CAVAS: Neutralizing application and container security vulnerabilities in the cloud native era


Abstract

The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. This has increased interest in application container counter-measures, e.g. detection and mitigation of the high number of vulnerabilities affecting container images, in particular images hosted on DockerHub. However, investigations of application-layer vulnerabilities in Microservice Architectures (MSA) such as Cloud Native Environments (CNE) are lacking. In this paper, we investigate both image-layer and application-layer vulnerabilities and apply vulnerability correlation to understand the dependence relationships between vulnerabilities found in these layers. The outcome of this analysis offers insights applicable to risk management and security hardening of microservices, e.g. deployment of vulnerability-correlation-based security policies that are useful for vulnerability detection, risk prioritization and resource allocation. Our prototype implementation extends our previous security system, the Cloud Aware Vulnerability Assessment System (CAVAS), which employs the Security Gateway concept for security policy enforcement. The Security Gateway leverages the client-side discovery and registry cloud pattern for discovering microservices and the notion of dynamic document stores for exploring and testing RESTful microservices. Our experimental evaluation shows that the Security Gateway's vulnerability detection rate outperforms that of traditional testing approaches by 31.4%. We also find that about 26.2% of the severity metrics for vulnerabilities detected by image security scanners are incorrect; correcting this information is therefore a prerequisite step to vulnerability correlation. Our proposal can thus be employed for efficient continuous security and risk assessment in CNE.

Citation (APA)

Torkura, K. A., Sukmana, M. I. H., Cheng, F., & Meinel, C. (2018). CAVAS: Neutralizing application and container security vulnerabilities in the cloud native era. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 254, pp. 471–490). Springer Verlag. https://doi.org/10.1007/978-3-030-01701-9_26
