
The discovery of a significant container-based (runc) exploit sent shudders across the Internet. Exploitation of CVE-2019-5736 can be achieved with “minimal user interaction”; it subsequently allows attackers to gain root-level code execution on the host.
Scary, to be sure. Scarier, however, is that the minimal user interaction was made easier by failure to follow a single, simple rule: lock the door. Studies have shown an increasing number of publicly accessible, containerized environments that require no credentials. That means anyone — maybe you, maybe me — could gain control and deploy the appropriate malicious container required to gain root-level access.
We know that speed (of delivery and deployment) is critical to success in the digital economy and that it often accounts for skipping security gates on the way to market. But sacrificing security for speed can easily turn that success into disaster.
Fortunately, there are a variety of simple steps you can take to help improve security without sacrificing speed. Here are five easy steps you should seriously consider to avoid becoming the next hashtag on Twitter.
Localize components
Studies agree that 80-90% of your app consists of third-party components. Too often these components are loaded at run-time from external sites and excluded from existing source code analysis scans. One of the ways in which the runc vulnerability could be exploited is by poisoning a container that is subsequently pulled and used in an application. The same is true for UX components loaded from third-party sources. Whenever possible, host third-party components on your own site to reduce the risk of tampering. If you think this isn’t really a risk, may I suggest reading about the compromised ESLint packages discovered in 2018?
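Before you can localize components you need an inventory of what your pages pull from elsewhere at run time. The following script is an added example, not code from the original post or from Tripwire: it parses an HTML page and lists every script, stylesheet, image and iframe whose source is served from a host other than your own. The host names and the sample page are constructed for the demonstration.

```python
"""Flag run-time-loaded third-party components in an HTML page.

Added example (not from the original post): an audit helper that lists
every <script>, <link rel=stylesheet|preload>, <img> and <iframe> whose
source is served from a host other than your own, so you can decide which
components to host locally. The host names and sample page are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute on each tag that makes the browser fetch a resource at run time.
_SRC_ATTRS = {
    "script": "src",
    "link": "href",
    "img": "src",
    "iframe": "src",
}


class _ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every automatically loaded resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = _SRC_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        if tag == "link":
            # Only stylesheets and preloads are fetched without user action;
            # icons, canonical links etc. are ignored here.
            rel = (attr_map.get("rel") or "").lower().split()
            if not ({"stylesheet", "preload", "modulepreload"} & set(rel)):
                return
        url = attr_map.get(attr_name)
        if url:
            self.resources.append((tag, url.strip()))


def is_third_party(url, own_host):
    """True if url is fetched from a host other than own_host.

    Relative URLs ("/js/app.js") are local. Protocol-relative URLs
    ("//cdn.example.net/x.js") are still network fetches and are compared
    by host. data: and blob: URLs are inline content, not fetches.
    """
    parts = urlsplit(url)
    if parts.scheme in ("data", "blob"):
        return False
    host = parts.netloc.lower()
    if not host:
        return False  # relative path: served by our own origin
    # Strip userinfo and port so "www.example.com:443" matches "www.example.com".
    host = host.rsplit("@", 1)[-1].split(":")[0]
    return host != own_host.lower()


def find_third_party_resources(html, own_host):
    """Return a sorted list of unique (tag, url) pairs for externally hosted components."""
    collector = _ResourceCollector()
    collector.feed(html)
    return sorted({(t, u) for t, u in collector.resources if is_third_party(u, own_host)})


# Constructed sample page: two self-hosted assets, three third-party fetches,
# one icon link (not auto-fetched here) and one inline data: image.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example-widgets.net/ui/3.2/ui.css">
<link rel="icon" href="https://cdn.example-widgets.net/favicon.ico">
<script src="/js/app.js"></script>
<script src="//cdn.example-widgets.net/ui/3.2/ui.min.js"></script>
</head><body>
<img src="https://img.example-analytics.com/pixel.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_third_party_resources(SAMPLE_HTML, "www.example.com"):
        print(f"<{tag}> loads from outside www.example.com: {url}")
```

Each URL the script reports is a component that a third party can change underneath you; the remediation the post recommends is to vendor it into your own build so it is served from your origin and covered by your own source scans.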
Scan components
Third-party components can — and do — contain vulnerabilities. If it’s part of your app, it should (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/devops/devops-security-checklist/