How Do Containerized Applications Stack Up Against Security? - Part 2
February 28, 2019

Taylor Armerding
Synopsys

To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. Given the risks listed in Part 1 of this blog, container security presents unique challenges. But the right tools, practices, and strategies can overcome them. As is the case with any security initiative, there is no silver bullet that will guarantee security of containerized applications, so organizations should use a combination of techniques and solutions suited to their IT governance requirements.

Start with How Do Containerized Applications Stack Up Against Security? - Part 1

Here are some common approaches, including their pros and cons:

Conduct manual reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it's experimenting with containers.

But it takes time to determine which processes and technologies are appropriate for a container environment, so the manual process works well only for small, proof-of-concept deployments. In short, it doesn't scale, which means it becomes ineffective as organizations move more of their container applications into production.

So, as NIST points out, it is important to have dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave security gaps.

Run containers on virtual machines

One of the multiple benefits of containers is that their runtimes can run anywhere, including within the technology they are disrupting: VMs. So some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications.

But while this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Container runtime security

Runtime security solutions are a good way to detect and block malicious activity in running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. Those models establish what activities are normal, so when something is abnormal — and possibly malicious — it is detected.

Container patch management

In contrast to runtime security, container patch management is proactive — it is a way to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

As security experts have been saying for decades, you can't patch what you don't know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, it is critical to know the composition of an image. Considering that most container applications are Linux -based, an effective open source governance process is key to recognizing latent issues within images.

There is plenty of evidence for how crucial that is in the 2018 Synopsys Open Source Security and Risk Analysis report, which found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given those numbers, no organization can expect to track all its open source components and any associated vulnerabilities manually.

Beyond that, it's important to note that existing patch management strategies may increase risk when applied to containers. "Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale," Mackey said. "A far more effective model is to treat a patch like an application update and update the container image, which would then be deployed using an update strategy. The net result would be a more secure deployment paradigm."

The Bottom line

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks — regardless of source.

Since no single tool will completely secure container clusters, organizations should look for container security solutions that are integrated with their chosen orchestration solution. This model benefits from defense-in-depth — using different techniques to address some of the risks posed by containerization.

Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. And vulnerability management solutions can help organizations proactively reduce risk, automatically identifying known vulnerabilities and removing them from their clusters, which will reduce potential attack vectors at scale.

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

September 16, 2019

Oracle announced the general availability of Java SE 13 (JDK 13).

September 16, 2019

Data Intensity launched its Automation-as-a-Service offering.

September 16, 2019

Mobile Labs launched the final addition to its mobile device cloud suite: GigaFox Red and GigaFox Silver.

September 12, 2019

Rafay Systems announced the general availability of its turnkey, SaaS-based offering designed to confront a complex set of ongoing challenges enterprises and service providers face when modernizing their applications.

September 12, 2019

StackRox announced the availability of the StackRox App for the Sumo Logic Continuous Intelligence Platform.

September 12, 2019

Lacework is receiving $42 million from Sutter Hill Ventures and Liberty Global Ventures.

September 11, 2019

Clubhouse released a fully featured Free Plan that offers the full power of its flagship product to teams up to 10 people.

September 11, 2019

Sectigo released integrations with five of the most popular DevOps configuration management and container orchestration platforms.

September 11, 2019

Kong announced the release of a new open source project called Kuma.

September 10, 2019

Parasoft is excited to announce that Parasoft SOAtest, an API and UI functional testing solution, has won a 2019 API Award in the Best in Microservices Infrastructure category.

September 10, 2019

Cohesity announced the launch of Cohesity Agile Dev and Test, a new solution that addresses a key bottleneck organizations face in building applications at speed.

September 10, 2019

Split Software announced the addition of Feature Monitoring, an automated detection capability for its feature delivery platform that reduces detection times of errors in a code release.

September 09, 2019

US Signal announced the launch of its managed Website and Application Security Solution.

September 09, 2019

Tasktop announced that Jama Software is now offering the cloud version of its Tasktop Integration Hub for Jama Connect to automate and visualize the flow of product-critical information across the software delivery value stream.

September 09, 2019

Mesosphere announced a significant expansion in strategy and product portfolio as well as a new company name - D2iQ.