
Security Scanning Tools for Cloud Native Software

This document describes the changing process model for security scanning and gives a brief survey of the security scanning technologies currently under evaluation.

Purpose of Security Scanning

Security scanning is a specialized kind of testing that attempts to identify potential software bugs and misconfigurations that could make a deployed application vulnerable to attack and compromise.  As with any testing, the tests can be manual or automated, and they can be performed at various points in the development cycle.  We can classify security scanning into three categories:

  1. Static Scanning - performed against source code and configuration data, a static scan looks for common coding and logic errors that might lead to system compromise.  Also referred to as Static Application Security Testing (SAST).
  2. Dynamic Scanning - performed against a running system, a dynamic scan looks for vulnerable software and configurations that might lead to system compromise.  Also referred to as Dynamic Application Security Testing (DAST).
  3. Security Monitoring - deployed as part of the system, a security monitor continuously evaluates the security status against a set of rules or policies and reports anomalies.  Because it observes behaviour rather than matching known signatures, it offers the best chance of detecting and blocking zero-day exploits.

Static and dynamic scanning are typically integrated into the development process;  security monitoring is delivered as a feature component of the system.

Static Scanning Technology Overview

Fortify
  Target: Source code (including C++, PHP, Java)
  Type: Compliance / Vulnerability
  Detects: Exploitable coding defects
  Policy configuration: User-defined policies
  Notes: Mostly manual execution; CI pipeline automation started in 5G NF 1.3.  Cloud Lab provides pipeline integration (see Fortify Tooling User Guide#gitlabci); some NFs have started to use it.

McAfee Anti-Malware
  Target: Docker images
  Type: Compliance
  Detects: Malware
  Notes: Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE).

OWASP Dependency-Check
  Target: Source code (typically Java)
  Type: Vulnerability
  Detects: Known vulnerabilities (CVEs) in third-party packages (typically Java)
  Notes: Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE).

OCSC 3rd Party
  Target: Docker containers
  Type: Compliance / Vulnerability
  Detects: Oracle open source policy compliance; third-party software vulnerabilities (CVEs)
  Notes: Some overlap with OWASP Dependency-Check; also verifies the third-party approval status of every component used in the build.

Anchore Engine
  Target: Docker containers: base OS, Java, JS, Python packages
  Type: Vulnerability
  Detects: Known vulnerabilities (CVEs) in the container OS and packages
  Policy configuration: User-defined policies; whitelist/blacklist
  Notes: Integrated in the OCCNE deployment pipeline in 1.2.
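Every static-scan row above ends in the same CI decision: the build must fail on findings the policy does not accept, and any accepted finding needs a recorded, time-limited waiver rather than a permanent blind spot.  The following is an added example of such a policy gate, not code from this page or from Fortify, Dependency-Check, Anchore or OCSC.  The report shape and the field names fileName, name and severity are assumptions that mirror the dependency-to-vulnerabilities nesting SCA scanners emit but are no scanner's exact schema; the CVE ids are placeholders, and the package deny list stands in for the third-party approval check OCSC performs.

```python
"""Policy gate over a third-party-vulnerability scan report.

Added example, not code from the page or from Fortify, Dependency-Check,
Anchore or OCSC. The report shape is constructed: a list of dependencies,
each carrying findings with a CVE id, a severity and a CVSS score. The two
field names marked below are assumptions; adapt them to the real scanner.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Suppression:
    """A reviewed exception for one CVE. The expiry date is mandatory so a
    temporary waiver cannot silently become permanent."""
    cve: str
    reason: str
    expires: date


@dataclass(frozen=True)
class Policy:
    fail_on: str                  # lowest severity that blocks the build
    suppressions: tuple = ()      # tuple of Suppression
    denied_packages: tuple = ()   # filename prefixes with no third-party approval


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)   # (package, id, detail) that fail the build
    waived: list = field(default_factory=list)     # (package, cve, reason) under a live waiver
    expired: list = field(default_factory=list)    # (package, cve, expiry) lapsed waivers; also block

    @property
    def passed(self) -> bool:
        return not self.blocking


def run_gate(report: dict, policy: Policy, today: date) -> GateResult:
    result = GateResult()
    threshold = SEVERITY_RANK[policy.fail_on.upper()]
    waivers = {s.cve: s for s in policy.suppressions}

    for dep in report["dependencies"]:
        package = dep["fileName"]          # field name assumed; adapt to your scanner
        if any(package.startswith(prefix) for prefix in policy.denied_packages):
            result.blocking.append((package, "DENIED-PACKAGE", "no third-party approval on record"))

        for finding in dep.get("vulnerabilities", []):   # field name assumed; adapt to your scanner
            cve = finding["name"]
            severity = finding["severity"].upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue                   # below the policy line: reported, not blocking
            waiver = waivers.get(cve)
            if waiver is None:
                result.blocking.append((package, cve, severity))
            elif waiver.expires < today:
                result.expired.append((package, cve, waiver.expires.isoformat()))
                result.blocking.append((package, cve, f"suppression expired {waiver.expires}"))
            else:
                result.waived.append((package, cve, waiver.reason))
    return result


# Constructed sample report; the CVE ids are placeholders, not real advisories.
CONSTRUCTED_REPORT = {
    "dependencies": [
        {"fileName": "jackson-databind-2.9.8.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-1001", "severity": "CRITICAL", "cvssScore": 9.8},
             {"name": "CVE-0000-1002", "severity": "MEDIUM", "cvssScore": 5.3}]},
        {"fileName": "commons-collections-3.2.1.jar",
         "vulnerabilities": [{"name": "CVE-0000-2001", "severity": "HIGH", "cvssScore": 7.5}]},
        {"fileName": "log4j-1.2.17.jar",
         "vulnerabilities": [{"name": "CVE-0000-3001", "severity": "HIGH", "cvssScore": 7.5}]},
        {"fileName": "jquery-1.12.4.min.js", "vulnerabilities": []},
    ]
}

EXAMPLE_TODAY = date(2020, 6, 1)   # fixed "today" so the example is reproducible
EXAMPLE_POLICY = Policy(
    fail_on="HIGH",
    suppressions=(
        Suppression("CVE-0000-1001", "vulnerable code path not reachable (reviewed)", date(2020, 12, 31)),
        Suppression("CVE-0000-3001", "upgrade pending", date(2020, 1, 31)),   # already lapsed
    ),
    denied_packages=("jquery-1.",),
)

if __name__ == "__main__":
    outcome = run_gate(CONSTRUCTED_REPORT, EXAMPLE_POLICY, EXAMPLE_TODAY)
    for item in outcome.blocking:
        print("BLOCK ", *item)
    for item in outcome.waived:
        print("WAIVED", *item)
    raise SystemExit(0 if outcome.passed else 1)   # non-zero exit fails the CI job
```

Run as the last step of the scan job so its exit status is the job's: the sample report fails on an unwaived HIGH, a waiver that lapsed in January and a package on the deny list, while the CRITICAL with a live, justified waiver is reported as waived rather than hidden.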

Dynamic Scanning Technology Overview

RESTfuzz
  Target: RESTful APIs
  Type: Vulnerability
  Detects: Unexpected responses to unexpected inputs
  Notes: An Oracle tool.  Integration began in the 5G NF 1.3 pipelines; see RESTfuzz Scanning Guidelines.

OCCNE CipherScan
  Target: TLS ports
  Type: Compliance / Vulnerability
  Detects: OSSA TLS compliance
  Notes: An Oracle tool; plan to start using it in 5G NF 1.1 as TLS is introduced.

nmap
  Target: K8s environment
  Type: Port scanner / penetration testing
  Detects: Open ports
  Notes: Used to identify open ports.  The scan is being added to find the TLS ports to feed into CipherScan (story target: OCCNE 1.4).

OpenSCAP
  Target: Local OS
  Type: Compliance / Vulnerability
  Detects: CIS-inspired verification of the base OS (and much more)
  Notes: Automated execution via CI pipeline in OC-CNE 1.1.

OL 7 CIS Benchmark
  Target: Local OS
  Type: Compliance
  Detects: CIS verification of the base OS
  Notes: Automated execution via CI pipeline planned.

docker-bench-security
  Target: Docker environment
  Type: Compliance
  Detects: Insecure Docker configuration
  Notes: Automated execution via CI pipeline in OC-CNE 1.1.

kube-bench
  Target: K8s environment
  Type: Compliance
  Detects: Insecure K8s configuration (checks follow the CIS Kubernetes Benchmark)
  Notes: Automated execution via CI pipeline in OC-CNE 1.1.

kube-hunter
  Target: K8s environment
  Type: Pen test
  Detects: Automated penetration testing of the cluster
  Notes: To be evaluated.

kube-scan
  Target: K8s workloads (workload security assessment)
  Type: Compliance
  Detects: Scores workloads for questionable configurations
  Notes: To be evaluated.

WebInspect
  Target: OAM GUIs
  Type: Vulnerability
  Detects: Unexpected responses to unexpected inputs
  Notes: We need to run this against our CNCC offering.
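The nmap row describes a two-step procedure: find the open ports, then hand the TLS-speaking ones to the cipher scanner.  Here is an added example of the glue between those steps; it is not code from this page, from nmap or from CipherScan.  It assumes nmap was run with -sV -p- --open -oG (service detection is what marks a port as ssl|<proto> in the greppable output), parses only the documented greppable line format, and emits nmap's own ssl-enum-ciphers script as the cipher-scan step in place of the CipherScan command line, which the page does not show.  The scan output is constructed.

```python
"""Pick TLS-speaking open ports out of nmap greppable output for cipher scanning.

Added example; not code from the page, from nmap or from OCCNE CipherScan.
It assumes the input came from
    nmap -sV -p- --open -oG scan.gnmap <targets>
and relies only on the -oG line format: a "Ports:" label followed by
port/state/protocol/owner/service/rpcinfo/version entries separated by ", ".
The scan text below is constructed.
"""
from collections import defaultdict

CONSTRUCTED_GNMAP = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "443/open/tcp//ssl|http//nginx/, 8443/open/tcp//ssl|unknown///, "
    "9090/open/tcp//http//Prometheus/, 6443/open/tcp//ssl|http//Golang net|http server/"
    "\tIgnored State: closed (65530)\n"
    "Host: 10.0.0.6 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB/, "
    "8080/filtered/tcp//http-proxy///\n"
    "# Nmap done (constructed sample)\n"
)


def parse_gnmap(text: str):
    """Yield (host, port, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue                       # comments and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue                   # malformed entry: skip rather than crash the job
            port, state, service = fields[0], fields[1], fields[4]
            yield host, int(port), state, service


def is_tls_service(service: str) -> bool:
    """With -sV nmap reports a TLS wrapper as ssl/<proto>, written ssl|<proto>
    in -oG because slashes inside fields are replaced by '|'. A plain 'https'
    is only a well-known-port guess, which is why -sV is required."""
    return service.startswith("ssl") or service.startswith("https")


def tls_targets(text: str) -> list:
    """Sorted (host, port) pairs that are open and speak TLS."""
    return sorted({(host, port) for host, port, state, svc in parse_gnmap(text)
                   if state == "open" and is_tls_service(svc)})


def cipher_scan_commands(targets) -> list:
    """One ssl-enum-ciphers run per host covering all of its TLS ports.
    ssl-enum-ciphers is a stock nmap NSE script; substitute the CipherScan
    CLI here if that is the compliance tool of record."""
    by_host = defaultdict(list)
    for host, port in targets:
        by_host[host].append(port)
    return [f"nmap --script ssl-enum-ciphers -p {','.join(map(str, sorted(ports)))} {host}"
            for host, ports in sorted(by_host.items())]


if __name__ == "__main__":
    for cmd in cipher_scan_commands(tls_targets(CONSTRUCTED_GNMAP)):
        print(cmd)
```

On the constructed scan this selects 443, 6443 and 8443 on 10.0.0.5 and ignores the plaintext HTTP, PostgreSQL and filtered ports; the 6443 hit is the kind of TLS endpoint (an API server) a port-number guess would never classify, which is the practical reason to scan with -sV before cipher scanning.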

Monitoring Technology Overview

Pod Security Policies
  Target: K8s environment
  Detects: Non-conformant pods
  Notes: A Pod Security Policy is an admission-time control: a pod whose spec does not satisfy the configured policy is refused, not merely reported.  Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission (the pod-security.kubernetes.io namespace labels) is the in-tree replacement.

Falco
  Target: K8s environment
  Detects: Security anomalies
  Notes: Need to try this and understand the run-time impact, if any; also need to understand which checks come built in.

Sysdig
  Target: K8s environment
  Detects: System call tracing
  Notes: Need to try this and understand the run-time impact, if any; also need to understand which checks come built in.

NeuVector
  Target: K8s environment
  Detects: Security anomalies

StackRox
  Target: K8s environment
  Detects: Security anomalies
  Notes: Adds machine learning to the standard set of run-time checks.

Starboard
  Target: K8s environment
  Detects: kubectl integration of security tooling
  Notes: Adds the ability to integrate third-party security tools (compliance, vulnerabilities, etc.) into the kubectl API.
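The Pod Security Policies row is the one monitor in the table whose checks are fully specified by the pod spec itself, so it is worth seeing exactly what "non-conformant" means.  The following is an added example of that evaluation, not code from this page and not the Kubernetes admission controller: it walks a pod object as kubectl would hand it over and reports every breach of the usual baseline (no host namespaces, no hostPath, no privileged containers, no privilege escalation, no root, no dangerous added capabilities).  Both pod manifests and the capability list are constructed for the example.

```python
"""Admission-style check of a pod spec against the restrictions a Pod Security
Policy enforces (and that Pod Security Admission enforces today).

Added example: not page code and not the Kubernetes PSP admission controller.
It takes the pod object as a dict loaded from its JSON/YAML manifest and
returns every breach instead of stopping at the first, which suits a monitor
that reports as well as a gate that rejects. The manifests are constructed.
"""

# Capabilities that amount to host-level access; a baseline policy denies adding them.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE", "SYS_MODULE"}


def _containers(spec: dict) -> list:
    return spec.get("initContainers", []) + spec.get("containers", [])


def pod_violations(pod: dict) -> list:
    """Return (scope, rule) pairs for every policy breach; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []

    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            violations.append(("pod", f"{flag} must not be set"))

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(("pod", f"volume {vol.get('name')} mounts a hostPath"))

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append((name, "privileged container"))
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset,
        # so an absent field is a breach, not a pass.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append((name, "allowPrivilegeEscalation is not explicitly false"))
        # Container-level settings override pod-level ones; fall back to the pod.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not uid:      # uid None or 0 both mean root is possible
            violations.append((name, "may run as root (runAsNonRoot unset and no non-zero runAsUser)"))
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            violations.append((name, f"adds dangerous capabilities {sorted(added)}"))
    return violations


# Constructed: a node agent that asks for everything a PSP would refuse.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent", "image": "agent:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    },
}

# Constructed: the same shape of workload with the baseline applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, HARDENED_POD):
        found = pod_violations(pod)
        print(f"{pod['metadata']['name']}: {'REJECT' if found else 'admit'}")
        for scope, rule in found:
            print(f"  [{scope}] {rule}")
```

Two details matter in practice and are easy to get wrong when writing such checks by hand: allowPrivilegeEscalation defaults to true when omitted, so "not set" must be treated as a failure, and a container-level securityContext overrides the pod-level one field by field, so a pod that declares runAsNonRoot can still contain a container that sets runAsUser: 0.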

