Radio Cloud Native - Week of May 25, 2022

Eric Gregory & Nick Chase - May 26, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week they discussed:

Follow Mirantis on LinkedIn to receive our announcement of the next show's broadcast.

Broadcom to acquire VMware

Nick Chase: Reports are that Broadcom will announce tomorrow that it will acquire VMware for $60 billion.  So...that's a bit of news that needs picking apart.

First of all, it wasn't that long ago -- that is, just 6 months ago -- that we were reporting that Dell was spinning VMware out as an independent company. At the time we went over the history of the company, and its many twists and turns as far as being private and public and owned by this company or that one.  But the important thing here is that at the time, it was supposed to have a value of approximately $64 billion.

No word on why there's such a discrepancy in the values, but the interesting part is why a company like Broadcom would choose to buy a virtualization company like VMware in the first place.

Docker acquires Tilt

Eric Gregory: In other acquisition news, Docker Inc announced that it had acquired microservices development toolkit Tilt, bringing both the team and the project onboard. Tilt’s big focus is managing and coordinating dev environments for building microservices that run on Kubernetes. In Docker’s blog announcing the move, Tilt CEO Nick Santos says, quote, “We don’t know yet where this will take us. Maybe you’ll see Tilt & Kubernetes features in Docker Compose. Or maybe you’ll see Docker Desktop features in Tilt.”

KubeCon Europe 2022 in Review

Eric Gregory: Last week was KubeCon Europe 2022. Some of our colleagues were on hand to talk about Lens, Mirantis Kubernetes Engine, and more – if you were there, hopefully you got a chance to chat with them at the Mirantis booth. Nick and I tuned in virtually–we talked a bit about the announcement of Envoy Gateway on last week’s show, but this week we have the whole conference behind us and we can look back at some highlights. 

Security was a major trend running throughout the conference. The CNCF Technical Advisory Group released two new resources: an update to their Cloud Native Security whitepaper, and a reference architecture for a “Secure Software Factory.”

The Cloud Native Security whitepaper update adds a threat matrix for containers and specific use-cases dealing with ransomware incidents – which, you know, we talked about in-depth last week, and it’s only getting more important. 

In addition, the update delves into Supply Chain Security, as you’d expect, talking about the importance of Software Bills of Materials and secure CI/CD systems. Here, we see some notable crossover with the ten-point open source security plan put forward earlier this month by the CNCF’s sister organization, the Open Source Security Foundation. The OSSF also emphasized Software Bills of Materials and noted that they’re nowhere near the level of adoption you’d want to see. I definitely recommend checking out the OSSF plan, which emerged out of the White House meeting on open source security in January. It’s an ambitious plan–like, estimated cost of almost $150 million ambitious–and calls for things like replacing key components written in non-memory-safe languages like C and C++, hardening critical build systems and package managers, advancing use of software signing, and educating developers on security.

But getting back to the Cloud Native Security whitepaper, the May 2022 update also adds a section on the security dimensions of GitOps, discussing both security benefits of a declarative single source of truth and the contingencies you’re going to want to consider if you’re using GitOps, like limiting access and permissions and enforcing branch policy. Overall, well worth rereading, and there’s a nice changelog so you can quickly take in the new stuff.

And speaking of new stuff, the Secure Software Factory reference architecture is 100% fresh new documentation. The “Factory” terminology basically refers to creating a secure build pipeline, and this new resource aims to provide a comprehensive open source and cloud native architecture for verifying the provenance of software in your system. The premise here is that this is a foundational, sine qua non step for supply chain security–it might not be sufficient, but it’s necessary to pursue additional steps effectively. 

Taking a step back from security and looking at an even bigger picture, the CNCF also announced the release of the Cloud Native Maturity Model, which was formally unveiled by the Cartografos Working Group at KubeCon. The Cloud Native Maturity Model is aimed at giving folks who are looking at a cloud native move some guidance and some scaffolding for that journey. The full model is located on GitHub and organized into six documents covering People, Process, Technology, and Business Outcomes, along with a Prologue document that sets the stage. Overall, the model tries to capture essential dimensions of cloud native transformation, touching on everything from CI/CD to security to the social and organizational aspects of the move.

Nick Chase: Some additional security news out of KubeCon:

  • Pure Storage is adding anti-ransomware object locking in its Portworx PX-Backup product. Object locking helps protect against ransomware attacks by locking away copies of your data so you can use it to restore if necessary.

  • Financial services company Citi, as in Citibank, is donating its prototype software supply chain security guidelines to OpenSSF's $150 million campaign.

  • Secure Software Factory is a prototype toolchain that combines open source projects such as Tekton and Kyverno and follows CNCF best practices. When CNCF created a whitepaper last year setting out those best practices, it didn't specify which tools to use, so Citi engineers did the work of putting together a package, and now it's available as the Secure Software Factory project.

  • Application security testing startup Oxeye Ltd. has announced its Cloud Native Application Security Testing platform is now Generally Available. SiliconAngle reports that the platform "identifies custom code and open-source vulnerabilities and software secrets to reveal the critical, exploitable security issues as an integral part [of] the software development lifecycle. The platform is said to deliver developers and application security teams clear insights that accelerate proper mitigation."

