Kubernetes and cloud-native computing sit at the epicentre of the last decade's tectonic shift toward enterprise use of open source software, and of all the security issues that shift entails. The transformation is no longer happening in stages; it is essentially complete: in the 2022 edition of Synopsys' annual "Open Source Security and Risk Analysis" report, four of the 17 industry sectors surveyed use open source in 100 percent of their codebases, and the remaining 13 use it in 93 to 99 percent of theirs.
Meanwhile, a series of high-profile software supply chain breaches since the SolarWinds compromise in late 2020 has shown how far-reaching the consequences of those labyrinthine dependency networks can be. The Log4j vulnerability (Log4Shell), disclosed in December 2021, showed how an open source library pulled in transitively, as a dependency of other dependencies, can be exploited in devastating and hard-to-detect attacks, as businesses struggled to work out whether, and where, vulnerable copies of the library were present in their systems.
According to the Synopsys analysis, Kubernetes itself remains a relatively safe haven against this backdrop because of its large, heavily invested community. The Kubernetes ecosystem, however, includes a slew of additional open source components, including small, single-developer projects whose upkeep, or lack of it, can put the platform at risk.
“GitHub has millions of projects in which the number of developers is in the single digits,” according to the Synopsys report. “One of the takeaways from Log4Shell’s discovery should be the need to create a path to mitigate the business risk associated with using open source software. The important distinction here is that open source itself doesn’t create business risk, but its mismanagement does.”
Supply chain risks = Kubernetes + automated deployments
SolarWinds' CI/CD pipeline was compromised, and several open source supply chain weaknesses disclosed since then hinge on the same idea: automated dependency resolution and update mechanisms, which researchers have shown can be abused to deliver malicious packages.
One such technique, demonstrated by a researcher in February 2021 and now widely known as dependency confusion, planted malicious packages in official public registries under the same names as the internal dependencies that organisations' build systems expected to fetch from their own private repositories, according to the 2022 "Cloud Native Threat Report" published on April 20 by container runtime security vendor Aqua.
“By giving his malicious packages version numbers that were higher than the authentic ones, [the researcher] tricked build processes into automatically downloading and incorporating the malicious dependency,” the Aqua report stated.
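The resolution behaviour the Aqua report describes, and two standard countermeasures, as an added example written for this article (it is not code from Aqua, Synopsys or the researcher cited). It simulates a build's dependency resolver in Python; the private index, public index, package names, versions and payloads are constructed for illustration only.

```python
"""Simulated dependency-confusion resolution and two mitigations.

Added example for this article; not code from Aqua, Synopsys or the
researcher cited. Package names, registries, versions and payloads are
constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Release:
    name: str
    version: Version
    source: str     # registry the release was fetched from
    payload: bytes  # stand-in for the downloaded archive

    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


Index = Dict[str, List[Release]]

# Constructed data: an internal package that exists only on the company's
# private index, and an attacker's copy of it on the public index with a
# deliberately higher version number.
PRIVATE_INDEX: Index = {
    "acme-billing-client": [
        Release("acme-billing-client", (1, 4, 2), "private", b"legitimate billing client"),
    ],
}
PUBLIC_INDEX: Index = {
    "acme-billing-client": [
        Release("acme-billing-client", (99, 0, 0), "public", b"malicious: exfiltrate env vars"),
    ],
    "requests": [
        Release("requests", (2, 27, 1), "public", b"requests"),
    ],
}


def resolve_vulnerable(name: str, indexes: List[Index]) -> Release:
    """Naive resolver: merge every configured index and take the highest
    version. This is the behaviour the attack relies on; pip with
    --extra-index-url resolves the same way."""
    candidates = [r for idx in indexes for r in idx.get(name, [])]
    if not candidates:
        raise LookupError(f"no release of {name} on any index")
    return max(candidates, key=lambda r: r.version)


def resolve_pinned_source(name: str, indexes: Dict[str, Index],
                          source_for: Dict[str, str]) -> Release:
    """Mitigation 1: each package name is bound to exactly one registry.
    A name with no declared source is rejected rather than silently
    falling back to the public index."""
    if name not in source_for:
        raise LookupError(f"{name} has no declared source; refusing public fallback")
    candidates = indexes[source_for[name]].get(name, [])
    if not candidates:
        raise LookupError(f"no release of {name} on {source_for[name]}")
    return max(candidates, key=lambda r: r.version)


Lock = Dict[str, Tuple[Version, str]]  # name -> (pinned version, sha256 hex)


def resolve_with_lock(name: str, indexes: List[Index], lock: Lock) -> Release:
    """Mitigation 2: a lockfile pins version and artifact hash. A higher
    version anywhere is ignored, and a same-version artifact whose hash
    differs from the lock is rejected."""
    version, expected = lock[name]
    for idx in indexes:
        for r in idx.get(name, []):
            if r.version == version and r.digest() == expected:
                return r
    raise LookupError(f"no release of {name} matches {version} / sha256:{expected[:12]}")


SOURCE_FOR = {"acme-billing-client": "private", "requests": "public"}
LOCKFILE: Lock = {
    "acme-billing-client": ((1, 4, 2), PRIVATE_INDEX["acme-billing-client"][0].digest()),
}

if __name__ == "__main__":
    hit = resolve_vulnerable("acme-billing-client", [PRIVATE_INDEX, PUBLIC_INDEX])
    print("vulnerable resolver picked:", hit.source, hit.version)  # public (99, 0, 0)
    safe = resolve_pinned_source(
        "acme-billing-client", {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}, SOURCE_FOR)
    print("source-pinned resolver picked:", safe.source, safe.version)  # private (1, 4, 2)
    locked = resolve_with_lock("acme-billing-client", [PRIVATE_INDEX, PUBLIC_INDEX], LOCKFILE)
    print("lockfile resolver picked:", locked.source, locked.version)  # private (1, 4, 2)
```

The naive resolver picks the attacker's 99.0.0 purely because it is the highest version on any configured index, which is the trick the Aqua report quotes. The two hardened resolvers correspond to real-world controls: binding each name to a single registry (npm scoped packages on a private registry, or pip configured with a single `--index-url` rather than an extra one), and pinning version plus artifact hash (pip's `--require-hashes` mode, or the `integrity` fields in an npm lockfile).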
After that research was published, other researchers uploaded more than 150 similar packages to npm alone; Aqua's own scan of 30,000 Python packages turned up more than 170 that contained suspicious or malicious functions.
Attackers targeted Kubernetes 10 percent more often in 2021 than in the previous year, which pales in comparison with the 300 percent rise in software supply chain attacks Aqua recorded. But because Kubernetes is so widely deployed by organisations connected through cloud APIs, a vulnerability that lets attackers breach the platform can have far-reaching consequences.
As a result, Kubernetes security policies must reach back to the start of the development process and cover raw application code and base container images, an approach known as "shifting left."
“You have to start from the beginning, when code is being created and you’re integrating these open source libraries into your [applications],” said Janet Worthington, an analyst at Forrester Research. “And it’s not just a point-in-time thing, because open source libraries can come into your project at different times, and a zero-day [vulnerability] can be found at any time.”
Here Kubernetes security runs into another, bigger industry problem: well-intentioned but poorly designed shift-left tactics can quickly overwhelm developers, which leads to misconfigurations and other mistakes. Many developers are already overwhelmed by the growing security workload that comes with open source software, according to the "2022 Open Source Software Supply Chain Survey" published April 13 by open source support vendor Tidelift.
“We’ve been asking similar questions for several years in these surveys, and every year, the top three challenges named by respondents are related to maintenance, security, and licensing,” according to the Tidelift report. “In our earlier survey, maintenance had been the #1 challenge, but this year — unsurprisingly — security took over the top slot.”