May 20, 2022
How we secured a Cloud Native app-stack for a Custom Software Development firm
We conducted a comprehensive audit of our client’s Cloud environment, we discovered an exploit that could compromise the entire Kubernetes cluster.
.svg)
X
X
X
We conducted a comprehensive audit of our client’s Cloud environment, we discovered an exploit that could compromise the entire Kubernetes cluster.
Our client specialises in software development solutions and tech incubation. Their first app was an analytics and business intelligence solution that helps pharmaceutical executives manage and optimise their supply chains on a global level.
Our client’s cloud-native stack put an emphasis on heavy-duty data processing, and was built on a microservices architecture on Google Cloud Platform (GCP), orchestrated by Kubernetes.
Since the app had to pull in a lot of data from the ERP and supply chain systems, we45’s assessment focused on uncovering flaws that would allow for unauthorised access to data, or the manipulation of data in transit.
This was where our client saw their most serious security vulnerabilities, including unrestricted file uploads by users and lower-privilege users being able to access datasets they weren’t authorised for. Naturally, this wasn’t good for data confidentiality.
The company’s engineers worked quickly. By using randomly generated values to identify datasets in the backend, they remediated the vulnerabilities we’d identified, patching up the most critical ones first.
Their most serious security vulnerabilities were issues of privilege escalation.
We conducted a comprehensive audit of our client’s Google Cloud environment, specifically their Kubernetes Clusters configs, Docker Containers, and K8s pods. In doing so, we discovered an exploit that could compromise the entire Kubernetes cluster, as well as all the services running in it.
Our team generated detailed reports on all the flaws we identified, and assisted the company’s engineers in systematically mitigating each one. In doing so, we ensured only secure container images would be included in their container repository.
One of the reasons our client was so sought after in the industry was their intimate familiarity with application development innovations like Container orchestration with Kubernetes, and microservices architectures. This was critical for organisations looking to scale their apps on the cloud without a concomitant increase in cost.
With we45’s involvement, the company now has the confidence not just to offer their clients a cutting edge tech stack for their apps—but equally as important—they can confidently assure of industry-leading security standards that was simply not possible before.
we45's training program in Application Security Essentials helped a major public university system develop secure applications for medical research.The app started with just one research project and a handful of users in the beginning. Today, it host
