How to know if container environment variables can be trusted

Question

My application (or microservice, etc.) running in a container uses container environment variables. How can I know if the data should be trusted?

Answer

Fortify views all data that comes from outside the application code as a potential vector for an attack. It therefore marks all data coming into an application as potentially tainted and requires the data to be validated before it is used. This includes data from container environment variables. Additionally, sensitive data such as passwords and keys must not be stored as environment variables.

Best practice is not to trust container environment variables. Vulnerabilities in the operating system, the container itself, other applications or services running in the container, and misconfiguration can all lead to compromise of the container environment data. Recommendations therefore include:

  • All data should be validated close to where it is used, including data that is read from container environment variables. This best practice helps ensure all data is validated and that it is validated correctly for how it will be used.
  • Sensitive data must not be stored in container environment variables. Secret management technologies must be used. These are generally available from the public cloud provider, orchestration software, container software or a third party.
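The two recommendations above in code, as an added example that is not part of the original guidance: each environment variable is treated as tainted and validated against an allowlist at the point of use, and the secret is read from a file the orchestrator mounts (for example a Kubernetes Secret volume) instead of an environment variable. The variable names and the secret path are assumptions made for this example.

```python
# Added example (not from the guidance above): treat every container environment
# variable as tainted input, validate it where it is consumed, and read secrets
# from an orchestrator-mounted file. Variable names and the path are assumptions.
import re
from typing import Mapping

# Allowlist patterns: ASCII digits only for the port, RFC 1123 labels for the host.
PORT_RE = re.compile(r"[0-9]{1,5}")
HOST_RE = re.compile(r"(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
                     r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*")
ALLOWED_LOG_LEVELS = frozenset({"DEBUG", "INFO", "WARNING", "ERROR"})

class ConfigError(ValueError): """Validation failed: refuse to start rather than use the value."""

def validate_port(raw: str) -> int:
    if not PORT_RE.fullmatch(raw):  # int() alone would accept non-ASCII digits
        raise ConfigError(f"APP_PORT must be 1-5 ASCII digits, got {raw!r}")
    port = int(raw)
    if not 1024 <= port <= 65535:  # unprivileged range only
        raise ConfigError(f"APP_PORT out of range: {port}")
    return port

def validate_hostname(raw: str) -> str:
    host = raw.strip().lower()
    if not HOST_RE.fullmatch(host):
        raise ConfigError(f"APP_DB_HOST is not a valid hostname: {raw!r}")
    return host

def validate_log_level(raw: str) -> str:
    level = raw.strip().upper()
    if level not in ALLOWED_LOG_LEVELS:  # allowlist; never handed to the logger raw
        raise ConfigError(f"APP_LOG_LEVEL not allowed: {raw!r}")
    return level

def load_config(env: Mapping[str, str]) -> dict:
    """Build the config from a mapping such as os.environ; every field is validated."""
    missing = [k for k in ("APP_PORT", "APP_DB_HOST", "APP_LOG_LEVEL") if k not in env]
    if missing:
        raise ConfigError(f"missing required variables: {missing}")
    return {"port": validate_port(env["APP_PORT"]),
            "db_host": validate_hostname(env["APP_DB_HOST"]),
            "log_level": validate_log_level(env["APP_LOG_LEVEL"])}

def read_secret_file(path: str = "/run/secrets/db_password") -> str:
    """Read a secret mounted as a file by the orchestrator; callers must never log it."""
    with open(path, encoding="utf-8") as f:
        secret = f.read().rstrip("\r\n")
    if not secret:
        raise ConfigError(f"secret file {path} is empty")
    return secret
```

Call `load_config(os.environ)` once at startup so a bad value stops the service before any request is served.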

Additional Guidance

OIS Software Assurance recognizes that the above is not always feasible for all applications. To show instead that container environment variable data used by an application can be trusted, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[1] that attests:
    • The container hosting the application was instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts to ensure that the container data in question is protected from unauthorized access.
    • Required system security monitoring and system configuration monitoring is being performed to ensure that environment variable data used by an application running in a container is protected from unauthorized access.
  • Requirement: Any sensitive data such as passwords or keys should be encrypted and managed using, for example, Kubernetes secrets functionality[3][4].
    • Secrets must not be stored in container environment variables.
    • The developer must identify the secrets management technology used.

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.

[3] This particular notional example’s functionality may not be sufficient based on project or ATO needs.

[4] The specific solution used for secrets management must be identified in the attestation or in a readme file.