  • KubeCon also saw the launch of Deepfence Cloud, a managed cloud service through which IT teams can discover vulnerabilities in their runtime environments.  Owen Garrett, head of products and community for Deepfence, told ContainerJournal that Deepfence Cloud is based on the ThreatStryker platform the company built to observe indicators of attack and compromise.

  • Trilio announced a technical preview of its new “Continuous Restore” capability. Continuous Restore offers faster levels of replication, restoration and migration of data and metadata from any storage or cloud platform to another, dramatically improving recovery times for cloud-native applications.

  • Entirely storage-, cloud- and distribution-agnostic, Trilio’s “Continuous Restore” capability will enable users to continuously stage data at multiple and heterogeneous clouds. This means that applications—regardless of where they reside—will be able to tap into that data and be brought online in seconds, achieving exceptional levels of Recovery Time Objectives (RTO). The capability will be introduced as part of the TrilioVault for Kubernetes cloud-native data protection and management platform.

Eric Gregory: In the world of telco, the CNCF is trying to make it easier for Communications Service Providers—such as telcos—to take advantage of cloud native technologies such as Kubernetes, so they've announced the Cloud Native Network Function (CNF) Certification Program to help these organizations identify which Network Equipment Providers (NEPs) follow cloud native best practices.

CNFs are applications that implement or facilitate network functionality in a cloud native way. CSPs and other telecom organizations are migrating away from traditional Virtual Network Functions (VNFs) toward CNFs and Kubernetes-based infrastructures that provide service reliability while lowering capital and operating expenses and encouraging cross-cloud compatibility. The program will enable NEPs and CNF creators to demonstrate the adoption of cloud native best practices in their networking products.

Nick Chase: The CNCF announced a couple of courses and certifications. First is the Prometheus Certified Associate (PCA) exam, a pre-professional certification designed for engineers or application developers with special interests in observability and monitoring within the Prometheus ecosystem.

It's modeled after Kubernetes certifications such as KCNA, CKA, or CKAD and is intended for candidates who have passed these certifications or have completed Prometheus-specific training or Cloud Engineer bootcamps. The exam is now in Beta testing and will be generally available later in 2022. 

But what I find interesting is the new "Ethics in Open Source Development", a new course which is intended to enable students to think about the real implications of the development they do, both in terms of software and hardware.  According to the CNCF blog, "As we build new software and other technologies, we do not often consider the ethical implications of these tools. Considerations like how a piece of code may be used by a malicious actor, whether a hardware design could be modified for a nefarious purpose, or simply how an algorithm might affect different classes of person differently are not always top of mind. However they should be. That is why Linux Foundation Training & Certification has partnered with the Cloud Native Computing Foundation (CNCF) and Ethical Intelligence to develop a free online training course, “Ethics in Open Source Development”.

"The course is designed primarily for product managers who want to learn how to effectively incorporate ethics-by-design techniques into their workflows, and developers wanting to apply ethics through critical thinking techniques and proven mental frameworks. It explores how to operationalize ethics as a tool for efficient and effective decision-making when developing and using open source technology as you explore critical thinking techniques and proven mental frameworks."

Security group: Over 380,000 Kubernetes API servers are open to the Internet

Eric Gregory: Last week, a nonprofit security group called the Shadowserver Foundation reported on its research finding that more than 380,000 Kubernetes API servers are open to the Internet at large in some form. Specifically, the API instances responded to probes with a 200 OK HTTP response. While the Shadowserver Foundation notes that not all of these internet exposures represent a vulnerability, they suggest that many, many, many of them are probably not deliberate and represent, quote, “an unnecessarily exposed attack surface.” 

Perhaps most strikingly, the roughly 380,000 figure comes out of a total of 454,729 analyzed instances, which means about 84% of all instances are open. Of these open instances, over 50% are hosted in the United States. Suggested mitigation is pretty simple – the Shadowserver Foundation recommends blocking or controlling access at the firewall level.

DOJ: Good faith hackers can breathe easier

There was some good news for security volunteerism in general – the U.S. Department of Justice said last week that it will no longer prosecute security researchers and hackers who are demonstrably working in good faith to harden security. Previously, such researchers could easily be charged under the Computer Fraud and Abuse Act. The new directive defines good faith research and hacking as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

CISA tells federal agencies to patch VMware products or stop using them

In a very different sort of federal directive, last week the U.S. Cybersecurity and Infrastructure Security Agency (or CISA) told federal agencies to apply security patches to several VMware products immediately or stop using them. The products in question are Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, vRealize Suite Lifecycle Manager and VMware Cloud Foundation. This comes after the revelation of a critical vulnerability (CVE-2022-22972) that could allow a malicious actor to bypass authentication and obtain admin access. That’s a particularly big problem for Cloud Foundation, since it manages hybrid multicloud setups. 

The emergency directive from CISA includes instructions on patching, and we’ll share it in chat and in the show notes. Agencies were ordered to patch or pull affected products from production by May 23rd.