How best practices fix security holes in supply chain

Article By : B. Cameron Gain

Software and data risks are always present, but how security is managed and threats are resolved makes all the difference.

A server security hole, the CVE-2016-9962, in the relatively new virtualisation platform called container software has been detected and fixed before the damage became widespread. The vulnerability could have hobbled many supply chain networks around the world. Except that it didn’t.

The lesson learned: the backend software on the cloud for supply chain IT networks is vulnerable, but best practices can help to even the score against often daily attacks on any system. Supply chain and procurement managers’ expertise generally does not extend to server administration knowhow. However, that does not mean they should not have, at the very least, awareness of how and where the organisation’s and suppliers’ data is managed and stored. This includes awareness of threats such as CVE-2016-9962 and how they can fixed.

As the container platform incident shows, software and data risks are always present, but how security is managed and threats are resolved makes all the difference.

“There will always be security flaws such as this—it's the nature of software,” Josh Bressers, security strategist, for Red Hat, told EBN. “Rather than focus on a single bug, it's better to build resilient systems using current security practices and have the ability to move quickly. Those actions have a real outcome on understanding and controlling risk."

Indeed, there are always risks inherent in multitenant server environments such as containers, Amichai Shulman, CTO for Imperva, told EBN. “Choosing containers makes sense for what they offer and the risk is worth it, provided that systems are built and managed properly,” Shulman said. “This all depends on choosing the right cloud provider.”

Problem & fix

Supply chain operation that have begun to rely on container platforms run the gamut. They range from classic logistics tracking software on a cloud server to emerging artificial intelligence (AI) applications.

Like large metal crates used for shipping, virtual software containers, often belonging to different customers, are hosted on the same server and share a common root directory. The applications and associated data have separate operating systems like virtual machines do on the same server. However, these multiple software instances require much less computing power and memory to run compared to separate virtualised servers since they share many resources.

Trouble emerged when Docker, a leading containerisation software provider, issued a security alert a few weeks ago. It involved command access to the host server from containers in certain circumstances. Among other things, data from other containers could be accessed and exploited with the vulnerability.

Labelled by security Department of Homeland Security as CVE-2016-9962 in Common Vulnerabilities and Exposures, Docker promptly reported the threat and published a patch. The vulnerability was initially linked to Docker container systems, but Aqua Security said it applied to other systems as well.

For many security experts, the threat was par for the course whenever a new and useful server technology is introduced.

"It is inevitable with every new technology that vulnerabilities will be discovered, but a swift response from vendors and the availability of tools and best practices enable us to stay ahead of attackers,” Michael Cherny, head of security research for Aqua, told EBN. “Containers are becoming more and more secure as the technology matures, as users learn how to configure their environments properly, scan for vulnerabilities and apply runtime controls and monitoring.”

The big takeaway

For the large and growing number of supply chains relying on containerisation to save costs and boost IT efficiency, CVE-2016-9962 can serve as a test of how secure their backend IT infrastructure is.

Among cloud service providers, the large and established players such as Amazon and Google offer the safest way to ensure containers remain isolated, Shulman said. However, while they are generally more reliable than less-established providers, the big players do not ensure your firm’s individual container’s security.

As solution against future threats, organisations with supply chains that lack the in-house resources for security management need to rely on outside resources, Shulman said.

“It is all a matter of risk management. If you are a smaller organisation and have no in-house security capacity, some players might use the container services of an Amazon or a Google, and a third-party security services provider,” Shulman said. “In this case, they enjoy the best of both worlds.”

First published by EBN.