Abstract
The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. This has increased interest on application container counter-measures e.g. detection and mitigation of the high number of vulnerabilities affecting container images, in particular images retained at DockerHub. However, investigations on application-layer vulnerabilities in Microservice Architectures (MSA) such as Cloud Native Environments (CNE) is lacking. In this paper, we investigate both image and application layer vulnerabilities and apply vulnerability correlation to understand the dependence relationships between vulnerabilities found in these layers. The outcome of this analysis offers interesting insights applicable to risk management and security hardening of microservices e.g. deployment of vulnerability correlation-based security policies that are useful for vulnerability detection, risk prioritization and resource allocation. Our prototype implementation extends our previous security system: Cloud Aware Vulnerability Assessment System (CAVAS), which employs the Security Gateway concept for security policy enforcement. The Security Gateway leverages the client side discovery and registry cloud pattern for discovering microservices and the notion of dynamic document stores for exploring and testing RESTful microservices. Our experimental evaluation shows that the security gateway’s vulnerability detection rate out-performs that of traditional testing approaches with 31.4%. Also, we discover that about 26.2% of severity metrics for vulnerabilities detected by image security scanners is in-correct. Hence, correcting this information is a prerequisite step to vulnerability correlation. Our proposal can therefore be employed for efficient continuous security and risk assessments in CNE.
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
References
Fitzgerald, B., Stol, K.-J.: Continuous software engineering: a roadmap and agenda. J. Syst. Softw. 123, 176–189 (2017)
Bird, J.: DevOpsSec Securing Software through Continuous Delivery. O’ Relliy Media Inc., Sebastopol (2016)
Rahman, A.A.U., Williams, L.: Software security in devops: synthesizing practitioners’ perceptions and practices. In: Proceedings of the International Workshop on Continuous Software Evolution and Delivery (2016)
Fielding, R.T., Taylor, R.N.: Architectural styles and the design of network-based software architectures, Ph.D. thesis (2000)
Dragoni, N., et al.: Microservices: yesterday, today, and tomorrow. In: Mazzara, M., Meyer, B. (eds.) Present and Ulterior Software Engineering, pp. 195–216. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67425-4_12
Souppaya, M., Morello, J. Scarfone, K.: Application container security guide (2017). https://doi.org/10.6028/NIST.SP.800-190
Torkura, K.A., Sukmana, M.I., Meinel, C.: Integrating continuous security assessments in microservices and cloud native applications. In: Proceedings of the 10th International Conference on Utility and Cloud Computing (2017)
Scott, D., Sharp, R.: Abstracting application-level web security. In: Proceedings of the 11th International Conference on World Wide Web, pp. 396–407. ACM (2002)
Oppliger, R.: Security at the internet layer. Computer 31(9), 43–47 (1998)
Chen, P.-Y., Kataria, G., Krishnan, R.: Correlated failures, diversification, and information security risk management. MIS Q. 35, 397–422 (2011)
Gummaraju, J., Desikan, T., Turner, Y.: Over 30% of official images in docker hub contain high priority security vulnerabilities. Technical report, BanyanOps (2015)
Combe, T., Martin, A., Di Pietro, R.: Containers: vulnerability analysis. Technical report, Nokia Bell Labs
Bila, N., Dettori, P., Kanso, A., Watanabe, Y., Youssef, A.: Leveraging the serverless architecture for securing linux containers. In: 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW) (2017)
VMWare. Harbor. http://vmware.github.io/harbor/
Tak, B., Isci, C., Duri, S., Bila, N., Nadgowda, S., Doran, J.: Understanding security implications of using containers in the cloud. In: USENIX Annual Technical Conference (USENIX ATC 2017) (2017)
Zhang, M., Marino, D., Efstathopoulos, P.: Harbormaster: policy enforcement for containers. In: 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom) (2015)
Antunes, N., Vieira, M.: Designing vulnerability testing tools for web services: approach, components, and tools. Int. J. Inf. Secur. 16, 1–23 (2016)
Esposito, C., Castiglione, A., Choo, K.-K.R.: Challenges in delivering software in the cloud as microservices. IEEE Cloud Comput. 3(5), 10–14 (2016)
Thanh, T.Q., Covaci, S., Magedanz, T., Gouvas, P., Zafeiropoulos, A.: Embedding security and privacy into the development and operation of cloud applications and services. In: 2016 17th International Telecommunications Network Strategy and Planning Symposium (Networks). IEEE (2016)
Savchenko, D.I., Radchenko, G.I., Taipale, O.: Microservices validation: mjolnirr platform case study. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (2015)
Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S.: Malware guard extension: using SGX to conceal cache attacks. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 3–24. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_1
Wichers, D.: Owasp top-10 2013. OWASP Foundation, February 2013
Alliance, C.S.: Domain 4: complaince and audit management (2011). https://cloudsecurityalliance.org/wp-content/uploads/2011/09/Domain-4.doc
Sun, Y., Nanda, S., Jaeger, T.: Security-as-a-service for microservices-based cloud applications. In: 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom) (2015)
Almorsy, M., Grundy, J., Ibrahim, A.S.: Adaptable, model-driven security engineering for SaaS cloud-based applications. Autom. Softw. Eng. 21(2), 187–224 (2014)
Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)
Davis, S.: Using the open API specification to find first and second order vulnerabilities in restful APIS (2016). https://2016.appsec.eu/wp-content/uploads/2016/07/AppSecEU2016-Scott-Davis-Scanning-with-Swagger.pdf
Homer, A., Sharp, J., Brader, L., Narumoto, M., Swanson, T.: Cloud Design Patterns. Microsoft Press (2014)
Roschke, S., Cheng, F., Schuppenies, R., Meinel, C.: Towards unifying vulnerability information for attack graph construction. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 218–233. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_18
Wang, L., Ma, R., Gao, H.R., Wang, X.J., Hu, C.Z.: Analysis of vulnerability correlation based on data fitting. In: Xu, M., Qin, Z., Yan, F., Fu, S. (eds.) CTCIS 2017. CCIS, vol. 704, pp. 165–180. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-7080-8_13
Torkura, K.A., Meinel, C.: Towards cloud-aware vulnerability assessments. In: 2015 11th International Conference on Signal-Image Technology & Internet-Based Systems (SITIS) (2015)
Torkura, K.A., Sukmana, M.I. Cheng, F., Meinel, C.: Leveraging cloud native design patterns for security-as-a-service applications. In: 2017 IEEE International Conference on Smart Cloud (SmartCloud) (2017)
Bau, J. Bursztein, E., Gupta, D. Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: IEEE Symposium on Security and Privacy (SP), pp. 332–345. IEEE (2010)
Wolff, E.: Microservices: Flexible Software Architecture. Addison-Wesley Professional, Boston (2016)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C. (2018). CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_26
Download citation
DOI: https://doi.org/10.1007/978-3-030-01701-9_26
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01700-2
Online ISBN: 978-3-030-01701-9
eBook Packages: Computer ScienceComputer Science (R0)