
US-12619470-B2 - Assessing security vulnerabilities in cloud-native applications

US12619470B2

Abstract

According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user and performing the operation.

Inventors

  • Hendrikus G.P. Bosch
  • Randy Birdsall
  • Alessandro DUMINUCO
  • Zohar Kaufman
  • Sape Jurriën Mullender

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
2026-05-05
Application Date
2022-05-09

Claims (20)

  1. A method performed by a distributed cloud-native application, the method comprising: testing one or more distributed cloud-native application components of the distributed cloud-native application; receiving a request from a user to perform an operation, wherein the user is associated with a risk profile; determining, based on the request, a call path through the distributed cloud-native application to perform the operation; classifying a risk level associated with the determined call path based on a distributed call graph, wherein the distributed call graph is generated prior to receiving the request and comprises a risk value for each call path of a plurality of call paths through the distributed cloud-native application and the risk value is determined after the testing and is based on a weakness rating associated with each component of the one or more distributed cloud-native application components in the call path; determining whether the risk level associated with the determined call path is acceptable based on the risk profile associated with the user; and upon determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user, performing the operation.
  2. The method of claim 1, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on a mapping of known vulnerabilities to image layers, images or libraries used to build the component.
  3. The method of claim 1, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on vulnerabilities discovered during the testing of the component.
  4. The method of claim 3, wherein testing of the component comprises integration testing.
  5. The method of claim 3, wherein testing of the component comprises at least one of chaos-testing and fuzz-testing.
  6. The method of claim 1, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on anomalies observed by external telemetry providers.
  7. The method of claim 6, wherein the anomalies include at least one of a compromised transport layer security implementation, expired certification, reputation of a service provider, service usage amount, known adware or malware, and domain name.
  8. The method of claim 1, wherein the distributed call graph is determined statistically.
  9. The method of claim 1, wherein the request comprises input parameters and determining whether the risk level associated with the determined call path is acceptable is based on the input parameters.
  10. The method of claim 1, further comprising: upon determining the risk level associated with the determined call path is not acceptable based on the risk profile associated with the user, blocking the operation.
  11. The method of claim 1, further comprising obtaining updates to the distributed call graph.
  12. A cloud-native application host server comprises: a memory comprising instructions and a distributed call graph comprising a risk value for each call path of a plurality of call paths through a distributed cloud-native application and wherein each call path comprises one or more distributed cloud-native application components and the risk value is based on a weakness rating associated with each component of the one or more distributed cloud-native application components in the call path; a hardware processor; wherein the cloud-native application host server, when executing the instructions at the hardware processor, is configured to: test the one or more distributed cloud-native application components, wherein the risk value for each call path of the plurality of call paths is determined after the testing; receive a request from a user to perform an operation, wherein the user is associated with a risk profile; determine, based on the request, a call path through the distributed cloud-native application to perform the operation; classify a risk level associated with the determined call path based on the distributed call graph, wherein the distributed call graph is generated prior to receiving the request; determine whether the risk level associated with the determined call path is acceptable based on the risk profile associated with the user; and upon determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user, perform the operation.
  13. The cloud-native application host server of claim 12, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on a mapping of known vulnerabilities to image layers, images or libraries used to build the component.
  14. The cloud-native application host server of claim 13, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on vulnerabilities discovered during the testing of the component.
  15. The cloud-native application host server of claim 12, wherein the weakness rating associated with each component of the one or more distributed cloud-native application components is based on anomalies observed by external telemetry providers.
  16. The cloud-native application host server of claim 15, wherein the anomalies include at least one of a compromised transport layer security implementation, expired certification, reputation of a service provider, service usage amount, known adware or malware, and domain name.
  17. The cloud-native application host server of claim 12, wherein the distributed call graph is determined statistically.
  18. The cloud-native application host server of claim 12, wherein the request comprises input parameters and determining whether the risk level associated with the determined call path is acceptable is based on the input parameters.
  19. The cloud-native application host server of claim 12, wherein the cloud-native application host server is further configured to: upon determining the risk level associated with the determined call path is not acceptable based on the risk profile associated with the user, block the operation.
  20. The cloud-native application host server of claim 12, wherein the cloud-native application host server is further configured to obtain updates to the distributed call graph.
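The gating procedure the claims above describe, as an added worked example in Python (not code from the patent or from Cisco): a pre-built distributed call graph whose components carry a weakness rating drawn from image-layer CVE mapping, fuzz-test findings and telemetry anomalies (claims 2, 3 and 6), a precomputed risk value per call path, and a request-time check of that value against the user's risk profile that also tightens the limit when the request's input parameters carry sensitive data (claim 9), blocking otherwise (claim 10), plus a graph update that recomputes the path values (claim 11). The component names, scores, the max() merge of evidence sources, the 1 - prod(1 - w) path aggregation, the PII penalty and the operation-to-path table are all assumptions for illustration; the patent does not specify how ratings are combined.

```python
"""Toy model of the call-path risk gate in the claims above.
Added example, not the patent's or Cisco's code. All numbers and names are
constructed; the aggregation rules are assumptions, not the patent's method.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed weakness evidence per component on a 0..1 scale (assume CVSS/10).
# Sources mirror the claims: CVEs mapped to image layers, fuzz-test findings,
# anomalies from external telemetry (e.g. the expired certificate on ext-fx-api).
COMPONENT_EVIDENCE: Dict[str, Dict[str, float]] = {
    "api-gateway":   {"image_cves": 0.1,  "fuzz_findings": 0.0, "telemetry": 0.0},
    "order-svc":     {"image_cves": 0.1,  "fuzz_findings": 0.2, "telemetry": 0.0},
    "payment-svc":   {"image_cves": 0.05, "fuzz_findings": 0.0, "telemetry": 0.0},
    "legacy-ledger": {"image_cves": 0.8,  "fuzz_findings": 0.0, "telemetry": 0.0},
    "ext-fx-api":    {"image_cves": 0.0,  "fuzz_findings": 0.0, "telemetry": 0.3},
}

# Constructed distributed call graph (component -> downstream callees), assumed
# to have been recovered by tracing before any request arrives.
CALL_GRAPH: Dict[str, List[str]] = {
    "api-gateway": ["order-svc"],
    "order-svc": ["payment-svc", "legacy-ledger"],
    "payment-svc": ["ext-fx-api"],
    "legacy-ledger": [],
    "ext-fx-api": [],
}

# Operation -> the call path it takes (assumed known from the traced graph).
OPERATIONS: Dict[str, Tuple[str, ...]] = {
    "place_order": ("api-gateway", "order-svc", "payment-svc", "ext-fx-api"),
    "reconcile":   ("api-gateway", "order-svc", "legacy-ledger"),
}


def weakness_rating(evidence: Dict[str, float]) -> float:
    """Assumed merge: a component is as weak as its worst evidence source."""
    return max(evidence.values())


def enumerate_call_paths(graph: Dict[str, List[str]], entry: str) -> List[Tuple[str, ...]]:
    """All entry-to-leaf call paths by DFS; the graph is assumed acyclic."""
    paths: List[Tuple[str, ...]] = []

    def walk(node: str, trail: List[str]) -> None:
        trail = trail + [node]
        callees = graph.get(node, [])
        if not callees:
            paths.append(tuple(trail))
        for callee in callees:
            walk(callee, trail)

    walk(entry, [])
    return paths


def path_risk(path: Tuple[str, ...], ratings: Dict[str, float]) -> float:
    """Assumed aggregation: treat each rating as an independent chance of
    compromise, so path risk = 1 - prod(1 - w_i). It never drops below the
    weakest component and grows with every extra hop."""
    p_safe = 1.0
    for component in path:
        p_safe *= 1.0 - ratings[component]
    return round(1.0 - p_safe, 4)


def build_risk_graph(graph, evidence, entry: str = "api-gateway") -> Dict[Tuple[str, ...], float]:
    """Precompute the risk value for every call path (done before requests arrive)."""
    ratings = {c: weakness_rating(e) for c, e in evidence.items()}
    return {path: path_risk(path, ratings) for path in enumerate_call_paths(graph, entry)}


@dataclass
class RiskProfile:
    max_path_risk: float                 # highest path risk this user may traverse
    sensitive_data_penalty: float = 0.2  # assumed tightening when input carries PII


def evaluate_request(risk_graph, operation: str, profile: RiskProfile, params: Dict) -> Tuple[str, Tuple[str, ...], float, float]:
    """Request-time gate: resolve the path, look up its risk, compare to the
    user's limit (tightened by input parameters), then perform or block."""
    path = OPERATIONS[operation]
    risk = risk_graph[path]
    limit = profile.max_path_risk
    if params.get("contains_pii"):
        limit -= profile.sensitive_data_penalty
    decision = "perform" if risk <= limit else "block"
    return decision, path, risk, limit


def update_component(evidence, component: str, source: str, score: float):
    """Graph update: new evidence for one component, all path values recomputed.
    Returns a fresh risk graph and leaves the input evidence untouched."""
    updated = {c: dict(e) for c, e in evidence.items()}
    updated[component][source] = score
    return build_risk_graph(CALL_GRAPH, updated)


if __name__ == "__main__":
    graph = build_risk_graph(CALL_GRAPH, COMPONENT_EVIDENCE)
    admin = RiskProfile(max_path_risk=0.6)
    print(evaluate_request(graph, "place_order", admin, {}))
    print(evaluate_request(graph, "place_order", admin, {"contains_pii": True}))
    print(evaluate_request(graph, "reconcile", admin, {}))
    patched = update_component(COMPONENT_EVIDENCE, "legacy-ledger", "image_cves", 0.1)
    print(evaluate_request(patched, "reconcile", admin, {}))
```

With these constructed numbers the place_order path scores 0.5212, so an admin profile capped at 0.6 is allowed through, but the same request carrying PII drops the limit to 0.4 and is blocked; the reconcile path through the vulnerable legacy ledger scores 0.856 and is blocked until a graph update lowers the ledger's rating, after which it scores 0.352 and is allowed. The product aggregation is a deliberate choice: a single badly rated component dominates the path no matter how clean its neighbours are, which is the property a practitioner wants from a gate like this.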

Description

RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application Ser. No. 63/217,045 entitled “Assessing Security Vulnerabilities in Cloud-Native Applications,” filed Jun. 30, 2021, the entire content of which is incorporated herein by reference.

TECHNICAL FIELD

This disclosure generally relates to cloud computing, and more specifically to assessing security vulnerabilities in cloud-native applications.

BACKGROUND

Being cloud-native is an approach to building and running applications that fully use the advantages of the cloud model. A cloud-native application uses a collection of tools that manage and simplify the orchestration of the services that make up the application. These services, each with its own lifecycle, are connected by application programming interfaces (APIs) and are deployed as containers. The containers may be orchestrated by a container scheduler that manages where and when a container should be provisioned into an application and is responsible for lifecycle management. Cloud-native applications are designed to be portable to different deployment environments: for example, in a public, private, or hybrid cloud. Continuous delivery and DevOps are methods used to automate the process of building, validating, and deploying services into a production network.

Securing the public cloud is an increasingly difficult challenge for businesses. As a result, information technology (IT) departments are searching for cloud security solutions that provide sufficient end-user security.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the disclosed embodiments and their features and advantages, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a call graph for a cloud-native application; FIG. 2 is a flow diagram illustrating a method performed by a distributed cloud-native application, according to some embodiments; and FIG. 3 is a block diagram illustrating an example cloud-native application host server, according to particular embodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

Cloud-native applications are, in essence, highly distributed applications and assessing if such applications are vulnerable to hacking attempts is difficult. First, understanding which application parts are used in the distributed set of application components is often not known until the application runs. Then, with the introduction of external application programming interface (API) services, understanding how such components integrate with the main application complicates security analysis further. Tracing API services is more difficult if such functions are not owned by the enterprise managing the application. Lastly, cloud-native applications carry data between the various components, some of which may be sensitive. Understanding and controlling what data goes where is instrumental to reducing security risk.

It is important to track the operations of cloud-native applications and capture their operations to enable security personnel and/or developers, with their tooling, to assess where applications are vulnerable. When security personnel and/or developers can automatically assess such vulnerabilities, they can mitigate the risk of such vulnerabilities and install specific security policies to quarantine certain application aspects, restrict distribution of sensitive data to such application components, report and instruct development teams to get the application security fixed and more.

Particular embodiments include mapping customer requests against cloud-native applications and, using a risk/reward scheme, determining if proceeding with the customer request falls within the operating mode of the enterprise hosting the cloud-native application and/or the customer. The risk is based on building a distributed call graph of the application using existing tracing techniques and then augmenting the call graph with known vulnerabilities and weaknesses for all application assets and by performing dynamic testing against application components.

According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the ri