Over the course of building and deploying cloud-native applications, the goals of developer and security teams will frequently seem at odds with each other. The former is a force for expediting application delivery, and the latter is sometimes viewed as a hindrance to the innovation engine. More accurately, in their effort to mitigate risk, security teams become gatekeepers, and the slowdown is a byproduct of that gatekeeping. In reality, both security and a lack of security have the potential to slow down innovation.
Research shows that security concerns, when unaddressed, lead to delays in application deployments. DevSecOps, as a discipline, rejects the dichotomy between infosec and dev teams by literally inserting security between the dev and ops teams. DevSecOps treats security as a shared responsibility across teams and is predicated on embedding security tooling and processes into the existing development and operations (DevOps) workflows with as much automation as is feasible.
In a previous blog post, we covered the defining elements of DevSecOps and how you can start implementing the core pillars. What follows here is a non-comprehensive list of open-source DevSecOps tools that can help you get started with building, deploying, and running more secure containerized applications in Kubernetes.
Anchore
Anchore is an open-source image scanner and vulnerability management tool that detects known vulnerabilities in Docker images. Anchore Toolbox is a set of standalone open-source tools that includes Syft and Grype. Syft can generate a software bill of materials by looking at your images and filesystems while Grype scans images for vulnerabilities. When combined with Anchore Engine and integrated into your CI/CD tooling, users can automate security policy assessment and enforcement in their existing workflows. With a Kubernetes admission controller, Anchore can scan container images in your build and runtime stages.
Use cases for Anchore
- Image vulnerability scanning
- Policy enforcement
- Software bill of materials for container images
Checkov
Checkov is an open-source static analysis tool that helps enforce security and compliance policies for AWS, Azure, and Google Cloud. Checkov helps prevent cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes, and other infrastructure-as-code systems. Since user-driven misconfigurations are a leading security concern, Checkov can be a crucial tool for lowering your workload risk.
Use cases for Checkov
- Infrastructure-as-code scanning
- Cloud configuration management
- Compliance
Clair
Clair is an open-source container image vulnerability scanner and static analysis tool for Docker containers. Clair is utilized in the open source project Quay, a stand-alone container registry. If you are looking to avoid the cost of the commercial option, Clair is a great place to start, especially since Clair is the open source building block for many commercial container scanning solutions.
Use cases for Clair
- Image vulnerability scanning
Falco
Falco is an incubating CNCF open-source project that provides runtime visibility and introspection by consuming kernel events, enriching them with Kubernetes metadata, and notifying users when the observed Linux system calls violate a policy. Falco is a popular project and is used in the Certified Kubernetes Security Specialist (CKS) exam to assess test takers' ability to inspect runtime events.
Use cases for Falco
- Runtime container analysis
- Threat detection
Kube-bench
Kube-bench is an open source security tool that runs checks to ensure Kubernetes is deployed in adherence to the CIS Kubernetes Benchmark. Kube-bench is best utilized for compliance in on-premises environments, since managed Kubernetes clusters protect the control plane components themselves to guarantee uptime, high availability, and SLAs. Kube-bench is also featured in the CKS exam.
Use cases for kube-bench
- Configuration management
- Compliance
Kube-hunter
Whereas kube-bench checks how Kubernetes itself is deployed, kube-hunter probes the running cluster to detect exploitable misconfigurations, such as an exposed Kubernetes Dashboard. It runs a set of active and passive tests that show where your misconfigurations lie. You can run kube-hunter from outside the cluster, on a cluster machine, or as a pod in the cluster. Each scenario gives you a different perspective on your cluster's security posture.
Use cases for kube-hunter
- Configuration management
- Risk and impact
KubeLinter
KubeLinter is a static analysis tool for Kubernetes YAML files and Helm charts that helps ensure they follow best practices for production readiness and security. KubeLinter ships with a handful of default checks and can also be configured to run custom checks. Developed as a Go binary, using the same packages as kubectl, KubeLinter is more straightforward than other policy tools and focuses on developer use and CI integration. KubeLinter uses config files so that teams can scale their policies across their CI applications.
Use cases for KubeLinter
- Configuration management
- YAML/Helm chart linting
Open Policy Agent
Open Policy Agent (OPA) is a graduated CNCF open source project that enables users to standardize their policy creation and enforcement using OPA’s general-purpose policy engine. Besides Kubernetes, OPA can enforce policies when using cloud-native technologies such as Envoy, Terraform, and Kafka. OPA policies can even be translated into SQL to enforce rules within your database.
Use cases for Open Policy Agent
- Policy enforcement
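As an added illustration of the kind of policy OPA enforces for Kubernetes (not code from the original post or from the OPA project), the following Rego rules evaluate an AdmissionReview request and deny Pods that run privileged containers or share the host network. The package name `kubernetes.admission` and the `deny` rule name are assumptions; they would need to match whatever path the admission webhook queries.

```rego
# Added example policy; package and rule names are assumptions.
package kubernetes.admission

# Only Pod admission requests are evaluated by the rules below.
is_pod {
    input.request.kind.kind == "Pod"
}

# Deny any container that asks for the privileged flag, which
# grants it the host's device and capability set.
deny[msg] {
    is_pod
    some i
    container := input.request.object.spec.containers[i]
    container.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [container.name])
}

# Deny Pods that join the node's network namespace, which exposes
# host-local services and bypasses network policy.
deny[msg] {
    is_pod
    input.request.object.spec.hostNetwork == true
    msg := "pod must not use hostNetwork"
}
```

The policy can be exercised offline with `opa eval -d policy.rego -i admission_review.json "data.kubernetes.admission.deny"`, where `admission_review.json` is a saved AdmissionReview request; an empty result set means the Pod is allowed.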
Terrascan
Terrascan is an up-and-coming open source solution built on top of OPA. Terrascan ships with over 500 policies for security best practices across various targets, including Terraform, Kubernetes (JSON/YAML), AWS, Azure, GCP, and GitHub. Terrascan shows the value of the OPA engine and extends it by recommending sensible defaults instead of requiring users to write Rego themselves.
Use cases for Terrascan
- Configuration management
- YAML/Helm chart linting
To Summarize
When implemented correctly, DevSecOps principles are integrated continuously across the software development life cycle, shift security responsibility further to the left to minimize the operational overhead of bolting on security controls later, and enable developers and DevOps end users to become security users who can enforce security controls within their own workflows independently.
With the emergence of cloud-native technologies like Kubernetes as the standard for managing applications in cloud and hybrid environments, security teams need to understand these technologies sufficiently to establish appropriate guardrails and controls. DevOps teams have to integrate robust security protections in the workflows and toolchains they use to provision infrastructure and build software applications in Kubernetes environments. When combined with the right people and processes, this list of open-source security tools can help your organization fulfill these aims and automate security in new and better ways.