Last week, CNCF participated at RSA Conference in San Francisco. As part of the DevOps Connect: DevSecOps co-located event, our GM Priyanka Sharma gave a keynote with Frederick Kautz. In their presentation, Priyanka and Frederick discussed the emergence of cloud native and the crucial role of security.
Missed the presentation? Check out the virtual replay on July 12, 2022, from 12:00 – 12:30 pm ET.
We sat down with Frederick to better understand CNCF’s security efforts and ways you can get involved:
Q: What is the role of security in cloud native?
Cloud native technologies power a significant portion of the world’s online services. If you are operating a cloud native infrastructure, you should familiarize yourself with the security features, tools, and best practices. The Cloud Native Security White Paper is an excellent place to start, which outlines a high-level overview and strategy for securing your systems.
Where you go after this depends on your situation. At the very minimum, you should generate an inventory of what applications and infrastructure you are using if you haven’t already. If you have any Kubernetes clusters in your environment, you can apply the CIS baseline for Kubernetes. Then start working towards building a secure software factory, a fancy name for a hardened CI/CD system that also produces provenance information about where software comes from. We have another white paper for that: https://www.cncf.io/blog/2022/05/20/announcing-the-secure-software-factory-reference-architecture-paper/. A reference implementation is being built by the OpenSSF at https://github.com/buildsec/frsca.
And finally, don’t neglect the developer experience. Ideally, developers are building applications that have minimal blast radius if compromised. Developers should familiarize themselves with the OWASP Top 10 and take steps to mitigate relevant common vulnerabilities. We also have several tools that can help provide critical infrastructure. For example, we have projects focusing on authentication, such as authorization with OPA, Kyverno, observability with Prometheus, OpenTelemetry, and Jaeger. Please note that this isn’t an exhaustive list or a recommendation for these projects over other CNCF projects. What you choose should be indicative of the requirements of your project.
Q: Is the open source approach secure? What are the benefits of participating in these efforts?
Like any software project, an open source project is only as secure as the developers’ practices. Open source projects range from worldwide efforts such as the Linux kernel and Kubernetes to toy projects people build to learn a technology and then abandon. When adopting any project, open or closed source, you should ask questions about your risk tolerance and determine whether the projects meet your requirements. Suppose you are building a business or life-critical application. It’s probably a good idea to bias towards well-supported open-source software. If you are well funded, establish a relationship with one of the leading vendors for the software you consume. In some scenarios, you may even hire a capable team who can help contribute to and maintain open source projects that are meaningful to your mission. Mature open source projects tend to amortize the cost of maintenance and reduce risk by increasing the diversity of contributing organizations, allowing for possible higher quality software with a lower total cost of ownership.
One exciting project that may help you determine the maturity of an open source project is OpenSSF’s Security Scorecards https://github.com/ossf/scorecard. The scorecards provide a means to analyze a project and provide meaningful guidance to help strengthen the security posture of a project. If you are a project maintainer, please consider adding a scorecard and work towards increasing your overall score. If you are a consumer, please consider asking the vendors you work with to contribute to adding a scorecard or expanding the project’s score.
Q: How can people get involved?
There are several ways you can get involved. The simplest thing you can do is educate yourself and your peers about the best practices for the technologies you employ. Certifications such as the CKA and CKS help guide what to learn and provide a credential you can use to demonstrate to others that you have a baseline level of knowledge on these topics.
Every CNCF project welcomes contributions, especially those focused on increasing security. If you are interested in participating, you can look up information about how the project developers communicate. E.g., Do they hold weekly community meetings? Discuss engineering topics on slack? Join the project’s community and ask questions about how you can help. Consider documenting and diagramming the architecture if no such documentation exists. Once the architecture is documented, create a threat model to help yourself and others understand and develop a defendable security stance.
There is also an opportunity to join and contribute to the CNCF Security Technical Advisory Group (Security TAG). The Security TAG is responsible for publishing security education resources, facilitating security assessments, identifying projects for CNCF inclusion, providing a venue for cross-pollination of knowledge, and integrating external standards. All experience levels are welcome.
Q: What resources or references would you recommend for someone new to cloud native?
In my opinion, the most significant strength cloud native has to offer is the community itself. I recommend getting involved with a community that shares your interests. Find local meetups in your area, join the CNCF slack, find discord communities that match your interests, and attend conferences if you can.
Other than the Kubernetes documentation, which is fantastic, I want to avoid singling out a specific set of resources or tutorials for learning how to architect, build, and operate Cloud Native technologies. Instead, I strongly recommend asking people in a community you join what they found helpful. Once you have a resource that fits your topic and learning style, consider implementing what you have learned. Early on, getting hands-on experience in what you are trying to learn is essential. Multiple projects let you run Kubernetes locally, such as kind, minikube, and k3s. Most major clouds also have a turn-key, production-quality Kubernetes solution that you or your employer can pay for. These tools make it easy to experiment and learn without fear.