The open source tool enables cloud security teams to quickly respond to new CVEs in third-party Kubernetes tools
San Francisco, CA, May 9, 2023 – Kubernetes Security Operations Center (KSOC) announced today the release of the first ever Kubernetes Bill of Materials (KBOM) standard. Available in an easy, open source CLI tool, this KBOM enables cloud security teams to understand the scope of third party tooling in their environment so they can respond quicker to new vulnerabilities, which have become frequent in recent months. Despite the large third party ecosystem of tools for Kubernetes, Kubernetes has been largely ignored when it comes to compliance regulations for the software supply chain.
In the last months, new vulnerabilities have come up in varied Kubernetes tooling like Crossplane (rated High), the Jenkins plugin (rated Medium), CubeFS, and Clusternet. While the Software Bill of Materials (SBOM) has moved forward to the point of being a formal part of the NIST requirements required by the USA federal government in federal purchases, this requirement falls short of the deployment stage in the application development lifecycle, where Kubernetes into play.
“Kubernetes is orchestrating the applications of many of the biggest business brands we know and love. Adoption is no longer an excuse, and yet from a security perspective we continually leave Kubernetes itself out of the conversation when it comes to standards and compliance guidelines, focusing only on activity before application deployment, “ says KSOC CTO and Co-founder Jimmy Mesta. “We are releasing this KBOM standard as a first step to getting Kubernetes into the conversation when it comes to compliance guidelines. We also hope others will join in to contribute so the practitioners running their business critical apps on Kubernetes have practical tools to help with security.”
As teams continue their broad adoption of Kubernetes, there is an even broader need for a standard in terms of what the overall scope and configuration of a cluster should encompass. For short-staffed teams where Kubernetes expertise is already in short supply, this standard view can also help achieve efficiencies, as security and platform engineering teams work quickly at large scale to describe their Kubernetes environments to third parties. Despite the high adoption of Kubernetes, when it comes to security for Kubernetes, adoption is comparatively low, measured at 34% in 2022. One of the major barriers to interacting with any third party or stakeholder around adding security to a Kubernetes environment, is getting an accurate grasp on the scope of the environment itself.
The new KBOM standard provides a quick view of the scope of your Kubernetes cluster, including:
- Workload count
- Cost and type of hosting service
- Vulnerabilities for both internal and hosted images
- Third party customization, for example CRDs, authentication and service mesh solutions
- Version details for the managed platform, the Kubelet, and more
KSOC is a cloud native security company that helps development and cloud security teams ship applications faster and innovate by safely harnessing the power of Kubernetes. KSOC is the first and only vendor to use the Kubernetes lifecycle to surface the true risk of clusters at any point in time, plugging into the Kubernetes API event stream to surface, remediate and prevent the most significant security issues.