# Insecure Default Initialization of Resource (CWE-1188) The product initializes a resource in an insecure way that is not in line with the intended privileges for the resource. **Stack:** Kubernetes - Prevalence: Wysoka Często wykorzystywana - Impact: Średni Zalecany przegląd - Prevention: Udokumentowane 2 przykładów poprawek **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description When resources are initialized with insecure default settings, they may expose functionality or data that should be protected. Users may not realize they need to change default settings. ## Prevention Strategie zapobiegania dla Insecure Default Initialization oparte na 2 regułach detekcji Shoulder. ### Kubernetes Deploy resources to an explicit namespace instead of 'default' for better isolation Add liveness and readiness probes to ensure Kubernetes can monitor container health ## Warning Signs - [LOW] Resource deployed to default namespace instead of explicit namespace - [LOW] resources deployed to the default namespace - [LOW] Container is missing liveness and/or readiness probes. - [LOW] containers missing liveness and/or readiness probes ## Consequences - Obejście mechanizmu ochrony - Odczyt danych aplikacji - Uzyskanie uprawnień ## Mitigations - Stosuj bezpieczne wartości domyślne we wszystkich konfiguracjach - Dokumentuj implikacje bezpieczeństwa poszczególnych ustawień - Wymagaj wyraźnej zgody (opt-in) dla opcji niezabezpieczonych ## Detection - Total rules: 2 - Languages: yaml ## Rules by Language ### Yaml (2 rules) - **Using Default Namespace** [LOW]: Detects resources deployed to the default namespace. - Remediation: Use an explicit namespace instead of 'default' for better organization and isolation. - **Missing Health Probes** [LOW]: Detects containers missing liveness and/or readiness probes. - Remediation: Add liveness and readiness probes. ```yaml livenessProbe: httpGet: path: /healthz port: 8080 ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-1188/missing-health-probes