Securing Modern Applications - Industry Guide

Introduction to Modern Applications

Overview

At VMware, we define a modern application as a resilient, multi-cloud supportive software service composed of orchestrated releases of virtual machines, containers, and serverless functions. Modern applications take advantage of advances in infrastructure architecture, like containers and microservices.

Modern Application Terms to Know:

Image: An image is a static, immutable file that includes executable code so it can run an isolated process on IT infrastructure. The image shares the OS kernel of its host machine.
Container: A running image. Container creation adds a writable layer on top of the immutable image.
Kubernetes: The standard way to manage and orchestrate these containers at scale.
Pod: A Pod holds one or more container(s). Pods are ephemeral by nature, if a pod (or the node it executes on) fails, Kubernetes can automatically create a new replica of that pod to continue operations.
Cluster: A cluster is a series of nodes connected together which run the containerized applications being managed by Kubernetes.
Microservices: Architecture for an application that lets developers make changes without a full deployment. These are built independently from one another and can fail independently without a full outage.
Service Mesh: How different parts of an application share data with one another.

Advantages of Modernization

So, why are enterprises moving so rapidly to adopt containers and cloud-native patterns? In simplest terms, it is because they can go from dev to production faster and continuously. It is how they deliver new revenue-generating applications more often and quickly resolve security vulnerabilities. It is how they hyper-focus on the customer experience and can be most competitive.

Given a majority of apps will be containerized and running in production on multi-cloud infrastructure in just a few years, our organizations must be ready to operationalize containers and Kubernetes — starting now.

Organizations are modernizing their technology for many reasons, including:

Business agility – Unlike its legacy counterpart, modern application infrastructure is easy to update and deploy changes quickly.
Scalability – The nature of containers allows you to quickly add new ones or take away depending on your business needs.
Innovative – Modern applications enable you to take advantage of the innovations offered by the cloud and create better experiences for customers.
Security – Like VMs, containers allow you to create an isolated environment for your applications.
Flexibility – Modern applications do not tie DevOps professionals down – they can run them from the cloud/on-prem/hybrid

Embracing DevSecOps

While there are many advantages to the modernization of application technology, securing modern apps requires unique knowledge, tools, and processes for optimal security. By putting security earlier in the development lifecycle, organizations can detect errors earlier in the application development cycle and prevent supply chain attacks.

As teams start to adopt containers and cloud-native practices, the developer experience becomes vital to ensuring apps are continuously delivered to the platform in a fast and compliant way. For example, today teams may use manual workflows to build container images from source code, which can consume many hours per week (which only gets worse as container use grows).

Containers introduce new security concerns. Cloud-native apps reuse open-source container images. Now, developers, operators, and security folks must ensure that artifacts and dependencies in their applications do not contain known vulnerabilities. Plus, the large number of containers and their network of connections to other resources increase the attack surface.

Running and managing containers across clusters and clouds is complex. How do you ensure the right access to the right environments for hundreds of development teams? How do you effectively manage traffic routing and resiliency for apps across clouds? How do you manage the health and performance of Kubernetes clusters everywhere? Teams face complexity when running containers at scale in areas like policy management, monitoring, and networking.

Organizations often make the decision to modernize due to the customer-oriented benefits, but in the migration fail to strategize on effective security strategies. Much like in the transformation to virtual machines; organizations assume that if containers are in their essence more contained then security is not the primary concern.

On top of addressing these concerns, organizations face the cultural change of adopting a DevSecOps mindset for working better together. More than ever before, security responsibility has shifted in the hands of the people implementing the technology, not just those enforcing the policies and compliance.

DevOps is a culture, movement, or practice that emphasizes the collaboration and communication of both software developers and other IT professionals while automating the process of software delivery and infrastructure changes. DevOps typically builds on Agile development principles and methodologies and is the biggest trend impacting both the applications and operations landscape. To be agile and fast, companies not only need to invest in technologies but also processes that foster cross-functional collaboration.

Analyst Perspectives

According to Gartner® ¹, “Organizations are adopting more cloud-native services at a higher rate of deployment velocity and many mature development teams are deploying multiple times a day. Platform as a service (PaaS) that aligns with cloud-native consumption is growing at 25.6% compound annual growth rate (CAGR).” Containers and Kubernetes have become synonymous with the modern apps transformation as organizations increasingly adopt hybrid, multi-cloud architectures and break down legacy monolithic applications into distributed microservices. However, this transformation brings new development paradigms that have significant security implications. The container attack surface has grown in orders of magnitude relative to virtualized applications; providing many more points of entry for attackers, who have already taken notice of the paradigm shift and new software ecosystem. According to Gartner 2, the cloud workload protection platform market, which includes containerized workloads, is expected to grow from an estimated $2 billion in 2020 to $6.65 billion in the next 3 years due to accelerated cloud and modern apps adoption.

