Kubernetes Security Plagued by Human Error, Misconfigs


Container orchestration is hard enough — yes, we’re looking at you Kubernetes — but properly securing container and Kubernetes environments catapults deployment into another universe of complexity. Findings from StackRox’s latest “State of Container and Kubernetes Security Report” indicate that human error and misconfigurations are the primary culprits for Kubernetes security snafus.

Assisted by research and advisory firm 451 Research, StackRox polled more than 540 Kubernetes and container users across IT security, DevOps, engineering, and product roles.

The survey found that 94% of respondents had experienced at least one container security incident in the past 12 months, and that 44% of respondents had delayed moving applications into production because of security concerns, in what StackRox’s VP of marketing Michelle McLean called “two likely related findings.”

Exposures and data breaches due to misconfigurations — a result of human error — trump all other security concerns in what StackRox said has become an “alarmingly common” trend.

“The nearly universal experience of having suffered a security incident, delays in application rollouts because of security concerns, and a steep learning curve are all limiting the ability of these companies to realize the benefits of the cloud-native stack,” McLean added.


Kubernetes Complexity
The study drew significant attention to the complexity of Kubernetes and to the challenges with configuring it securely, McLean said.

Sixty-one percent of respondents cited misconfigurations as the source of risk they’re most concerned about, compared to the 27% who identified vulnerabilities as their biggest concern and the 12% who named attacks as their top concern.

“People understand that Kubernetes has a lot of knobs and dials, and it’s easy to get it wrong — and misconfigurations also represent the security risk they’ve experienced more than any other,” McLean added.

Companies are as quick to jump on the container bandwagon as they are to condemn its security shortcomings, which, in many ways, is as reckless as cutting bangs without considering the constant maintenance they require.

Findings from the survey are a clear indication that organizations are putting at risk the core benefit of faster application development and release by not ensuring their cloud-native assets are built, deployed, and running securely.

“With the prevalence of misconfigurations across organizations, security must shift left to be embedded into DevOps workflows instead of ‘bolted on’ when the application is about to be deployed into production,” the report said.
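What “shifting left” looks like in practice is a check that runs over manifests at build or deploy time, before anything reaches a cluster. The following is an added example and not StackRox’s tooling or anything from the report: a small Python linter for a handful of well-known Pod hardening settings (host namespaces, privileged mode, root, privilege escalation, capabilities, read-only root filesystem, image tags, resource limits, automounted service-account tokens). The two manifests are constructed inline for illustration; a real pipeline would load them from YAML (for example with `yaml.safe_load`) and fail the job when `gate()` returns False.

```python
"""Minimal shift-left check for common Kubernetes Pod misconfigurations.

Added example, not StackRox's tooling. The rule set is a hand-picked
selection of widely recommended hardening settings; both manifests below
are constructed for illustration and are not from the article.
"""
from typing import Any, Dict, List

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job")


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or for a controller's pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    raise ValueError(f"unsupported kind: {kind}")


def _image_is_pinned(image: str) -> bool:
    # Look only at the last path component so a registry port (host:5000/app)
    # is not mistaken for a tag. A digest (@sha256:...) counts as pinned.
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the manifest passed."""
    findings: List[str] = []
    spec = _pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} is true (shares a host namespace)")

    # The default service account's token is mounted into every pod unless
    # disabled; a compromised container then holds a usable API credential.
    if spec.get("serviceAccountName") in (None, "default") and \
            spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: default service account token is automounted")

    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))
    for c in containers:
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # runAsNonRoot can be set at pod level; the container-level value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}/{cname}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}/{cname}: does not drop all capabilities")
        image = c.get("image", "")
        if not _image_is_pinned(image):
            findings.append(f"{name}/{cname}: image {image!r} is untagged or :latest")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}/{cname}: no resource limits")
    return findings


def gate(manifests: List[Dict[str, Any]]) -> bool:
    """CI gate: True only if every manifest passes with no findings."""
    return all(not check_pod(m) for m in manifests)


# Constructed manifest that a hurried developer might commit.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# The same workload with the weak settings corrected (also constructed).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "serviceAccountName": "web",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "nginx:1.25.3",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for m in (WEAK_POD, HARDENED_POD):
        for finding in check_pod(m) or [f"{m['metadata']['name']}: OK"]:
            print(finding)
```

Running the block prints nine findings for `web-weak` and `OK` for `web-hardened`; wiring `gate()` into a pre-merge check turns each of those findings into a failed build rather than a runtime exposure. The rule set is deliberately small; admission controllers and policy engines cover far more, but the point is where the check runs, not how many rules it has.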

Security: A Kubernetes Nightmare
Following a year of numerous security bugs within the Kubernetes ecosystem and the first security audit of Kubernetes, commissioned by the Cloud Native Computing Foundation (CNCF), which hosts the open source platform, continued widespread adoption has seen security become something of an afterthought.

However, if security concerns continue inhibiting business innovation, does that fall on businesses for neglecting security practices or the market for not providing them with the tools to confidently secure their deployments?

“People just get security wrong sometimes,” McLean said. “Companies need a combination of increased learning, cross-pollination, new tooling, and updated processes to identify and remediate these security ‘mistakes’ during build and deploy vs. waiting for exposure during runtime.”
