Kubernetes flaw shows API security is no ‘set & forget’ deal

When a report surfaced last month detailing a ‘severe vulnerability’ in Kubernetes, the popular, open-source software for managing Linux applications deployed within containers, many of us will have wondered what the deeper implications of this alleged flaw might be.

Although the flaw was quickly patched, it allowed any user to escalate their privileges to access administrative controls through the Kubernetes API server.

As the report linked above explains, with this access an attacker can create requests authenticated by Kubernetes’ own Transport Layer Security (TLS) credentials and mess with any container running on the same pod.

Senior principal consultant at Synopsys Andrew van der Stock spoke to the Computer Weekly Open Source Insider blog to explain that although APIs greatly reduce the friction of doing business, securing APIs should be the focus of every organisation that uses them.

“APIs can be difficult to test by traditional security testing tools and approaches — and to a certain extent, the security industry has not kept up, primarily because most are not developers themselves,” claimed van der Stock.

Shift left

He recommends that the security industry shift left, adopt the same tooling as developers… and write unit and integration tests that fully exercise APIs, particularly those that have the potential to alter the state of an application or extract bulk personal information.

“Organisations publishing APIs for public consumption should carefully select design and technical controls to protect against known threats, including anti-automation, and far better monitoring to detect breaches. APIs are designed to be called after all, and when they function without errors, monitoring cannot just be of failed attempts, but also include threshold breaches around extensive and sustained access to sensitive records or changes to configuration,” said van der Stock.
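One way to act on that monitoring recommendation, as an added example that is not from the article or from Synopsys: a small Python detector run over constructed, simplified Kubernetes-style API audit records. The record fields, the resource sets, the read threshold and the window length are assumptions for illustration; the point is that it skips failed requests and instead flags sustained successful reads of secrets and any successful change to cluster configuration.

```python
import json
from collections import defaultdict
from datetime import datetime
# Thresholds, resource sets and the record schema are assumptions for this
# example; tune them to the API and the data it exposes.
SENSITIVE_RESOURCES = {"secrets"}
CONFIG_RESOURCES = {"configmaps", "clusterrolebindings", "rolebindings"}
READ_THRESHOLD = 3      # successful sensitive reads per user per window
WINDOW_SECONDS = 300    # length of the sliding window

def parse_events(lines):
    """Parse JSON-lines audit records (simplified, constructed schema)."""
    events = [json.loads(l) for l in lines if l.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return alerts for API calls that succeeded but look suspicious."""
    alerts = []
    reads = defaultdict(list)  # user -> timestamps of successful sensitive reads
    for ev in events:
        if ev["code"] >= 400:
            continue  # failed calls are logged elsewhere; this rule watches successes
        user, verb, res = ev["user"], ev["verb"], ev["resource"]
        if verb in ("get", "list") and res in SENSITIVE_RESOURCES:
            window = reads[user]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)  # forget reads outside the sliding window
            if len(window) >= READ_THRESHOLD:
                alerts.append(("sustained_sensitive_read", user, len(window)))
                window.clear()  # one alert per burst, not one per extra read
        elif verb in ("create", "update", "patch", "delete") and res in CONFIG_RESOURCES:
            alerts.append(("config_change", user, res))
    return alerts

# Constructed sample records: a burst of secret reads (one of them denied),
# one RBAC change, and a lone read that should stay below the threshold.
SAMPLE = """\
{"ts": "2019-01-10T10:00:00", "user": "dev-bot", "verb": "get", "resource": "secrets", "code": 200}
{"ts": "2019-01-10T10:00:30", "user": "dev-bot", "verb": "list", "resource": "secrets", "code": 200}
{"ts": "2019-01-10T10:00:45", "user": "dev-bot", "verb": "get", "resource": "secrets", "code": 403}
{"ts": "2019-01-10T10:01:00", "user": "dev-bot", "verb": "get", "resource": "secrets", "code": 200}
{"ts": "2019-01-10T10:02:00", "user": "admin", "verb": "patch", "resource": "clusterrolebindings", "code": 200}
{"ts": "2019-01-10T10:30:00", "user": "dev-bot", "verb": "get", "resource": "secrets", "code": 200}
"""
def run():
    return detect(parse_events(SAMPLE.splitlines()))
```

The denied read at 10:00:45 does not count towards the burst, and the lone read at 10:30 falls outside the window, so only the three-read burst and the RBAC change are reported.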

No ‘set-&-forget’

The fact is, breaches such as these can be deterred and detected by well-configured API gateways, but gateways are not a ‘set-&-forget’ security defence; they have to be carefully and continuously monitored.

The Synopsys consultant recommends the upcoming OWASP Application Security Verification Standard 4.0, OWASP Serverless Top 10, API cheat sheets and other API specific projects.

API monitoring is the entire point of Open Web Application Security Project (OWASP) Top 10 A10:2017 – Insufficient monitoring and logging.

Synopsys’ van der Stock: API gateways must be carefully and continuously monitored.