CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era

  • Kennedy A. Torkura
  • Muhammad I. H. Sukmana
  • Feng Cheng
  • Christoph Meinel
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)

Abstract

The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. This has increased interest in application container counter-measures, e.g. detection and mitigation of the high number of vulnerabilities affecting container images, in particular images hosted on DockerHub. However, investigations of application-layer vulnerabilities in Microservice Architectures (MSA) such as Cloud Native Environments (CNE) are lacking. In this paper, we investigate both image- and application-layer vulnerabilities and apply vulnerability correlation to understand the dependence relationships between vulnerabilities found in these layers. The outcome of this analysis offers insights applicable to risk management and security hardening of microservices, e.g. deployment of vulnerability correlation-based security policies that are useful for vulnerability detection, risk prioritization and resource allocation. Our prototype implementation extends our previous security system, the Cloud Aware Vulnerability Assessment System (CAVAS), which employs the Security Gateway concept for security policy enforcement. The Security Gateway leverages the client-side discovery and registry cloud pattern for discovering microservices and the notion of dynamic document stores for exploring and testing RESTful microservices. Our experimental evaluation shows that the security gateway’s vulnerability detection rate out-performs that of traditional testing approaches by 31.4%. We also find that about 26.2% of the severity metrics for vulnerabilities detected by image security scanners are incorrect; correcting this information is therefore a prerequisite step for vulnerability correlation. Our proposal can thus be employed for efficient continuous security and risk assessment in CNE.

Keywords

Cloud security, Vulnerability assessment, Vulnerability correlation, Cloud native environments, Application container security

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Kennedy A. Torkura (1)
  • Muhammad I. H. Sukmana (1)
  • Feng Cheng (1)
  • Christoph Meinel (1)

  1. Hasso Plattner Institute for Digital Engineering, University of Potsdam, Potsdam, Germany