When people hear the words “open-source project,” the image that often springs to mind is a very technical group of people writing complex code. But the truth is that open-source projects are a lot more than lines of code. One of the best ways to see the power of the open-source community in action is actually through its educational resources for developers.
While I do work on CyberArk Conjur Open Source as a software engineer as my day job (and yes, code), I’m also a member of the Cloud Native Computing Foundation (CNCF) Technical Advisory Group (TAG) focused on security, working on developing these types of resources for those working in cloud-native environments. CNCF has several TAG groups, but TAG Security is specifically focused on enabling developers by publishing best practices resources and creating assessment tools for developers to check the security posture of their projects.
One of the reasons I got involved with CNCF was because I love being a part of the open-source community, collaborating with volunteers of varied backgrounds and expertise to help developers work more securely. Their whitepapers and other tools are created with that community mindset, with multiple contributors and reviewers and constantly evolving versions that take into account new security insights and best practices.
While the TAG Security group has numerous resources and tools for developers (and you should definitely go check those out), I recently gave a talk on the key best practices resources developed by the group for anyone working in cloud-native app development. These whitepapers have some great takeaways on how to enhance the security posture of cloud-native development projects. Let’s dive in.
Cloud Native Security Whitepaper: Integrating Security Practices With Development
The Cloud Native Security Whitepaper is the flagship resource from the TAG Security group. Already on its second iteration (with the third in the works), this whitepaper delves into the complex world of cloud-native development. With the rapid pace of development and deployment in the cloud and the erosion of the traditional security perimeter, security vulnerabilities can quickly spring up if project owners are not diligent. To combat this issue, the authors of the whitepaper encourage closer integration of security practices with developer workflows. This is also known as “shift left,” where security is brought in early to the development lifecycle, rather than coming in at the end and potentially slowing down deployment.
The whitepaper covers each distinct phase of the application lifecycle: Develop, Distribute, Deploy and Runtime. Instead of traditional security approaches where security comes at the end of the development lifecycle, security for cloud-native development should be included in each of these phases. Below is a high-level list of security recommendations for each phase.
“Security testing needs to identify compliance violations and misconfigurations early to create short and actionable feedback cycles for continuous improvement…The modern security lifecycle for this model revolves around the development of code that adheres to recommended design patterns and ensures the integrity of the development environment.”
In the Develop stage, the authors recommend that DevOps teams leverage purpose-built tools to uncover potential misconfigurations and vulnerabilities hiding in application code, such as hard-coded secrets. One potential vulnerability to check is if any environment variables have hard-coded secrets that could be exposed by an attacker.
“Cloud-native application lifecycles need to include methods for verifying not only the integrity of the workload itself, but also the process for workload creation and means of operation… Artifacts (e.g., container images) present in the lifecycle pipeline require continual automated scanning and updates to ensure safety from vulnerabilities, malware, insecure coding practices, and other malfeasance.”
In the Distribute phase, teams are encouraged to secure CI/CD pipeline tools, scan container images in platforms like Kubernetes and perform robust tests prior to deployment.
“Deploy time checks provide the last chance to validate, correct, enforce these checks before the workload starts running to serve its intended business needs. Secure workload observability capabilities, deployed alongside the workload, allow for logs and available metrics to be monitored with a high level of trust, complementing integrated security.”
“Pre-flight” security checks should be incorporated into the development workflow prior to deployment to ensure no vulnerabilities were missed and that security regulations have been complied with.
“The cloud-native runtime environment can itself be broken down into layers of interrelated components with distinct security concerns… Best practices to secure this interrelated component architecture involves ensuring that only sanctioned processes operate within a container namespace, prevention, and alerting of unauthorized resource access attempts, and network traffic monitoring to detect hostile intruder activity.”
Security should be heavily involved in ensuring the integrity of each of the three critical areas of runtime: compute, access and storage. Encrypting secrets and analyzing audit logs for any compromises are just some of the ways security can help at this stage. Additionally, access to applications and workloads should be managed under the policy of least privilege to limit the reach of any potential breach.
The Four Principles of Software Supply Chain Security
Another topic at the top of everyone’s mind in the cloud-native space is software supply chain security. With high-profile breaches like CircleCI and the 2022 Uber attack demonstrating how far-reaching such an attack can be, shoring up the security of the software supply chain is high on the executive priority list these days. The authors of the Software Supply Chain Security whitepaper recommend a holistic approach of layered defense-in-depth strategies to best protect against such breaches. Here were some of their top recommendations:
- Every step in the software supply chain should operate under the “trust but verify” principle, with trust relationships explicitly defined and not assumed.
- Automating as much as possible within the supply chain can reduce the risk of human error and strengthen security.
- Build environments should be clearly defined, and both human and non-human identities operating in the build environment should have only the permissions they need under the principle of “least privilege.”
- All entities within the supply chain should use hardened authentication with regular key rotations.
Secure Defaults: Secure by Design
The final whitepaper I’d like to cover, Secure Defaults: Cloud Native 8, emphasizes the importance of building security into cloud-native systems so that they are secure by design. The “Cloud Native 8” recommendations are as follows:
1. Make security a design requirement.
2. Applying secure configuration has the best user experience.
3. Selecting insecure configuration is a conscious decision.
4. Transition from insecure to secure state is possible.
5. Secure defaults are inherited.
6. Exception lists have first-class support.
7. Secure defaults protect against pervasive vulnerability exploits.
8. Security limitations of a system are explainable.
Organizations like the CNCF are a great resource for any developer working with open-source software. The main message to take away from all of these whitepapers, as well as the other resources developed by TAG Security, is that integrating security into cloud-native development can pay dividends when it comes to strengthening your security posture and reducing the risk of attacks.
One of the biggest areas where security can help in the development lifecycle is by managing and securing secrets used throughout the development pipeline. That’s where CyberArk Conjur Secrets Manager can help, by centralizing secrets management so that your security teams have a single pane of glass to manage, rotate and audit secrets across your different development tools and environments. Check out our interactive Kubernetes security tutorial or our tutorial on securing CI/CD pipelines to see how Conjur can help you stay aligned with these cloud-native security best practices.
Shlomo is a senior software engineer at CyberArk working on Conjur Secrets Manager. He’s an open source and AppSec enthusiast, a member of the CNCF TAG Security and a contributor to multiple OWASP projects. In his free time, you can find him spending time with his wife and daughter, 3D printing, woodworking or hiking.