Smelling Homemade Crypto Code in Microservices, with KubeHound

  • Conference paper
  • Service-Oriented Computing – ICSOC 2023 Workshops (ICSOC 2023)

Abstract

Microservices are pervading enterprise IT, and securing them has hence become crucial. KubeHound is an open-source tool devised for this purpose: it detects instances of so-called security smells in microservice applications deployed with Kubernetes. KubeHound features plugin-based extensibility, meaning that its smell detection capabilities can be extended by developing plugins that implement additional smell detection techniques. In this demo paper, we illustrate how to extend KubeHound with plugins that detect two different instances of the own crypto code security smell, whose detection was not yet featured by KubeHound. We also show the practical use of the newly added plugins by applying them to case studies, two of which are based on existing, third-party microservice applications.

Notes

  1. A video showing how to run KubeHound with the newly added plugins is publicly available online: https://youtu.be/3lSC7pO2vmQ.
  2. The implementation of the plugins is publicly available on GitHub: https://github.com/di-unipi-socc/kube-hound/tree/master/kube_hound/builtin_analyses.
  3. https://github.com/di-unipi-socc/kube-hound/tree/master/data/examples.
  4. https://github.com/di-unipi-socc/kube-hound/tree/master/data/examples/sourcecode_mock.
  5. https://github.com/di-unipi-socc/kube-hound/blob/master/data/examples/sourcecode_mock/config.yaml.

Acknowledgments

This work has been partly supported by the research project FREEDA (CUP: I53D23003550006), funded by MUR (Italy) under the framework PRIN 2022.

Corresponding author

Correspondence to Jacopo Soldani.

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Howard-Grubb, T., Soldani, J., Dell’Immagine, G., Fontana, F.A., Brogi, A. (2024). Smelling Homemade Crypto Code in Microservices, with KubeHound. In: Monti, F., et al. Service-Oriented Computing – ICSOC 2023 Workshops. ICSOC 2023. Lecture Notes in Computer Science, vol 14518. Springer, Singapore. https://doi.org/10.1007/978-981-97-0989-2_27

  • DOI: https://doi.org/10.1007/978-981-97-0989-2_27

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-0988-5

  • Online ISBN: 978-981-97-0989-2

  • eBook Packages: Computer Science, Computer Science (R0)