In fact, Gartner 3 predicts that by 2025, 85% of organizations will run containers in production, up from less than 30% in 2020. Not only are containers themselves growing rapidly, but their average lifetime is also less than five mins. And that means many more points of entry for attackers.

To keep up with the growing demands and experiences of their customers, most organizations are modernizing and planning a cloud-first strategy. This cloud-first strategy must include security to be successful. In fact, Forrester 4 reports that almost 92% of development teams’ day-to-day work is impacted by cloud security decisions. However, over half of those respondents noted that securing workloads and containers was one of their topmost challenging tasks.

With the rise in the use of containerized applications, it is no surprise that attackers are following suit. According to the Modern Bank Heist Report 5.0 5, “58 percent witnessed an increase in application attacks in 2021.”

Image Source: 2021 Gartner Innovation Insight for Cloud-Native Application Protection Platforms

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

¹ Gartner | “Emerging Technologies: Future of Cloud-Native Security Operations,” Published 17 November 2021

2 Gartner | “Forecast Analysis: Cloud Workload Protection Platforms, Worldwide,” Published December 2021

3 Gartner | Emerging Technologies: Kubernetes and the Battle for Cloud-Native Infrastructure,” Published October 2021

4 Forrester | “Bridging the Developer and Security Divide,” Published September 2021

5VMware | Modern Bank Heist Report

Risk

The use of containerized microservices has caused the attack surface to grow tremendously compared to virtualized applications.

Not only is the use of containers themselves growing rapidly, but their average lifetime is also less than five minutes. New containers are being spun up constantly by development teams and new releases are happening all the time. Because of the ephemeral nature of containers, there are many points of entry for attackers.

Additionally, the use of public image registries has become commonplace, and many projects use third-party sourced components. Realizing this, attackers have started attacking these open-source projects and inserting malicious code early in the software supply chain to maximize their reach and take advantage of this trend.

Because attackers are taking advantage of these additional entry points, organizations must secure both the container layer and the Kubernetes layer.

Common Container Exploitation Methods

The goal of the adversary in most cases is to gain access to sensitive data, or some sort of financial gain from the attack. More frequently, we are seeing attackers install crypto-mining technology on containers for their financial gain.

Some of the most common types of attacks we see when it comes to containers are:

Exploiting a known vulnerability/container image vulnerabilities
Abusing misconfigurations / broken access controls in docker / k8s / cloud
Malware in images
Privilege escalation
Software supply-chain compromise (ex: a compromise of a private docker registry)
API attacks like Island Hopping and Watering Hole Attacks

It is also important to mention that any web application that is deployed with container technologies is still susceptible to web application risks such as the OWASP TOP 10 that is not specific to container behavior.

Kubernetes CVEs

Attackers are taking advantage of the use of Kubernetes as a new attack surface. As Kubernetes usage becomes more commonplace, we have seen more critical CVEs in applications built on distributed and cloud-native architecture. Here are some examples of well-known attacks that have had a widespread impact on organizations across industries.

SolarWinds: Supply chain risks are becoming a primary concern for all organizations developing software. Software and container images need to be scanned for vulnerability, signed, verified and stored securely.
Log4j: Log4j is a great example of a vulnerability that organizations are facing. When a new CVE is published, you need to be able to quickly determine where in your environment you are using which packages and which version to be able to remediate the vulnerability quickly.

Types of Risks

There are many different ways to think about risks when it comes to application architecture. The National Institute of Standards and Technology (NIST) breaks these risks into several key categories.

Host OS Risks
Orchestrator Risks
Image Risks
Registry Risks
Container Risks
API Threats (OWASP gives additional guidance on the Top 10 API threats)

As you build your security strategy, it is important to consider each of these types of risks and how mitigating this risk might look in your environment.

Challenges

Security teams want to enforce compliance and take control of Kubernetes security without slowing down innovation from development teams. With the number of alerts and vulnerabilities security teams receive daily, prioritization and management of resources become extremely challenging. They need visibility into their Kubernetes environments to even be able to accurately assess and manage their risk. In many cases, their existing tools are insufficient – making this an impossible task. They need tools that span the entire security lifecycle and embed security into existing practices within the organization.

