The first-ever Kubernetes Bill of Materials (KBOM) standard was published by the Kubernetes Security Operations Centre (KSOC).
The KBOM, which ships as an open-source CLI tool, gives cloud security teams an inventory of the third-party tooling running in their clusters, so they can respond faster to newly disclosed vulnerabilities, which have been appearing more frequently of late. Despite the substantial ecosystem of third-party Kubernetes tooling, software supply chain compliance guidelines have largely ignored it.
New vulnerabilities have recently been disclosed in a number of Kubernetes tools, including Crossplane (rated High), the Jenkins plugin (rated Medium), CubeFS and Clusternet. The Software Bill of Materials (SBOM) has matured to the point of being an official part of the NIST requirements the US government imposes on federal procurement, but that requirement stops short of the deployment stage of the application lifecycle, which is precisely where Kubernetes comes into play.
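To make concrete what a cluster-level bill of materials buys you when a new advisory lands, here is an added example (my own code, not KSOC's kbom tool or its output format) that reduces a `kubectl get pods -A -o json` listing to an inventory of image repositories, tags and digests per workload, then cross-references that inventory with an advisory feed. The pod list and the advisory feed are constructed inline; the image names, versions and severities are invented for illustration and do not describe real vulnerabilities. The interesting cases are the ones an SBOM built at build time never sees: images referenced only by digest or by the `latest` tag, which the inventory flags as unresolvable rather than quietly passing.

```python
"""Minimal Kubernetes bill of materials from a pod listing, matched against advisories.

Added example; not KSOC's kbom tool. All sample data below is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample: a trimmed `kubectl get pods -A -o json` response.
# Namespaces, pod names and images are invented for this example.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"namespace": "kube-system", "name": "coredns-7d4b"},
         "spec": {"containers": [
             {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1"}]}},
        {"metadata": {"namespace": "ingress", "name": "acme-ingress-0"},
         "spec": {"containers": [
             {"name": "controller", "image": "ghcr.io/example/acme-ingress:2.4.1"}]}},
        {"metadata": {"namespace": "ingress", "name": "acme-ingress-1"},
         "spec": {"containers": [
             {"name": "controller", "image": "ghcr.io/example/acme-ingress:2.4.1"}]}},
        {"metadata": {"namespace": "ci", "name": "ci-agent-0"},
         "spec": {"initContainers": [{"name": "init", "image": "busybox"}],
                  "containers": [
                      {"name": "agent",
                       "image": "localhost:5000/example/ci-agent@sha256:" + "ab" * 32}]}},
    ]
}

# Constructed advisory feed (hypothetical, not real vulnerabilities):
# image repository, first fixed version, severity label.
SAMPLE_ADVISORIES = [
    {"repo": "ghcr.io/example/acme-ingress", "fixed_in": "2.4.3", "severity": "High"},
    {"repo": "localhost:5000/example/ci-agent", "fixed_in": "1.2.0", "severity": "Medium"},
    {"repo": "docker.io/library/busybox", "fixed_in": "1.36.1", "severity": "Low"},
]


def parse_image_ref(ref):
    """Split an OCI image reference into registry, repository, tag and digest,
    applying the docker.io/library defaults that apply to bare names like `busybox`."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' is a tag separator only after the last '/'; before it, it is a registry port.
    tag = None
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    # The first path component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = "docker.io", parts
    if registry == "docker.io" and len(path) == 1:
        path = ["library"] + path
    if tag is None and digest is None:
        tag = "latest"  # the implicit default, and an unresolvable one
    return {"registry": registry, "repo": registry + "/" + "/".join(path),
            "tag": tag, "digest": digest}


def build_kbom(pod_list):
    """Reduce a pod list to an inventory keyed by image repository: which tags and
    digests are running, and in which namespace/pod (init containers included)."""
    inventory = defaultdict(lambda: {"tags": set(), "digests": set(), "workloads": set()})
    for pod in pod_list["items"]:
        md, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            img = parse_image_ref(c["image"])
            entry = inventory[img["repo"]]
            if img["tag"]:
                entry["tags"].add(img["tag"])
            if img["digest"]:
                entry["digests"].add(img["digest"])
            entry["workloads"].add(md["namespace"] + "/" + md["name"])
    return dict(inventory)


def parse_version(tag):
    """Turn a tag such as v1.10.1 into a comparable tuple; None if it carries no version."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def match_advisories(inventory, advisories):
    """Cross-reference the inventory with the advisory feed. A repository is 'affected'
    if any running tag is below the fixed version, 'unknown' if some running instance
    has no resolvable version (digest-only or `latest`), and 'fixed' otherwise."""
    findings = []
    for adv in advisories:
        entry = inventory.get(adv["repo"])
        if entry is None:
            continue  # component not present in this cluster
        fixed = parse_version(adv["fixed_in"])
        versions = {parse_version(t) for t in entry["tags"]}
        resolvable = {v for v in versions if v is not None}
        unresolvable = len(resolvable) < len(versions) or bool(entry["digests"])
        if any(v < fixed for v in resolvable):
            status = "affected"
        elif unresolvable:
            status = "unknown"
        else:
            status = "fixed"
        findings.append({"repo": adv["repo"], "severity": adv["severity"],
                         "status": status, "workloads": sorted(entry["workloads"])})
    return findings


if __name__ == "__main__":
    print(json.dumps(match_advisories(build_kbom(SAMPLE_POD_LIST), SAMPLE_ADVISORIES), indent=2))
```

Run against a live cluster by replacing `SAMPLE_POD_LIST` with `json.load()` of the `kubectl` output. The two "unknown" results are the practical lesson: a digest-pinned image is good practice but needs registry metadata to map the digest back to a version, and a `latest` tag tells you nothing at all, so neither can be cleared from the inventory alone.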
As teams continue to adopt Kubernetes at scale, a standard for describing the overall scope and configuration of a cluster is becoming necessary. A uniform view also saves effort for understaffed organisations, where Kubernetes expertise is already scarce, by letting security and platform engineering teams describe their Kubernetes deployments to outside parties quickly and completely.
Kubernetes adoption itself is strong, but the corresponding security adoption rate, 34% in 2022, is comparatively low. Simply establishing the scope of the environment is one of the main obstacles to any conversation with a third party or stakeholder about improving security in a Kubernetes environment.
“Kubernetes is orchestrating the applications of many of the biggest business brands we know and love. Adoption is no longer an excuse, and yet from a security perspective, we continually leave Kubernetes itself out of the conversation when it comes to standards and compliance guidelines, focusing only on activity before application deployment,” says KSOC CTO Jimmy Mesta.
“We are releasing this KBOM standard as a first step to getting Kubernetes into the conversation when it comes to compliance guidelines. We also hope others will join in to contribute so the practitioners running their business-critical apps on Kubernetes have practical tools to help with security,” Mesta adds.