Catching Up and Closing the Gap: DevOps Alignment Advances the State of Container Security
March 11, 2019

Ali Golshan
StackRox

Companies are struggling to address the gap that exists between how they're using containers and their level of confidence about security and misconfigurations. The more containers dominate application development, the more imperative it is to integrate container security measures throughout the process, bringing it earlier in the app dev process and integrating it with the orchestration layer. Portability and integration are critical as companies are trying to simultaneously operationalize and secure containers and microservices across hybrid and multi-cloud deployments.

The lag between container security and container adoption represents significant risks to individual businesses as well as the broader ecosystem. It's time to close this security gap before it widens, and DevOps has a central role to play. Properly deployed, containers enable more effective security practices than traditional infrastructure, and the cloud-native stack is particularly well-suited for cloud environments and complex ecosystems.

Major Concerns

According to research from the StackRox State of Container Security 2018 Report, professionals using container technologies are most concerned about misconfigurations and runtime security. Incidents of attacks and breaches based on exposed Kubernetes settings have made headlines and jangled nerves. Even though misconfigurations are seen as a primary vulnerability, respondents are also focused on runtime security, perhaps because running containers in production is still fairly new and no one wants to risk discovering unknown issues post deployment.

DevOps is increasingly positioned as responsible for operating container security solutions

In reaction to these anxieties, organizations are trying a "shift left" approach, looking to address security earlier in the software development cycle. As a result, DevOps is increasingly positioned as responsible for operating container security solutions. The CI/CD process components (e.g., build automation, developer tools) are closely linked to container security, which pushes security and DevOps teams to shift towards greater cooperation and collaboration with each other.

DevOps Alignment

To facilitate shrinking the gap between adoption rates and security maturity — and between traditional security and development silos — organizations should seek container security solutions that reflect the DevOps model, workflow, and processes. Avoiding the headlines that keep security leaders up at night requires solutions that address container and orchestrator misconfigurations and also deliver runtime security functions with adaptive detection to reduce false alerts.

DevOps teams want solutions with security controls that leverage cloud-native infrastructure. In other words, a solution that uses the network policy enforcement built into Kubernetes is preferable to one that creates a separate security layer. Portability across mixed environments (on-prem, hybrid, multi-cloud, managed) is important for similar reasons.

To better support container security, DevOps requires visibility and intelligence at the deployment level. If information is limited to the container-level perspective, staff don't have the big picture context to make decisions or garner insights. Risk mitigation information, including context about what needs to be addressed and why, should be provided directly to all appropriate DevOps teams.

The Ecosystem

Speaking of the bigger picture, as digital transformation accelerates across industries and containers come into wider use in critical production environments, security practices need to keep pace. Already, security teams are frequently caught unaware, surprised at how broadly containers are being used in their organization. While the mechanics need to be container-specific and tied to various build, deploy, and run stages, the core functionality should resemble best-in-class network and endpoint solutions: identify and manage assets; prioritize the riskiest elements; automatically harden the environment; and detect and block malicious actors.

Container security should reach way beyond what a bolt-on solution can touch. Kubernetes, the orchestrator chosen most for container deployments, is the core engine of effective container security. DevOps should help bridge the gap between adoption and security by focusing on Kubernetes protection and hardening. Teams that settle on Kubernetes, and then build tools and systems that rely on it, will solve a lot of the security risks going forward. As Kubernetes is increasingly crowned the OS of the cloud, many security challenges will be simplified.

Through the migration to the cloud, central IT has turned its focus to enabling applications instead of running infrastructure. Security is likewise shifting to enabling rather than operating security tools. As organizations become more focused on application development, DevOps will move toward center stage as the roles and responsibilities of the group expand. In containerized environments, the security team will define policies and put guardrails in place, but DevOps will operate the security tools tied to microservices and containerized applications.
The CISO will grow into a more strategic role, shaping policy and working to embed security functions and "shift left" even more.

Security Agility

The granularity of container technology presents new opportunities to optimize security resilience and agility. In cloud-native environments, the control layer and data plane are mixed together; DevOps can programmatically secure the application by writing in a layer of logic to maintain continuous and instantaneous enforcement. With monolithic applications, security gaps were often found only in production, when all dependencies were in full effect; with container security, they can be found much earlier. Moreover, security gaps can be addressed without breaking or refactoring the whole application.

Risk resilience, security agility, and granular control will be essential to achieving container excellence. Bringing in DevOps to take advantage of the security strengths of Kubernetes and cloud-native environments will help organizations keep pace with their own innovation and close security gaps and create a strong foundation for future opportunities, challenges, and growth.

Ali Golshan is CTO and Co-Founder of StackRox
Share this

Industry News

July 09, 2020

ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity.

July 09, 2020

RunSafe Security announced a partnership with JFrog that will enable RunSafe to supercharge binary protections via a simple plugin that JFrog users can deploy within their Artifactory repositories and instantly protect binaries and containers.

July 09, 2020

LeanIX closed $80 million in Series D funding led by new investor Goldman Sachs Growth.

July 08, 2020

Afi.ai introduced Afi Data Platform, a cloud-based replication and resiliency service that helps to monitor, predict downtime and recover K8s applications.

July 08, 2020

D2iQ announced the release of Conductor, a new interactive learning platform that enables enterprises to access hands-on cloud native courses and training.

July 08, 2020

SUSE entered into a definitive agreement to acquire Rancher Labs.

July 07, 2020

Micro Focus announced AI-powered enhancements to the intelligent testing capabilities of the UFT Family, a unified set of solutions designed to reduce the overall complexity of automating the functional testing processes.

July 07, 2020

Push Technology announced the launch of a new Service API capability for Diffusion Cloud, Push’s Real-Time API Management Cloud Platform.

July 07, 2020

Lightrun exited stealth and announced $4M in seed funding for the first complete continuous debugging and observability platform for production applications.

July 01, 2020

JFrog announced the launch of ChartCenter, a free, security-focused central repository of Helm charts for the community.

July 01, 2020

Kong announced a significant upgrade to open source Kuma, Kuma 0.6, available today.

July 01, 2020

Compuware Corporation, a BMC company, announced new capabilities that further automate and integrate test data and test case execution, empowering IT teams to achieve high-performance application development quality, velocity and efficiency.

June 30, 2020

Couchbase announced the general availability of Couchbase Cloud, a fully-managed Database-as-a-Service (DBaaS).

June 30, 2020

Split Software announced new capabilities designed to accelerate the adoption of feature flags in large-scale organizations.

June 30, 2020

WhiteHat Security announced a discounted Web + Mobile Application Security bundle to help organizations secure the digital future.