Recently, we announced the availability of the Wiz Admission Controller to prevent risks from entering Kubernetes environments. Today, we are announcing a set of additional capabilities to Wiz's Admission Controller to enable organizations to further operationalize their shift left strategy, including the ability to:
Enforce fine-grained deployment time controls,
Centrally view all change attempts and policy failures in the environment,
Report admission controller events, and
Leverage Wiz CDR to define custom alerts for suspicious events in your cluster.
These new capabilities enable organizations to improve the security posture of their Kubernetes clusters and enable developers to ship faster with a reduced risk of security policy violations at deployment time.
The big shift left
Shifting left by integrating security measures earlier in the software development lifecycle has long been a goal for security and engineering teams. However, achieving this desired ideal state has been difficult to operationalize. This challenge is often attributed to the need for a singular platform that promotes a shared security language and understanding. In addition, a strong foundation for security on the right side of the pipeline is necessary before it can be effectively operationalized on the left. Finally, organizations must build trust between engineering and security teams to ensure a smooth integration of security measures throughout development. Overcoming these challenges is crucial for successfully shifting left and creating more secure infrastructure and applications. Wiz helps organizations overcome these challenges, transform their cloud security operating model, and adopt a shift-left security strategy.
One cloud security platform. One unified security policy. From code to cloud.
Wiz enables organizations to shift their security strategy left with Wiz Guardrails - which consists of the Wiz CLI and Wiz Admission Controller. Wiz Guardrails enables a single policy framework for both development and security teams spanning source to production that controls the CI/CD pipeline and the deployment of resources in your Kubernetes cluster. This single integrated cloud security approach breaks down technology and organizational silos to give security teams centralized control while unleashing developers.
The Wiz CLI scans containers and images for misconfigurations, vulnerabilities, network, IAM, and exposed secrets in the CI/CD pipeline. Developers and security teams gain end-to-end visibility into what was scanned in the pipeline and what passed or failed.
The Wiz Admission Controller extends the Wiz security policy framework to deployment time. It ensures all your incoming requests adhere to your organization's security policies and best practices, thereby improving your Kubernetes clusters' security posture. Scan Kubernetes resources (such as Pods, Accounts, Services, Ingresses, and Deployments) and enforce security policies before clusters create or modify resources.
New capabilities unlocked with the Kubernetes Admission Controller:
1. Fine-grained Kubernetes admission control policy
Improve the security posture of your Kubernetes cluster with targeted and fine-grained security control on your Kubernetes controller admission policy. The new capabilities enable you to define and detect containers that do not comply with your security policy at deployment time. Behaviors often associated with malicious behavior, such as unrestricted, highly privileged system-level calls or enabling read-write permissions to highly sensitive directories and volumes, can be identified and blocked.
2. View Kubernetes admission review rates
Gain a deeper understanding of your Kubernetes environment with a centralized view of all the change attempts made in your Kubernetes environment and the policies they failed. With Wiz’s dedicated admissions review page, you can easily analyze admission controller events and gain insights into which resources generated the event, which policy failed, and other important details.
3. View your Kubernetes event or create your own custom policies.
The Admission Controller in a Kubernetes cluster generates cloud events for every create and update operation that occurs within the protected environment. This provides valuable insight into the activities taking place in the cluster. By creating cloud event rules, customers can identify abnormal or suspicious behavior which could indicate a brute-force attack on the Kubernetes API. Additionally, customers can prioritize admission events based on their severity and set up alerts accordingly. For example, if a critical admission controller event occurs, the customer can configure an alert to notify them immediately.
These new capabilities extend the reach of Wiz Guardrails to enforce a single security policy across the software development pipeline to identify security issues early in the pipeline before they are deployed to production. Organizations benefit from improved security posture while reducing security bottlenecks in the pipeline to improve overall developer efficiency. Learn more about how you can use these new capabilities to learn from the right, then shift to the left. Check out the Wiz docs (login required) to get started. Have questions, comments, or feedback? Do reach out to Wiz. We love hearing from you. You can also learn more about how Wiz can help secure your containers and Kubernetes, by visiting https://www.wiz.io/solutions/container-and-kubernetes-security.
CVE-2023-25610 is a critical RCE vulnerability in FortiOS. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Affected customers should patch immediately.