How Do Containerized Applications Stack Up Against Security? - Part 1
February 27, 2019

Taylor Armerding
Synopsys

A good container has to do at least two things well: hold what it's supposed to hold, and not leak. That's true of digital containers that hold applications as well.

So if you're thinking of adopting a technology like containers, one obvious question ought to be: Does it mitigate or reduce security risks and leaks of an organization's data?

Containers are increasingly popular, for good reason. They offer multiple benefits, including portability, easy deployment, and consumption of fewer system resources. But they are also effectively a new layer in the application stack, which requires a new way of thinking about application security. In its Application Container Security Guide, NIST points out that as containers revolutionize application deployment, organizations must adapt their security strategies to new, dynamic production environments.

That's because containers and the applications they hold can be just as vulnerable to attacks as traditional applications. To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. If you don't know the risks, how can you avoid them? Here are a few:

Isolation

All isolations are not created equal. Container isolation differs significantly from virtual machine (VM) isolation. In VM systems, hypervisor isolation limits the ability of an attacker to move laterally within an application stack if an application is breached.

But containerized applications don't require hypervisors; they share elements of the host operating system's kernel. Some organizations worry, understandably, that if they deploy container-based applications, a breach could expose more of their sensitive data than it would if they used VMs (since different containers running on the same server could have access to different data).

Runtime complexities

The dynamic nature of containers introduces new runtime complexities that application deployment teams must understand and manage. Container orchestration systems like Kubernetes are designed to quickly provision replicated instances of a container image. Containerized applications consist of one or more container images coupled to form the functionality required by the application.

This leads to the topic of application scalability — a function of the quantity of specific container images deployed at any given point. When a new feature is ready for deployment, the application owner creates an update strategy to ensure any existing users of the application aren't affected by the update. This update strategy defines the percentage of images to roll forward with the update, as well as how a rollback might occur if errors are discovered.

Also, the dynamic nature of containerized deployments makes monitoring for malicious behavior or unauthorized access more difficult than in a traditional IT environment. Containerized applications often have different resource requests that are shared at the host server level.

To overcome that difficulty, IT operations and security teams should become partners with their development teams. Information sharing among them will help them understand expected behavior for the application.

Patch management

Most container applications are created from base images — essentially limited, lightweight operating systems. Application container images combine a base image with application-specific elements, such as frameworks, runtimes, and the applications themselves. Each element is a layer within the image. The contents of these layers can harbor software vulnerabilities, which makes them an attractive attack surface.

Consequently, traditional application security that focuses on testing the application is not enough. Security testing of containerized applications must also address vulnerabilities latent within the layers of the image. This is because, unless there are restrictions to the contrary, any executable element within a container image can be executed — even if it's not part of the application's requirements.

As Tim Mackey, technical evangelist at Synopsys, puts it, "Treat each container image as if it were a full operating system, and identify security issues as you would for any virtual machine or server. Remediation of those issues will need a different process, one that takes advantage of capabilities within containerized environments."

It's not enough simply to scan container images, given that some clusters exceed 10,000 images. Organizations must continue to monitor for newly discovered vulnerabilities in any layer — without degrading performance.

Read How Do Containerized Applications Stack Up Against Security? - Part 2

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

September 16, 2019

Oracle announced the general availability of Java SE 13 (JDK 13).

September 16, 2019

Data Intensity launched its Automation-as-a-Service offering.

September 16, 2019

Mobile Labs launched the final addition to its mobile device cloud suite: GigaFox Red and GigaFox Silver.

September 12, 2019

Rafay Systems announced the general availability of its turnkey, SaaS-based offering designed to confront a complex set of ongoing challenges enterprises and service providers face when modernizing their applications.

September 12, 2019

StackRox announced the availability of the StackRox App for the Sumo Logic Continuous Intelligence Platform.

September 12, 2019

Lacework is receiving $42 million from Sutter Hill Ventures and Liberty Global Ventures.

September 11, 2019

Clubhouse released a fully featured Free Plan that offers the full power of its flagship product to teams up to 10 people.

September 11, 2019

Sectigo released integrations with five of the most popular DevOps configuration management and container orchestration platforms.

September 11, 2019

Kong announced the release of a new open source project called Kuma.

September 10, 2019

Parasoft is excited to announce that Parasoft SOAtest, an API and UI functional testing solution, has won a 2019 API Award in the Best in Microservices Infrastructure category.

September 10, 2019

Cohesity announced the launch of Cohesity Agile Dev and Test, a new solution that addresses a key bottleneck organizations face in building applications at speed.

September 10, 2019

Split Software announced the addition of Feature Monitoring, an automated detection capability for its feature delivery platform that reduces detection times of errors in a code release.

September 09, 2019

US Signal announced the launch of its managed Website and Application Security Solution.

September 09, 2019

Tasktop announced that Jama Software is now offering the cloud version of its Tasktop Integration Hub for Jama Connect to automate and visualize the flow of product-critical information across the software delivery value stream.

September 09, 2019

Mesosphere announced a significant expansion in strategy and product portfolio as well as a new company name - D2iQ.