The Two Projects Allow DevSecOps Teams to Identify, Understand, and Remediate Kubernetes Misconfigurations to Protect Against Cloud Native Security Vulnerabilities
SUNNYVALE, CA—January 22, 2020—Octarine, a continuous Kubernetes security company that simplifies DevSecOps, today announced the release of two new open source projects: the Kubernetes Common Configuration Scoring System (KCCSS), a new framework for rating security risks associated with misconfigurations, and kube-scan, a workload and assessment tool that scans Kubernetes configurations and settings to identify and rank potential vulnerabilities in applications within minutes.
Kubernetes puts more than 30 security settings under the control of development teams who often have limited security expertise, making it easy for applications to inadvertently end up with misconfigurations and associated vulnerabilities such as privilege escalations. KCCSS and kube-scan both leverage the CIS Compliance Benchmarks for Docker and Kubernetes 1.6 and 1.7 and will be maintained to support all future versions.
The Kubernetes Common Configuration Scoring System
KCCSS is similar to the Common Vulnerability Scoring System (CVSS), the industry standard for rating vulnerabilities, but it focuses on the configurations and security settings themselves rather than on software flaws. Vulnerabilities are always detrimental, whereas a configuration setting can be insecure, neutral, or critical for protection or remediation. KCCSS therefore scores risks and remediations as separate rules, lets users calculate a risk score for every runtime setting on a scale from 0 to 10 (10 being the highest risk), and then calculates the overall risk of the workloads.
kube-scan: Configuration Risk Assessment and Reporting
kube-scan is a free and open security assessment tool based on KCCSS that analyzes more than 30 security settings and configurations, such as privilege levels, capabilities, and Kubernetes policies, to establish a risk baseline. kube-scan identifies which workloads are most at risk, explains why and what the potential consequences are, and helps prioritize remediation through updates to Pod Security Policies, Pod definitions, and manifest files. kube-scan runs as a pod but does not allow ingress or egress access. It is safe to run in any environment and can be deleted after the risk score page has been accessed.
“Our mission is to make the adoption of DevSecOps best practices simple, understandable, and achievable for any organization running Kubernetes,” says Julien Sobrier, Head of Product at Octarine. “One glaring blind spot is at the configuration level when building and deploying cloud native apps. We hope these two new projects benefit Kubernetes practitioners industry-wide, and we look forward to collaborating with the community to make Kubernetes as secure and compliant as possible.”
“In the near future, distributed cloud will be the new normal in enterprise computing,” says Thomas Fricke, partner, founder and former CTO of Endocode, “and in this new paradigm, security hardening starts with the development teams at the configuration and code level. When we talk about shifting security left, it is the Kubernetes configurations and security settings that need to be addressed from the very beginning. KCCSS and kube-scan will help ensure that configurations are made properly so organizations aren’t surprised by unwanted privileged access or other vulnerabilities after it’s too late.”
KCCSS is licensed under the MIT License. To review the repository and learn more, visit GitHub. To download kube-scan and get an instant risk profile of your Kubernetes clusters, visit its repository on GitHub.
Octarine is a full-lifecycle security platform for Kubernetes that simplifies the adoption of DevSecOps best practices and ensures that cloud native environments are secure and compliant. Octarine infuses security into CI/CD workflows with Guardrails, CIS-benchmark compliance policy templates that keep code and configurations safe without getting in development’s way, as well as a secure runtime proxy layer that protects against threats in network traffic. Founded in 2017 and based in Sunnyvale, CA, Octarine has raised $9M from Accel Partners, Battery Ventures, Liberty Technology Venture Capital, and Sorenson Capital. Learn more about Octarine at www.octarinesec.com.