ARMO Employs eBPF to Identify Severe Kubernetes Vulnerabilities

ARMO today announced it has added a capability to its Kubernetes security platform that makes it simpler to prioritize remediation of vulnerabilities based on their relevancy.

Ben Hirschberg, ARMO CTO, says this capability takes advantage of the extended Berkeley Packet Filter (eBPF) facility in the Linux kernel to scan running Kubernetes pods, along with the runtime environments deployed in them, to discover vulnerabilities in software packages.

The goal is to make it easier for organizations that have embraced DevSecOps best practices to streamline vulnerability assessments and remediation processes that today consume significant amounts of time to triage manually, he says.
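The relevancy idea described above can be reduced to a small triage step: take the vulnerability findings a scanner produced for a container image, take the files an eBPF tracer saw the container actually open or execute, and rank the findings whose packages were observed in use ahead of the rest. The following is an added illustration, not ARMO's or Kubescape's code, and it assumes a hypothetical trace line format (`openat pid=... comm=... path=...`) and a hypothetical SBOM-to-files map; the packages, paths, trace lines and vulnerability IDs are constructed sample data, and the IDs are placeholders rather than real CVEs.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    package: str    # "name@version"
    vuln_id: str    # placeholder identifier in this example, not a real CVE
    severity: str


# Constructed sample SBOM slice: package -> files that package installed.
SBOM_FILES = {
    "openssl@3.0.2": {
        "/usr/lib/x86_64-linux-gnu/libssl.so.3",
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
    },
    "curl@7.81.0": {"/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"},
    "perl@5.34.0": {"/usr/bin/perl", "/usr/share/perl/5.34.0/strict.pm"},
}

# Constructed scanner output for the same image (placeholder vuln IDs).
FINDINGS = [
    Finding("openssl@3.0.2", "PLACEHOLDER-0001", "high"),
    Finding("curl@7.81.0", "PLACEHOLDER-0002", "medium"),
    Finding("perl@5.34.0", "PLACEHOLDER-0003", "critical"),
]

# Constructed trace lines in a hypothetical format, the kind an eBPF program
# attached to the openat/execve tracepoints could emit for one container.
TRACE_LINES = """\
execve pid=1 comm=nginx path=/usr/sbin/nginx
openat pid=1 comm=nginx path=/usr/lib/x86_64-linux-gnu/libssl.so.3
openat pid=1 comm=nginx path=/usr/lib/x86_64-linux-gnu/libcrypto.so.3
openat pid=1 comm=nginx path=/etc/nginx/nginx.conf
execve pid=17 comm=curl path=/usr/bin/curl
openat pid=17 comm=curl path=/usr/lib/x86_64-linux-gnu/libcurl.so.4
""".splitlines()

TRACE_RE = re.compile(
    r"^(?P<event>execve|openat) pid=(?P<pid>\d+) comm=(?P<comm>\S+) path=(?P<path>\S+)$"
)


def parse_trace(lines):
    """Return the set of paths the traced processes executed or opened.

    Lines that do not match the expected shape are skipped instead of
    aborting the run; a tracer under load can emit partial records."""
    paths = set()
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m:
            paths.add(m.group("path"))
    return paths


def relevant_packages(sbom_files, loaded_paths):
    """Packages with at least one installed file observed at runtime."""
    return {pkg for pkg, files in sbom_files.items() if files & loaded_paths}


def prioritize(findings, relevant):
    """Rank findings: packages observed in use first, then by severity.

    Nothing is dropped. A package not seen during the trace window may still
    be loaded later (dlopen, a cron job, a tool exec'd by an operator), so
    unobserved findings are deprioritized rather than dismissed."""
    def key(f):
        return (f.package in relevant, SEVERITY_RANK.get(f.severity.lower(), 0))
    return sorted(findings, key=key, reverse=True)


def triage(findings=FINDINGS, sbom_files=SBOM_FILES, trace_lines=TRACE_LINES):
    """Return (vuln_id, package, observed_in_use) tuples in remediation order."""
    loaded = parse_trace(trace_lines)
    relevant = relevant_packages(sbom_files, loaded)
    return [(f.vuln_id, f.package, f.package in relevant)
            for f in prioritize(findings, relevant)]


if __name__ == "__main__":
    for vuln_id, pkg, in_use in triage():
        print(f"{'in use' if in_use else 'unused':6}  {vuln_id:18} {pkg}")
```

With the sample data, the medium-severity finding in curl (whose library nginx's sidecar process actually loaded) outranks the critical finding in perl, which nothing in the trace touched. The caveat a practitioner should keep in mind is the observation window: eBPF only reports what ran while the tracer was attached, so the ranking is a prioritization signal, not proof that an unobserved package is unreachable.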

ARMO originally developed Kubescape, an open source tool that tests whether Kubernetes clusters have been deployed securely, using the hardening guidance published jointly by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Kubescape retrieves Kubernetes objects from the API server and checks them for misconfigurations against that guidance. ARMO extends it so that IT teams can express their own cybersecurity policies using the Open Policy Agent (OPA) framework, which is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF).

As more Kubernetes clusters are deployed in production, IT teams are discovering that the platform is not secure by default: it exposes a wide range of settings that are easy to misconfigure. The ARMO platform is intended to make it easier for IT teams to find misconfigurations that cybercriminals might exploit. The more clusters run in production, the more attractive a target they become, which is especially problematic because the developers who provision clusters often have limited cybersecurity expertise with what is today one of the most complex platforms in enterprise IT.

Many organizations are addressing this by adopting DevSecOps practices to reduce the number of configuration errors that would otherwise be made. It takes time for developers to learn cybersecurity best practices, though, so the chances that a cluster is misconfigured remain fairly high. It then falls to cybersecurity professionals to identify which clusters are exposed to specific types of attack based on the severity of the vulnerabilities discovered. The ARMO platform now reduces the time required to decide which of the many vulnerabilities discovered should be addressed first, said Hirschberg.

It’s not clear whether cybersecurity concerns might be slowing the overall adoption of Kubernetes. However, in the wake of a series of high-profile software supply chain breaches, there’s more focus than ever on the underlying infrastructure being used to build and deploy applications.

It’s not clear how often Kubernetes environments are being compromised, but at this point it is a matter of when rather than if. Cybersecurity teams should assume vulnerabilities already exist and determine immediately which ones need to be fixed sooner rather than later.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
