At Twistlock, we continue to work with enterprises and leading startups taking advantage of the benefits of running their applications on containers or serverless architecture. Developers, devops engineers, and enterprise architects are designing applications to run on containers from the ground up, as well as migrating legacy applications to containers using a lift and shift approach.
But, what about security? At Twistlock we want to provide developers and devops engineers with tools that integrate security into their current workflows, while offering security architects visibility, risk prioritization, and control across their entire cloud native environments. In fact, we want to automate as much of this as possible to save time and effort for everyone involved.
Cloud native applications and security
From day one, Twistlock has contributed to the security pillars regarding cloud native technology. For example, Twistlock had the opportunity to co-author NIST SP 800-190 Container Application Security Guide which looks at images, registry, orchestrator, container, and host OS countermeasures, as well as example threat scenarios. We also compiled a free companion guide so readers can better understand how Twistlock addresses vulnerabilities, threats, and risks for enterprises already adopting or running containers.
Recently, OWASP, the Open Web Application Security Project, updated their Top 10 Risks for Web Applications for 2017. This document explores the ten most critical risks facing web applications. In many ways, these risks mirror threats presented in the NIST SP 800-190. At the same time, I felt that recapping some of these risks, how they impact containers, and how Twistlock addresses them would be useful.
Understanding the OWASP Top 10 Risks
The 2017 Top 10 Risks list is notable because it was most recently updated in 2014. As you can guess, a lot has changed in those four years. The following sections will highlight key categories and how Twistlock aims to address security concerns around each risk.
A1 – Injection
In general, security pros are already familiar with the various forms of injection attacks that plague web applications. These attacks can include SQL and NoSQL attacks which look to run unintended commands or gain access to private information. At Twistlock, we provide automatically-deployed, layer-7 firewalls to protect your web applications — without any manual configurations of rules or processes. This provides security benefits specific to your cloud native applications.
A2 – Broken Authentication
Broken authentication includes any issues involving compromised authentication mechanisms. For example, brute force or automated attacks, weak or common admin passwords, poor credential resets, and more. To combat these issues, we recommend users ensure all authentication to the OS is audited, anomalies are monitored, and any escalation to perform privileged operations is logged. Twistlock catches and logs all sudo and sshd events on any host protected by Defender. These events are shown when someone runs commands with elevated privileges or establishes an SSH connection to a host.
In addition, Twistlock Cloud Native Application Firewall (CNAF) implements a specific OWASP recommendation: CNAF automatically limits the number of POST requests per minute, per session to prevent attackers from using brute force methods to guess passwords.
A3 – Sensitive Data Exposure
Teams should ensure that web applications are not exposing personal information to a potential attacker. Protecting sensitive data regarding containerized applications is an important pillar of the Twistlock Platform, that’s why we built Compliance Explorer to monitor and implement compliance throughout the application lifecycle. With Twistlock, you can easily implement CIS Benchmarks, as well as industry-standard compliance templates for HIPAA, PCI DSS, NIST SP 800-190, FISMA, GDPR, and internal compliance policies. We also continue to improve our runtime defense capabilities based on real-world attack scenarios discovered by our team of security researchers Twistlock Labs.
A4 – XML External Entities
Recently, Twistlock Labs security research Nitsan Bin-Nun wrote a summary about the Apache Struts vulnerability and how XML played its part in the attack. Twistlock provides a powerful, multi-layered defense against this type of attack.
Our vulnerability scanner would identify this critical vulnerability (CVE-2017-9805) at build time, giving developers the means to immediately address the issue before any image or application was deployed. If the vulnerability were unknown at build time, but it did become known while the image was in production, Twistlock policy machinery would either block further deployments or raise alerts. Finally, if these two controls were somehow circumvented, Twistlock runtime protection would detect activity outside the container’s known behavioral model, stopping the container from running or raising an alert. By looking for anomalous behavior outside of known good behavior, Twistlock can automatically identify XML attacks and prevent attackers from penetrating your environment.
A5 – Broken Access Control
Access control refers to authorized users having the appropriate access to the correct system resources as required by each user. If access control measures are not properly implemented, an attacker could access privileged information, accounts the attacker isn’t authorized to access or various forms of sensitive information.
In the Ultimate Guide to Container Security, we share that you should remember the following regarding access control:
Make sure that only containers that need access to a shared storage directory have access. In addition, make sure that no users or applications on thestorage server have access to the storage system unless they require it.
A6 – Security Misconfiguration
Security misconfiguration can easily be the biggest and most prevalent risk in the top 10 list. This category can overlap risks from category A9 – Using Components with Known Vulnerabilities.
At Twistlock, we believe that compliance management is a vital part of the application lifecycle:
- Twistlock leverages CIS Benchmarks to provide consensus-oriented security best practices for deploying containers in a production environment with checks that validate the recommendations from the Docker Benchmark and Kubernetes Benchmark.
- Twistlock ensures continuous enforcement of any enabled checks across your environment. You can set up a policy that immediately alerts you when any component in your containerized environment falls out of compliance. Twistlock Compliance Explorer presents a central dashboard that auditors can use to get quick look at their current compliance state.
