The discovery of a significant container-based (runc) exploit sent shudders across the Internet. Exploitation of CVE-2019-5736 can be achieved with "minimal user interaction"; it subsequently allows attackers to gain root-level code execution on the host. Scary, to be sure. Scarier, however, is that the minimal user interaction was made easier by failure to follow a single, simple rule: lock the door. Studies have shown an increasing number of publicly accessible, containerized environments that require no credentials. That means anyone – maybe you, maybe me – could gain control and deploy the appropriate malicious container required to gain root-level access. We know that speed (of delivery and deployment) is critical to success in the digital economy and that it often accounts for skipping security gates on the way to market. But sacrificing security for speed can easily turn that success into disaster. Fortunately, there are a variety of simple steps you can take to help improve security without sacrificing speed. Here are five easy steps you should seriously consider to avoid becoming the next hashtag on Twitter.
1. Localize components
Studies agree that 80-90% of your app is comprised of third-party components. Too often these components are loaded at run-time from external sites and excluded from existing source code analysis scans. One of the ways in which the runc vulnerability could be exploited is by poisoning a container that is subsequently pulled and used in an application. The same is true for UX components loaded from third-party sources. Whenever possible, host third-party components on your own site to reduce the risk of tampering. If you think this isn't really a risk, may I suggest reading about the compromised ESLint packages discovered in 2018?
2. Scan components
Third-party components can – and do – contain vulnerabilities. If it's part of your app, it should be part of your security process. And now that you've followed step one, you can easily include scanning those components in your CI/CD pipeline. When scanning components for vulnerabilities, don't forget this important point. All code – no matter where it executes – should be scanned for potential risks.
3. Lock the door
This is a simple but effective means of deterring attackers from easily gaining control over your environment. Whether it's a web, app, database or middleware server or a container orchestration environment, do not forget to require credentials to access administrative consoles. This includes any public repositories you might be using. This isn't just important for containers that tend to grab headlines these days. Plenty of compromises are thanks to the failure to secure cloud consoles and storage buckets.
4. Hide the key
Now that you've locked the door, don't leave the key on top of the doormat. Secret management is hard when done right, but it's essential to secure applications and operations from unauthorized access. Don't hardcode credentials and other secrets (like keys and certs) into files you commit to a repository. And don't use your repository as a key management store. Again, if you need a public example of what happens when you aren't careful with your secrets, read up on the Uber breach.
5. Include APIs
APIS – even façades – takes user input. That means it falls under Security Rule Zero: Thou shalt never trust user input. Make sure you aren't using APIs to simply pass data on to internal applications or microservices. Scan and secure APIs with the same zealousness as that of your applications. For a list of high-profile breaches involving APIs, give this Forbes article a read. Now it's true that there's a lot more you can – and should – be doing to secure applications and the environments in which they are running. But many of them are rendered ineffective by failing to follow these five, simple steps. Because they span the breadth of the CI/CD pipeline, it's important to get DevOps on board and adding these steps to their security checklist.
About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
