Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.
Companies are struggling to address the gap that exists between how they're using containers and their level of confidence about security and misconfigurations. The more containers dominate application development, the more imperative it is to integrate container security measures throughout the process, bringing it earlier in the app dev process and integrating it with the orchestration layer. Portability and integration are critical as companies are trying to simultaneously operationalize and secure containers and microservices across hybrid and multi-cloud deployments.
The lag between container security and container adoption represents significant risks to individual businesses as well as the broader ecosystem. It's time to close this security gap before it widens, and DevOps has a central role to play. Properly deployed, containers enable more effective security practices than traditional infrastructure, and the cloud-native stack is particularly well-suited for cloud environments and complex ecosystems.
According to research from the StackRox State of Container Security 2018 Report, professionals using container technologies are most concerned about misconfigurations and runtime security. Incidents of attacks and breaches based on exposed Kubernetes settings have made headlines and jangled nerves. Even though misconfigurations are seen as a primary vulnerability, respondents are also focused on runtime security, perhaps because running containers in production is still fairly new and no one wants to risk discovering unknown issues post deployment.
DevOps is increasingly positioned as responsible for operating container security solutions
In reaction to these anxieties, organizations are trying a "shift left" approach, looking to address security earlier in the software development cycle. As a result, DevOps is increasingly positioned as responsible for operating container security solutions. The CI/CD process components (e.g., build automation, developer tools) are closely linked to container security, which pushes security and DevOps teams to shift towards greater cooperation and collaboration with each other.
To facilitate shrinking the gap between adoption rates and security maturity — and between traditional security and development silos — organizations should seek container security solutions that reflect the DevOps model, workflow, and processes. Avoiding the headlines that keep security leaders up at night requires solutions that address container and orchestrator misconfigurations and also deliver runtime security functions with adaptive detection to reduce false alerts.
DevOps teams want solutions with security controls that leverage cloud-native infrastructure. In other words, a solution that uses the network policy enforcement built into Kubernetes is preferable to one that creates a separate security layer. Portability across mixed environments (on-prem, hybrid, multi-cloud, managed) is important for similar reasons.
To better support container security, DevOps requires visibility and intelligence at the deployment level. If information is limited to the container-level perspective, staff don't have the big picture context to make decisions or garner insights. Risk mitigation information, including context about what needs to be addressed and why, should be provided directly to all appropriate DevOps teams.
Speaking of the bigger picture, as digital transformation accelerates across industries and containers come into wider use in critical production environments, security practices need to keep pace. Already, security teams are frequently caught unaware, surprised at how broadly containers are being used in their organization. While the mechanics need to be container-specific and tied to various build, deploy, and run stages, the core functionality should resemble best-in-class network and endpoint solutions: identify and manage assets; prioritize the riskiest elements; automatically harden the environment; and detect and block malicious actors.
Container security should reach way beyond what a bolt-on solution can touch. Kubernetes, the orchestrator chosen most for container deployments, is the core engine of effective container security. DevOps should help bridge the gap between adoption and security by focusing on Kubernetes protection and hardening. Teams that settle on Kubernetes, and then build tools and systems that rely on it, will solve a lot of the security risks going forward. As Kubernetes is increasingly crowned the OS of the cloud, many security challenges will be simplified.
Through the migration to the cloud, central IT has turned its focus to enabling applications instead of running infrastructure. Security is likewise shifting to enabling rather than operating security tools. As organizations become more focused on application development, DevOps will move toward center stage as the roles and responsibilities of the group expand. In containerized environments, the security team will define policies and put guardrails in place, but DevOps will operate the security tools tied to microservices and containerized applications.
The CISO will grow into a more strategic role, shaping policy and working to embed security functions and "shift left" even more.
The granularity of container technology presents new opportunities to optimize security resilience and agility. In cloud-native environments, the control layer and data plane are mixed together; DevOps can programmatically secure the application by writing in a layer of logic to maintain continuous and instantaneous enforcement. With monolithic applications, security gaps were often found only in production, when all dependencies were in full effect; with container security, they can be found much earlier. Moreover, security gaps can be addressed without breaking or refactoring the whole application.
Risk resilience, security agility, and granular control will be essential to achieving container excellence. Bringing in DevOps to take advantage of the security strengths of Kubernetes and cloud-native environments will help organizations keep pace with their own innovation and close security gaps and create a strong foundation for future opportunities, challenges, and growth.