule Them All

To keep all of those passwords in the manager safe and secure, you'll need a password (couldn't avoid them completely 🤣).

Thankfully, almost all password managers are up to date on the rules and we can use a passphrase here.

This passphrase is only going to be used with your manager and you should only change it when you think someone might have figured it out or about every year or so.

Remember, this is the only password you're going to be typing in yourself. Make it a good one!

Here are some simple guidelines to follow to create a really strong and easy to remember passphrase:

use a random word generator to select at least 4 (more if you can) truly random words
throw in a symbol or number (or both) just because

Boom. Easy to remember, super strong password.

Something like: polite2vacuumcensusmonkey!narrowfrozen

polite 2 vacuum census monkey ! narrow frozen

Not only is that a fun passphrase (which I swear was randomly generated) but it's easy to remember and crazy strong.

Stay safe out there and #BeCyberSmart!

We're Lacework. We care about security.

Tessa Kriesel — Thu, 21 Oct 2021 15:35:32 +0000

You might be worried that this is another brand trying to get a foothold in a community. It’s not. Of course, that’s what we’d say even if it was, so let’s lay out how we’re going to show you it’s not.

Who Is Lacework?

We’re a team building out a data-driven security platform specifically aimed to help others teams understand their cloud environments.

What Lacework does

Pulls in a ton of data from what’s happening in your environment
Throws it through a bunch of enrichment, clean up, and modelling
Then highlights anomalies, misconfigurations, and other outliers

The goal is really to give you the context about behaviors in your builds so that you can make informed decisions.

The platform aims to answer the ‘simple’ (ha!) question of, “This happened, do I need to worry about it?”

Why Should You Care?

“This happened, do I need to worry about it?” is a critical question. Mistakes and misconfigurations are the number one problem when it comes to security in the cloud. Sure, there are lots of other “cooler” things happening but they are not nearly as common as those pesky mistakes.

While we’re building out this platform, we’re learning a ton about how devs like yourself view security and how teams approach those challenges.

We’re here to help explain the latest challenges around security, why it’s important, and how you can start to think about security-by-design when you’re building.

If that sounds complicated, it can be but at the end of the day, it’s really just about constantly asking yourself, “What else can this do?”

Asking yourself that one question goes a very long way to addressing a lot of security concerns.

What’s Next?

We plan on publishing content here around security best practices, security thinking, current news/issues, and other fun stuff to help you level up your security skill set.

That goes for everyone. We’re tired of people thinking that all security work is based on some esoteric branch of a long lost mystic art. Security is something we can all think of and it’s critical that we do.

We’re all building things that people use everyday and then expect those builds to work as expected…and only as expected.

Our team has a ton of ideas of what to publish here but we’d love to hear what you want to learn about. Let us know in the comments below 👇.

Thanks for having us in the community,

The Lacework Team

@jesswest
@tessak22
@marknca
@acd37
@danakn144
@pedigo36
@jeffthorne
and more yet to join us here!

OPA @Lacework

Jeff Thorne — Tue, 17 Aug 2021 22:19:52 +0000

There is always a ton of innovation and exciting things happening in the Kubernetes community. One of the CNCF projects we are super excited about over here at Lacework is Open Policy Agent which has seen tremendous interest and adoption over the last 18months. If you’re not familiar with OPA it is a unified toolset and framework that can be used for consistent policy decisions across your cloud native stack. In 2020 alone the OPA project had over 35 million downloads and officially became an CNCF graduated project on Feb 4th, 2021.

What really makes this project special is it’s open governance and that organizations can leverage their existing investment and skillset around policy in many facets of their cloud native stack. Lacework is committed to embracing OPA so that our customers can drive policy decisions in many parts of our platform.

Where are we starting with our OPA support? No place better than in build. This will allow us to offer an enriched developer experience, deeper insight, software supply chain governance, and flexible decision making prior to application delivery.

Ok enough of the fancy terms. Let’s get to the nuts and bolts of our current integration efforts. Lacework is currently in the process of launching a k8s security toolkit called Helios named after the greek titan of the sun and guardian of oaths. So how does OPA fit into Helios? One of Helios’ components is a k8s admission webhook that allows for policy decisions to be made at time of deployment through pod interception with OPA and Lacework image assurance.

Admission webhooks intercept requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. At a high level they offer admission control which governs and enforces how the cluster is used. Let’s take a look at how this works in action as seen in figure 1.

Figure 1 - High level architecture of k8s admission webhook

When the application or pod is deployed in step 1 and after the request has been authenticated and authorized it is passed the admission webhook which can be both mutating or validating for processing in step 2. From here the helios webhook will then lookup image assurance scan results with the Lacework platform for the image in step 3. This lookup is performed with the image SHA and if not found an on-demand scan can be initiated. From here in step 4 the scan results json object is sent to an OPA endpoint for a policy decision.

Then based on the results received from the OPA endpoint the pod or deployment is either allowed to be provisioned or is blocked. This result along with any error message received from the OPA endpoint is passed to the kube API server for processing.

We can see the results of this in action below in figure 2. The top terminal is an attempt to circumvent an approved organizational CI/CD pipeline and directly deploy application changes from kubectl. The bottom terminal is a tail on the Lacework Helios admission webhook. We can see that the pod deployment has been intercepted while image assurance results are validated against an OPA endpoint. Based on the vulnerability surface in this image the deployment was ultimately blocked from entering this cluster.

Figure 2 - Pod interception and OPA validation of scan results

These types of checks and best practices can also be integrated at build time through a variety of plugins to well know CI/CD tools. In figure 3 we can see a Jenkins pipeline blocked through an arbitrary policy written in Rego and validated in build against Lacework’s image assurance scanning results. Figure 4 displays a portion of the resulting build artifact.

Figure 3 - Custom OPA policy in build driving pipeline decisions

Figure 4 - Resulting build artifact displaying scan decision and policy ID

These are just a couple of quick examples demonstrating the power and flexibility of using Open Policy Agent to enforce policy decisions at various stages in your build to deploy pipelines. In this article we covered how Lacework is integrating OPA into our k8s admission controller and CI/CD plugins. Stay tuned for more info on our OPA and other tech initiatives.