Kubernetes Bill of Materials (KBOM) open-source tool enhances cloud security response to CVEs

Kubernetes Security Operations Center (KSOC) released the first-ever Kubernetes Bill of Materials (KBOM) standard.

Available in an open-source CLI tool, this KBOM enables cloud security teams to understand the scope of third-party tooling in their environment to respond quicker to new vulnerabilities, which have become frequent in recent months. Despite the large third-party ecosystem of tools for Kubernetes, Kubernetes has been largely ignored regarding compliance regulations for the software supply chain.

In recent months, new vulnerabilities have emerged in varied Kubernetes tooling like Crossplane (rated High), the Jenkins plugin (rated Medium), CubeFS, and Clusternet. While the Software Bill of Materials (SBOM) has moved forward to the point of being a formal part of the NIST requirements required by the USA federal government in federal purchases, this requirement falls short of the deployment stage in the application development lifecycle, where Kubernetes into play.

“Kubernetes is orchestrating the applications of many of the biggest business brands we know and love. Adoption is no longer an excuse, and yet from a security perspective, we continually leave Kubernetes itself out of the conversation when it comes to standards and compliance guidelines, focusing only on activity before application deployment,” says KSOC CTO Jimmy Mesta.

“We are releasing this KBOM standard as a first step to getting Kubernetes into the conversation when it comes to compliance guidelines. We also hope others will join in to contribute so the practitioners running their business-critical apps on Kubernetes have practical tools to help with security,” Mesta concluded.

As teams continue their broad adoption of Kubernetes, there is an even broader need for a standard in terms of the overall scope and configuration of a cluster. For short-staffed teams where Kubernetes expertise is already in short supply, this standard view can also help achieve efficiencies, as security and platform engineering teams work quickly at a large scale to describe their Kubernetes environments to third parties.

Despite the high adoption of Kubernetes, when it comes to security for Kubernetes, adoption is comparatively low, measured at 34% in 2022. One of the major barriers to interacting with any third party or stakeholder around adding security to a Kubernetes environment, is getting an accurate grasp on the scope of the environment itself.

The new KBOM standard provides a quick view of the scope of your Kubernetes cluster, including:

• Workload count
• Cost and type of hosting service
• Vulnerabilities for both internal and hosted images
• Third-party customization, for example CRDs, authentication and service mesh solutions
• Version details for the managed platform, the Kubelet, and more