- Both the Docker Benchmark and Kubernetes Benchmark provide over 200 compliance checks. To streamline the deployment of a sound compliance policy, we’ve graded each check using a system with four possible scores: Critical, High, Medium, and Low. By default, we’ve enabled all Critical and High checks, and disabled all Medium and Low checks. By addressing all Critical and High checks, you can be reasonably certain that your containerized environment is secure. At any time, you can customize these policies based on your own requirements.
A7 – Cross Site Scripting (XSS)
Cross site scripting is another common attack scenario where an attacker looks to execute scripts in a victim’s browser that can hijack sessions, deface web sites, and more. XSS is an attack against your input validation system.
Twistlock product manager Ian Da Silva offered this as a summary:
Engineers are faced with the challenge of validating input, but there are no formal axioms that they can look to for implementation guidance. As a result, most input validation systems are largely ad-hoc and based on regular expressions (regex). Input validation systems built on regex are like swiss cheese.
For any given regex, attackers aim to craft an attack string that works around it, which means the input validation system is going to have lots of false positives or false negatives. If you code your regex too tight, it will become a problem for usability; but if you code your regex too loose, it will become a problem for the security of your system because a significant number of attack strings could get through.
Tokenizing the input can reliably breakdown the input and reassemble it into a grammar that can be more easily examined for unsafe things. By using machine learning, our automatically-deployed Cloud Native Application Firewall (CNAF) automatically converts all requests into a stream of tokens, and then searches for matching fingerprints of known attack patterns to prevent attacks like XSS. CNAF thus reinforces your already-existing input validation system. Developer education still has a long way to go on input validation, and legacy applications that are lifted and shifted to containers are in dire need of protection by tools like Twistlock.
A8 – Insecure Deserialization
Insecure deserialization refers to risk presented by an application or API deserializing hostile or tampered objects supplied by an attacker. Fore example, Twistlock security researcher Daniel Shapira explained in detail the Jenkins Java Deserialization vulnerability and how it could lead to remote code execution. Twistlock Runtime Defense plays a vital part in preventing these types of attacks. Again, by creating a whitelist of known good behavior, Twistlock would automatically alert on or block this unintended behavior based on your configuration.
A9 – Using Components with Known Vulnerabilities
Vulnerable code is a risk known throughout the enterprise these days. Ponemon’s State of Application Security Report paints a clear picture of risk from application vulnerabilities. Security teams have a challenge not only in identifying vulnerable code, but working with developers to quickly fix issues. Identification of issues, prioritization of fixes, and quickness in remediating issues can easily becomes complex.
Comprehensive vulnerability management is a foundational pillar of the Twistlock Platform. Developers and devops teams should ensure they are using trusted images as they build their applications, scanning images for known vulnerabilities and compliance issues, and continuously monitoring their running applications for new security issues to resolve them in a timely manner. We want to make that as easy and efficient as possible.
One of our biggest differentiators when identifying known vulnerabilities comes with the Twistlock Intelligence Stream. By sourcing and cross-referencing vulnerability information directly from 30+ upstream projects, commercial sources, and proprietary research from Twistlock Labs, Twistlock users are better able to identify the highest levels of risk that could be present in their applications — all while reducing false positives.
A10 – Insufficient Logging and Monitoring
When breaches do occur, in-depth monitoring and a timely response can significantly limit damage performed by an attacker. Attackers benefit from risk presented by insufficient logging or monitoring. Twistlock provides a comprehensive framework for capturing and recording audit event records for activity in your container environment, including runtime events, access events, firewall events, scan events, and more. Twistlock also captures and records all events for local admin activity, including logins and changes to policies.
These events are stored in our database and can be retrieved via API. In many cases users, configure Twistlock to send all audits to syslog to be ingested and processed by your SIEM tools.
This foundation of comprehensive auditing led us to build Twistlock Incident Explorer. Incident Explorer takes all this raw audit data to find the proverbial needle in a haystack in the form of actionable security intelligence. By automatically correlating individual events generated by our the various sensors, Twistlock can show security architects unfolding attacks, so they can respond better than ever before.
Additional security resources in addition to OWASP
The list of OWASP Top 10 Risks is certainly an important guide when focusing on securing applications throughout the software development lifecycle. At the same time, I highly recommend the NIST SP 800-190 Companion Guide that our team put together to better understand container-specific threats and countermeasures.
If you are interested in learning how a Twistlock customer benefited from deploying Twistlock alongside a containerized application after migrating it, check out the Twistlock Guide to Modernizing Traditional Security.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
Safer Software with Twistlock and Google’s Binary Authorization for GKERead the Blog
Announcing Our Series C FundingRead the Blog
Real Time View of Your Cloud Native Applications: Radar v3Read the Blog
AWS Fargate Security: Runtime Defense with Twistlock 2.5Read the Blog
Cloud Native Forensics: Security Incident Response in Twistlock 2.5Read the Blog