Pandora’s Box

In ITC's Threat of the Week

At the ITC Cyber Summit this year, which was well attended and according to feedback “interesting”, we made some predictions for the coming year. Amongst them was this:

Containerisation, Cloud and Agile, what could possibly go wrong?

There is a furious rush to migrate to cloud-based containerised services and to develop applications at breakneck speed, amongst other things to satisfy the demand for B2C rather than B2B solutions. Security, architectural and operational, appears to be at most an afterthought in many cases. This will end in tears.

One or more large breaches will be directly due to a cloud migration. A can of worms will be exposed and the regulator will reach for the hairbrush of spanking.

As you probably know, Pandora’s box is “A present which seems valuable but which in reality is a curse”. In our opinion, containerisation is exactly that.

The rush to optimise compute cycles and leverage unicorns such as Amazon’s Lambda (serverless compute, don’t you know!) is leading to an implicit trust of the delivery architecture, be it Docker, Kubernetes or integrated platforms like MuleSoft.

We know that the code at the core of most of these platforms is old-school Unix/Linux shizzle, most probably open source and exploited for profit, so it came as no surprise to us that a piece of core containerisation code has a massive bug in it that enables a regular, supposedly isolated guest container to break out and access the host underneath it: the motherlode.

As regular readers will know, we do not do Fear, Uncertainty and Doubt marketing. However, we do know that rapid deployment and delivery cycles rely on this sort of underlying technology, which is assumed to be secure and stable. That is a huge mistake and as we have said before will most certainly end in tears.

Please do not let these be yours.

Enterprise architects (tortoises) need to catch up with agile developers (hares) before the assumptions of platform integrity become a full-on house built of straw.

All of these branded solutions use common code. One bug = pandemic. Appropriate architectural and security controls, boring as they may seem, must apply.
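What do those boring controls look like in practice? A container runtime bug turns into a host compromise fastest when the container was already handed most of the host: privileged mode, shared host namespaces, extra capabilities, the Docker socket bind-mounted in, root inside. The following audit is an added example written for this post (not ITC's tooling, and not tied to the unnamed bug above): it reads the JSON that `docker inspect` produces and flags the settings that make a guest container escape cheap. The two containers in `SAMPLE_INSPECT` are constructed for illustration; the field names (`HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.Binds`, `Config.User` and so on) are the ones `docker inspect` actually emits, and the thresholds for "dangerous" are our assumptions.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `docker inspect <container>` output, trimmed
# to the fields this audit reads. Neither container is real.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/billing-api",
        "Config": {"User": "", "Image": "billing-api:1.4"},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "",
            "NetworkMode": "bridge",
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "ReadonlyRootfs": False,
        },
    },
    {
        "Id": "bbb222",
        "Name": "/web-frontend",
        "Config": {"User": "app", "Image": "web-frontend:2.0"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "CapAdd": None,
            "Binds": ["/srv/static:/usr/share/nginx/html:ro"],
            "ReadonlyRootfs": True,
        },
    },
])

# Host paths that, bind-mounted into a container, hand it the host (our list, an assumption).
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")
# Capabilities that are effectively host root once a runtime bug is in play (our list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _is_sensitive_path(src: str) -> bool:
    """True if a bind-mount source is, or lives under, a sensitive host path."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(container: Dict) -> List[str]:
    """Return the list of isolation-weakening findings for one `docker inspect` entry."""
    findings: List[str] = []
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}

    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, isolation is nominal")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"dangerous capability added: {cap}")
    for bind in host.get("Binds") or []:
        # Binds are "host_src:container_dst[:options]".
        if _is_sensitive_path(bind.split(":")[0]):
            findings.append(f"sensitive host path mounted: {bind}")
    if (cfg.get("User") or "").strip() in ("", "0", "root"):
        findings.append("runs as root inside the container")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    return findings


def audit_inspect_json(raw: str) -> Dict[str, List[str]]:
    """Audit every entry of a `docker inspect` JSON array, keyed by container name."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw)}


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_INSPECT  # fall back to the constructed sample
    for name, findings in audit_inspect_json(data).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, `billing-api` collects five findings (privileged, SYS_ADMIN, the Docker socket, root, writable rootfs) while `web-frontend` is clean. Every one of those findings is a decision a developer made in a compose file or Helm chart, which is the point: the platform bug is not yours to fix today, but the blast radius is.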

If you are a Black Belt Scrum Master on a mission from God, and wish to discuss buying a bigger shovel, please contact us at: [email protected] or call 020 7517 3900.

Author: Kevin Whelan