On the other hand, development teams are coding, building, and deploying containers at such a rapid pace that security sometimes becomes an afterthought. There is a great need for security to “shift left” and to be embedded at the coding stage of the application lifecycle.

This cultural shift to DevSecOps can sometimes be the most challenging part of modern app security. Security teams are tasked with bringing other teams into the fold that they normally do not work with and that are not typically involved in the security processes. Development teams are learning the ropes of security and compliance and how their work can greatly impact security posture and management. Not only do these teams need to work together toward the common goal of security, but they need to get along and ensure that the right practices are in place to reduce friction between the two teams.

It takes substantial resources to ensure that an organization’s security posture meets the appropriate standards. Security and DevOps teams have multiple priorities and are constantly being pulled in many different directions. Adversaries are persistent. The smallest human error, misconfiguration, or vulnerability can be an open door for them to make their way further into your application environment. From the smaller script kitties to larger threat actors, they use every resource at their disposal to exploit an environment.

Developing a Security Strategy

Key Considerations

When choosing a container security vendor, you want to make sure that this vendor fits into your long-term strategy. You need a vendor that can grow and scale as you grow. Here are some key considerations to consider when evaluating these vendors.

Secure applications both in the CI/CD pipeline and in production.
They take a layered approach.
Automation is at the forefront; they provide an API and offer integrations.
They should provide an API gateway and API security
They easily fit in with your existing technology.
They are Modern Apps experts and Security experts

Questions to Ask

Developing the right strategy for securing modern applications requires a thoughtful approach. You want to ensure that everyone is on board, otherwise, the change process will potentially cause conflict between and among teams. Here are some questions you should be asking as you develop this strategy:

What is our timeline? How can we implement a phased approach?
How will we communicate this change to the development, security, and IT operations team?
Do we have the right talent and resources to make this possible? What gaps exist and how should we solve those gaps?
What ways and metrics will be used to tell if our security practices are successful?
What security challenges should we anticipate?
What are the most common threats to container security? What threats are less common but could be more detrimental to our environment?
What compliance and regulatory guidelines do we need to be mindful of as we build this strategy?

Evaluation Guidance

To help mitigate this risk, here are some examples of success criteria to consider as a part of this strategy.

How to best evaluate for a Modern Apps security solution, it should:

Design architecture

Can it consolidate telemetry data across clouds, workloads, networks, and endpoints?
Does it support every Kubernetes implementation?
Can it enable Security to Shift Left: Integrations with CI/CD pipeline, CLI interface for developers to be able to scan for vulnerabilities and check compliance with your security policies.
Does it ensure no disruption to applications: the ability to audit prior to enforcement, build exceptions, limit CPU / mem/storage impact for your modern Apps security solution on-prem and in the cloud.
Does it improve the visibility needed by SOC team, without overwhelming the security team with the volume of threat alerts

Operational model

Agents, Sensors, Operators, Containers, and VMs required to install on each cloud, K8s cluster
Can IT Ops, DevOps, and SecOps leverage the same dataset when monitoring and responding to incidents?
Which governance frameworks does your platform support (e.g., CIS benchmark 1.6)?
How would a typical workflow operate among IT Ops, DevOps and SecOps once a threat, vulnerability, or misconfiguration has been identified?
Can it monitor service-to-service communications?
Does it reduce your MTTR (Mean Time To Resolution)?
Does it increase the operational confidence of your security team?

Scalability

What is the average CPU consumption per cloud workload protection agent?
How many consoles do you need for applying consistent security policies to endpoints, workloads, containers, and networks.?
Can the container protection platform enforce and report on a standardized consistent security policy across private, public, and hybrid cloud environments?
How does it conduct regular vulnerability scanning without impacting availability and performance?
Does it provide authentication, authorization, encryption, and policy controls to protect service-to-service connections?
Can it improve the communication between Dev Sec and Ops?

Summary and Additional Resources

Summary

In summary, modern applications require modern a modern solution for security. While containers, Kubernetes, and cloud-native technologies pose their own unique security risks, they also present an opportunity for Development, IT, and Security to come together to embed security throughout the entire application lifecycle. When planning your container adoption strategy, security and the developer experience need to be top of mind throughout the process. Ensure that your tools, people, and processes are set up to properly detect, evaluate, and mitigate risk to bring effective security practices to your organization.

Additional Resources

Changelog

The following updates were made to this guide:

Date	Description of Changes
4/11/2022	Guide was published.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Carbon Black Technical Marketing techzone-sbu@vmware.com.