
São Paulo/SP – December 8, 2022. The OWASP Kubernetes Top 10 aims to help security professionals, system administrators and developers prioritize risks in the Kubernetes ecosystem.

By Nailton Paixão

Kubernetes is an orchestration platform designed to manage the configuration and lifecycle of containerized applications. Adopting it automates application deployments and updates, speeds up the scaling of containerized applications, and lets containers run across different hosts so that hardware is used efficiently, which saves resources. As Kubernetes adoption has grown, securing it has become an increasingly high priority for container security.

The Top 10 is listed below:

  • K01:2022 Insecure Workload Configurations

Kubernetes is highly configurable, so security misconfigurations can easily propagate across an organization's workloads and clusters. A survey conducted by Red Hat found that nearly 60% of respondents had experienced a misconfiguration incident in their Kubernetes environments in the previous 12 months.
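The following is an added example, not code from the original article or from the OWASP project, showing what a workload-configuration check for K01 looks like in practice. It embeds two constructed Pod manifests in JSON (a format the Kubernetes API accepts exactly like YAML): one with the weak settings the risk describes (privileged container, shared host namespaces, mutable image tag, no limits) beside a hardened one, and a small auditor that reports the findings. Names, namespace and the image reference are placeholders; the digest is an obviously fake all-zero value.

```python
import json

# Constructed sample manifests in JSON, which the Kubernetes API accepts
# just like YAML. Names, namespace and the image reference are placeholders.
WEAK_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "weak-app", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "containers": [{
      "name": "app",
      "image": "registry.example.invalid/app:latest",
      "securityContext": {"privileged": true}
    }]
  }
}
""")

HARDENED_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "hardened-app", "namespace": "default"},
  "spec": {
    "automountServiceAccountToken": false,
    "securityContext": {
      "runAsNonRoot": true,
      "runAsUser": 10001,
      "seccompProfile": {"type": "RuntimeDefault"}
    },
    "containers": [{
      "name": "app",
      "image": "registry.example.invalid/app@sha256:0000000000000000000000000000000000000000000000000000000000000000",
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      },
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
    }]
  }
}
""")


def audit_pod(manifest):
    """Return a list of K01-style findings for a Pod manifest (empty list = clean)."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing node namespaces removes the isolation between the pod and the host.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares the node's {flag[4:]} namespace")
    # The API token is mounted by default even if the workload never talks to the API.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        # runAsNonRoot can be set on the pod or the container; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image is not pinned by digest")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits (noisy-neighbour / DoS risk)")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

The same checks are what Pod Security Standards (the `restricted` profile) and admission controllers enforce at the cluster boundary; running them in CI against the manifests catches the drift before it reaches a cluster.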

  • K02:2022 Supply Chain Vulnerabilities

A Kubernetes deployment spans several supply chain phases of the development lifecycle. A single container image can contain thousands of third-party components and dependencies, which makes trusting those dependencies extremely difficult. The risks range from image integrity and image composition to known software vulnerabilities.

  • K03:2022 Overly Permissive RBAC Configurations

Role-Based Access Control (RBAC) is the mechanism that governs permissions on resources (get, create, delete, etc.). When properly configured it is an extremely powerful security mechanism; when it is overly permissive, however, it quickly becomes a major risk for the cluster, because an attacker who abuses excessive permissions can greatly increase the damage of an attack.
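As an added illustration of K03 (not code from the article or the OWASP project), the block below audits constructed RBAC objects for the patterns that make a configuration overly permissive: wildcards in verbs, resources or API groups, the verbs that let a subject grant itself more rights (`escalate`, `bind`, `impersonate`), read access to Secrets, the `pods/exec` and `pods/attach` subresources, and bindings to broad groups or to the `default` service account. The role and binding names, namespace and subjects are placeholders.

```python
READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Constructed manifests (Python dicts mirroring the YAML structure); names are placeholders.
BROAD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ops-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}
TIGHT_ROLE = {
    "kind": "Role",
    "metadata": {"name": "app-config-reader", "namespace": "payments"},
    "rules": [
        # Least privilege: one resource type, named objects only, read-only verbs.
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["app-config"], "verbs": ["get", "watch"]},
    ],
}
BROAD_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "everyone-is-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
    "subjects": [{"kind": "Group", "name": "system:authenticated"}],
}
TIGHT_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "app-config-reader", "namespace": "payments"},
    "roleRef": {"kind": "Role", "name": "app-config-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "payments"}],
}


def audit_rbac_rules(role):
    """Return findings for the rules of a Role or ClusterRole (empty list = clean)."""
    findings = []
    name = role["metadata"]["name"]
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"{name} rule {i}: cluster-admin-like wildcard on verbs and resources")
        elif "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"{name} rule {i}: wildcard in verbs, resources or apiGroups")
        escalating = verbs & ESCALATION_VERBS
        if escalating:
            findings.append(f"{name} rule {i}: privilege-escalation verbs {sorted(escalating)}")
        if "secrets" in resources and (verbs & READ_VERBS or "*" in verbs):
            findings.append(f"{name} rule {i}: can read Secrets")
        if resources & {"pods/exec", "pods/attach"} and verbs & {"create", "*"}:
            findings.append(f"{name} rule {i}: can open interactive sessions in pods")
    return findings


def audit_binding(binding):
    """Return findings for the subjects of a RoleBinding or ClusterRoleBinding."""
    findings = []
    name = binding["metadata"]["name"]
    for subject in binding.get("subjects", []):
        kind, subject_name = subject.get("kind"), subject.get("name")
        if kind == "Group" and subject_name in ("system:authenticated", "system:unauthenticated"):
            findings.append(f"{name}: bound to the broad group {subject_name}")
        if kind == "ServiceAccount" and subject_name == "default":
            findings.append(f"{name}: bound to the default service account of {subject.get('namespace')}")
    return findings


if __name__ == "__main__":
    for obj in (BROAD_ROLE, TIGHT_ROLE):
        print(obj["metadata"]["name"], audit_rbac_rules(obj) or "no findings")
    for obj in (BROAD_BINDING, TIGHT_BINDING):
        print(obj["metadata"]["name"], audit_binding(obj) or "no findings")
```

In a real cluster the same objects are obtained with `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`, and the binding check is what ties the finding back to an actual identity: a wildcard role that nothing is bound to is a hygiene issue, one bound to `system:authenticated` is an incident waiting to happen.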

  • K04:2022 Lack of Centralized Policy Enforcement

Policy enforcement gives security teams the ability to enforce governance, compliance, and security requirements across the entire infrastructure.

  • K05:2022 Inadequate Logging and Monitoring

Because Kubernetes generates logs at many levels and from many different components, failures in capturing, storing and monitoring these assets can occur, and attackers can then exploit vulnerabilities without being detected. The lack of logging and monitoring also presents challenges during incident investigation and response.
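An added example for K05, not part of the original article: the API server audit log is the single most useful Kubernetes log source for detection, and the block below runs three simple detections over constructed audit events in the `audit.k8s.io/v1` JSON-lines format (a human reading a Secret, an interactive `exec` into a pod, and a burst of `403 Forbidden` responses for one identity). Usernames, namespaces, object names and timestamps are all constructed; the control-plane identities that are skipped are the standard `system:kube-*` and `system:apiserver` names.

```python
import json
from collections import Counter

# Constructed audit events (audit.k8s.io/v1, one JSON object per line); all values are placeholders.
AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets/db-credentials","verb":"get","user":{"username":"jane@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-12-08T10:00:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-12-08T10:00:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/pods/api-7d9f/exec?command=sh","verb":"create","user":{"username":"jane@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7d9f","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2022-12-08T10:00:03.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"bob@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2022-12-08T10:00:04.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets/db-credentials","verb":"get","user":{"username":"bob@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-credentials"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2022-12-08T10:00:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"list","user":{"username":"bob@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"clusterrolebindings"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2022-12-08T10:00:06.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/configmaps/app-config","verb":"get","user":{"username":"jane@example.invalid","groups":["system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"payments","name":"app-config"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-12-08T10:00:07.000000Z"}
"""

# Control-plane identities whose Secret access is routine and would only add noise.
CONTROL_PLANE_PREFIXES = ("system:kube-", "system:apiserver")


def parse_events(text):
    """Parse JSON-lines audit output into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, forbidden_threshold=3):
    """Return human-readable alerts for the detections described in the lead-in."""
    alerts = []
    forbidden = Counter()
    for event in events:
        user = event.get("user", {}).get("username", "")
        ref = event.get("objectRef") or {}
        verb = event.get("verb")
        code = event.get("responseStatus", {}).get("code")
        if user.startswith(CONTROL_PLANE_PREFIXES):
            continue
        if code == 403:
            # Count denials per identity; one is noise, a run of them is permission probing.
            forbidden[user] += 1
            continue
        if ref.get("resource") == "secrets" and verb in READ_VERBS:
            alerts.append(f"{user} read Secret {ref.get('namespace')}/{ref.get('name')}")
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and verb == "create":
            alerts.append(f"{user} opened {ref['subresource']} session in {ref.get('namespace')}/{ref.get('name')}")
    for user, count in forbidden.items():
        if count >= forbidden_threshold:
            alerts.append(f"{user} received {count} Forbidden responses (possible permission probing)")
    return alerts


READ_VERBS = ("get", "list", "watch")

if __name__ == "__main__":
    for alert in detect(parse_events(AUDIT_LOG)):
        print("ALERT:", alert)
```

Note that these detections only work if the audit policy records the relevant requests at `Metadata` level or above and the log is shipped off the node; an audit policy that drops Secret reads, or a log that stays on the control-plane host, is exactly the gap this risk describes.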

  • K06:2022 Broken Authentication Mechanisms

Kubernetes offers multiple ways to authenticate, which can itself become a security problem.

  • K07:2022 Missing Network Segmentation Controls

Within Kubernetes, applications eventually need to communicate with each other. When there are no controls limiting that communication, any application can talk to any other without restriction, and attackers can exploit this to reach other containers.
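The following is an added example for K07 (not from the article or the OWASP project) that models how Kubernetes NetworkPolicy ingress rules are evaluated, so the effect of a missing default-deny policy can be seen concretely. The pods, labels, namespaces and the two policies are constructed; the evaluator implements the core semantics (a pod with no policy selecting it is not isolated and accepts everything; once selected, traffic is allowed only if some selecting policy has a matching `from` peer; a bare `podSelector` peer only covers the policy's own namespace) and deliberately leaves out ports, `matchExpressions` and `ipBlock` peers.

```python
# Constructed inventory: pod name -> (namespace, labels). Names are placeholders.
PODS = {
    "frontend": ("shop", {"app": "frontend"}),
    "api":      ("shop", {"app": "api"}),
    "db":       ("shop", {"app": "db"}),
    "fake-api": ("tools", {"app": "api"}),   # same label as "api", different namespace
}
NAMESPACE_LABELS = {
    "shop":  {"kubernetes.io/metadata.name": "shop"},
    "tools": {"kubernetes.io/metadata.name": "tools"},
}

# Constructed NetworkPolicy objects (dicts mirroring the YAML structure).
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},   # selects every pod, allows nothing
}
ALLOW_API_TO_DB = {
    "metadata": {"name": "allow-api-to-db", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}],   # ports are not modelled here
    },
}


def selector_matches(selector, labels):
    """An empty selector matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src_ns, src_labels, policy_ns):
    """Does one entry of an ingress rule's 'from' list cover the source pod?"""
    if "ipBlock" in peer:
        return False   # ipBlock peers are not modelled in this example
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src_ns, {})):
            return False
    elif src_ns != policy_ns:
        return False   # a bare podSelector only matches pods in the policy's own namespace
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src_labels):
        return False
    return True


def ingress_allowed(src, dst, policies):
    """Return True if pod `src` may send traffic to pod `dst` under the given policies."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == dst_ns
                  and "Ingress" in p["spec"].get("policyTypes", [])
                  and selector_matches(p["spec"].get("podSelector", {}), dst_labels)]
    if not applicable:
        return True    # no policy selects the pod: it is not isolated and accepts all ingress
    for policy in applicable:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if not peers:  # a rule without 'from' allows all sources
                return True
            if any(peer_matches(peer, src_ns, src_labels, dst_ns) for peer in peers):
                return True
    return False       # selected by at least one policy and no rule matched


if __name__ == "__main__":
    for policy_set in ([], [DEFAULT_DENY_INGRESS], [DEFAULT_DENY_INGRESS, ALLOW_API_TO_DB]):
        names = [p["metadata"]["name"] for p in policy_set] or ["(no policies)"]
        print(", ".join(names))
        for src in ("frontend", "api", "fake-api"):
            print(f"  {src} -> db: {'allowed' if ingress_allowed(src, 'db', policy_set) else 'denied'}")
```

The run shows the three states the text describes: with no policies every pod, including one from another namespace, reaches the database; the default-deny policy alone blocks everything; and the allow rule re-opens only the intended path, without being fooled by a pod in another namespace carrying the same label.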

  • K08:2022 Secrets Management Failures

A Secret is an object that contains a small amount of sensitive information (passwords, tokens or keys). Using Secrets saves you from having to include sensitive data in your source code, for example. If misconfigured, they can expose sensitive data to attackers.

  • K09:2022 Misconfigured Cluster Components

Misconfigurations in core Kubernetes components can lead to complete compromise of the applications running in the containers.

  • K10:2022 Outdated and Vulnerable Kubernetes Components

Numerous vulnerabilities have already been found in Kubernetes, and running outdated software can cause many problems that compromise the integrity of the entire system.

Additionally, the adoption of 24/7 monitoring services, such as SOC (Security Operations Center), and the periodic performance of PenTests with the aim of identifying weaknesses that may expose the security of systems and applications

— Nailton Paixão is a Cybersecurity Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, many of whom are among the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, the certification of operations, services or companies to the ISO 27001, ISO 20000 or ISO 22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to diagnose the Cybersecurity, Information Security and Data Privacy controls implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization in order to raise the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!