Mitigate Baron Samedit (CVE-2021-3156) vulnerability

The ease of containers makes them inviting targets, but you can flip the script

By Phillip Cockrell

Containers are great for quickly spinning up applications, particularly at scale with Kubernetes, but their ease-of-use sometimes leads to lax maintenance and vetting, which can leave you vulnerable to the common exploits hackers like to use most.

The problem is container images contain built-in unknowns, aren’t immune to well-known security flaws or zero-day threats, and aren’t patched nearly as often as VMs. If you deploy hundreds or thousands of Kubernetes pods based on an insecure image, each node presents fertile ground to hackers.

Playing defense keeps DevSecOps teams busy trying to protect deployments large and small. You and your team have to stay current, react to known threats and chase down vulnerabilities over and over again.

Traditional approaches don’t lend themselves well to containers

To stay ahead of threats in a VM paradigm, you might create physical and network barriers to keep hackers out, but in Kubernetes, with virtual networks and shared resources, isolation comes in the form of security policies and layers that restrict client applications.

Unfortunately, adding layers usually adds overhead and bloat, hurts performance and bogs down deployments. You may accept that extra overhead as the price to pay for better security, but even with these countermeasures, every Kubernetes pod remains fundamentally identical and equally vulnerable.

A different approach that flips the script

Instead of reacting to the latest threats, it would be better to go on offense by making your images unique and unrecognizable to attackers. Polymorphism does that by scrambling and recompiling Linux, packages and your custom code into unique, hardened images — without changing how they perform.

Polyverse Polymorphing uses polymorphism to change most aspects of your containers so hackers looking to exploit well-known filesystems will be stumped while your applications run just as they always have.

Proactive container security without the fire drill

Polymorphing and Polymorphic Build Farm for Open Source integrate easily into your existing CI/CD tooling, ensuring you can deploy trusted code anywhere you want it, including Kubernetes clusters, cloud or on-prem VMs, or bare-metal servers.

The result is pods based on unique images that you can rescramble daily, on your regular maintenance schedule or any timeline your use-case demands. Stock exploits simply won’t work. Hackers have to chase you, not the other way around.

Our new white paper takes a closer look at the challenges of securing containers, particularly in large-scale Kubernetes use cases. It explains the need for proactive security solutions that address the unique nature of containers and the build process, and describes an innovative approach to securing them that lets you take full advantage of the power of Kubernetes.