Just Released: Kube-Scan Open Source Scanning Tool for Kubernetes
- By John K. Waters
A startup focused on Kubernetes security has released an open source risk assessment tool for the popular container orchestration platform. Cloud-native app security provider Octarine's Kube-Scan is a cluster risk assessment tool for developers that scans Kubernetes configurations and settings to identify and rank potential vulnerabilities in applications in minutes.
The tool's risk score is based on Octarine's own Kubernetes Common Configuration Scoring System (KCCSS), a framework similar to the widely used Common Vulnerability Scoring System (CVSS). The KCCSS is similar to the CVSS, but it focuses on the configurations and security settings themselves. As the company explains it on GitHub:
Vulnerabilities are always detrimental, but configuration settings can be insecure, neutral, or critical for protection or remediation. KCCSS scores both risks and remediations as separate rules and allows users to calculate a risk for every runtime setting of a workload and then to calculate the total risk of the workload.
The KCCSS was designed to show the potential impact of risky configuration settings in three areas: confidentiality (exposure of PII, potential access to secrets, PII, et cetera), integrity (unwanted changes to the container, host or cluster such as being able to change the runtime behavior, launch new processes, new pods, et cetera) and availability (exhaustion of resources, Denial of Service, et cetera).
To rate a risk, the KCCSS takes into account the "blast radius," the company explained -- in other words, is the risk limited to the container or can it affect the entire cluster -- as well as the ease of risk exploitation and whether an attack would require local access or can be executed remotely. "It combines all of the security risks associated with a workload, along with the required remediations, to attribute an overall risk score to the workload," the company says.
Both the scoring formula and the risk and remediation rules are open source and available on GitHub. The list of rules can be expanded to include vendor-specific remediations, risks and remediations for different Kubernetes distributions or cloud providers, as well as risks and remediations for additional tools installed. The company is keen to build a community around KCCSS and is encouraging "any kind of contribution, review of existing rules, new rules, better formulas, and so on."
"We designed KCCSS to be easily expanded by others," said Julien Sobrier, head of Octarine's product group, "whether they are security vendors, open-source developers or Kubernetes users. You can easily add rules to represent risks or remediations brought by different Kubernetes tools and services to ensure you have a comprehensive view of your security posture. We welcome all contributions from the community and other vendors, so please join us to make improvements to existing rules, create new generic Kubernetes rules, vendors rules, etc."
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].