Cloud Native Security

The information here addresses cloud native security and includes recommendations for securing your cloud native implementation.

Build Pipeline

Continuous Integration (CI) servers should be isolated and restricted to projects of a similar security classification or sensitivity. Infrastructure builds that require elevated privileges should run on separate, dedicated CI servers. Build policies should be enforced in the CI pipeline and by the orchestrator’s admission controllers.

Image Hardening

Container images are hardened based on industry best practice guidelines. All images are also assessed against the Center for Internet Security (CIS) benchmarks.

Image Scanning

Scanning container images is a critical component of securing container applications throughout the life cycle. It is important to do the scanning in the CI pipeline before deploying the image to production. Incorporating this capability ensures that all the relevant teams have detailed information about all known vulnerabilities and details such as the severity, the Common Vulnerability Scoring System (CVSS) score, and availability of mitigation and fixes.

MATRIXX performs image scanning on a daily basis as part of its vulnerability management program. All discovered issues are analyzed, prioritized, and added to the vulnerability register, and are then addressed according to their severity.
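As an added illustration, not MATRIXX's own code or any real scanner's output format, the following Python gate applies the kind of CI policy described above to a constructed scanner report: findings at or above a CVSS threshold that have a fix available fail the build, findings of an always-block severity fail it regardless, and unfixed findings above the threshold are returned separately so they can be tracked in the vulnerability register. The report structure, field names and the VULN-PLACEHOLDER ids are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample scanner report (assumed shape, not a real scanner's format).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.test/app:1.2.3",
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "package": "libssl", "severity": "CRITICAL",
         "cvss": 9.8, "fixed_version": "1.1.1w"},
        {"id": "VULN-PLACEHOLDER-2", "package": "zlib", "severity": "HIGH",
         "cvss": 7.5, "fixed_version": None},
        {"id": "VULN-PLACEHOLDER-3", "package": "curl", "severity": "MEDIUM",
         "cvss": 5.3, "fixed_version": "8.4.0"},
        {"id": "VULN-PLACEHOLDER-4", "package": "busybox", "severity": "CRITICAL",
         "cvss": 9.1, "fixed_version": None},
    ],
})


@dataclass
class GateResult:
    blocking: list        # finding ids that fail the build
    accepted_risk: list   # unfixed findings above threshold, for the register

    def passed(self):
        return not self.blocking


def evaluate_gate(report_json, cvss_threshold=7.0, block_unfixed=False,
                  always_block=("CRITICAL",)):
    """Apply an image-scanning policy to a scanner report before deployment.

    - severity in always_block: blocks whether or not a fix exists
    - cvss >= cvss_threshold and a fixed_version exists: blocks
    - cvss >= cvss_threshold with no fix: accepted risk (or blocks if
      block_unfixed is True), to be tracked in the vulnerability register
    - everything below the threshold is ignored by the gate
    """
    report = json.loads(report_json)
    blocking, accepted = [], []
    for v in report["vulnerabilities"]:
        if v["severity"] in always_block:
            blocking.append(v["id"])
        elif v["cvss"] < cvss_threshold:
            continue
        elif v["fixed_version"] is not None or block_unfixed:
            blocking.append(v["id"])
        else:
            accepted.append(v["id"])
    return GateResult(blocking, accepted)
```

A pipeline step would exit non-zero when `evaluate_gate(...).passed()` is false and post the `accepted_risk` list to the register.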

MATRIXX also monitors all images for embedded malware. The monitoring processes include the use of malware signature sets and behavioral detection heuristics based on real attacks.

Testing

Cloud native applications are subjected to the same suite and standard of quality testing as traditional applications. These include the concepts of:
  • Clean code.
  • Application security scanning and linting through static application security testing (SAST).
  • Dependency analysis and scanning.
  • Dynamic application security testing (DAST).
  • Application instrumentation.
  • Full infrastructure with tests available to developers in local workflows.

Automated test results are reported for real-time security assurance to security and compliance teams.

Hardening of infrastructure and workloads is supported by comprehensive test suites, which allow for incremental hardening as the system matures. Tests that verify hardening has occurred are run during the build and again at deployment, to catch any change or regression introduced during the life cycle.

Static Analysis and Security Testing

Static analysis covers linting, identifying misconfiguration, and vulnerability scanning. The cloud native build pipeline has the same pipeline policy controls as application workloads. Any exposed attack vectors in the configurations are addressed during this process.

Dynamic Analysis

Dynamic analysis of application and infrastructure might include detecting role-based access control (RBAC) and other configuration drift. Dynamic analysis is considered to be a part of testing; however, it is performed in a non-production runtime environment.

Security Tests

MATRIXX conducts automated security testing of applications and infrastructure. Test suites are continuously updated to replicate threats aligned with the organizational threat model and can be reused for security regression testing as the system evolves. Automated security testing demonstrates control efficacy on demand by explicitly attempting the modeled threats, which improves security and adherence to any embedded compliance requirements in real time.