How Do Containerized Applications Stack Up Against Security? - Part 2
February 28, 2019

Taylor Armerding
Synopsys

To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. Given the risks listed in Part 1 of this blog, container security presents unique challenges. But the right tools, practices, and strategies can overcome them. As is the case with any security initiative, there is no silver bullet that will guarantee security of containerized applications, so organizations should use a combination of techniques and solutions suited to their IT governance requirements.

Start with How Do Containerized Applications Stack Up Against Security? - Part 1

Here are some common approaches, including their pros and cons:

Conduct manual reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it's experimenting with containers.

But it takes time to determine which processes and technologies are appropriate for a container environment, so the manual process works well only for small, proof-of-concept deployments. In short, it doesn't scale, which means it becomes ineffective as organizations move more of their container applications into production.

So, as NIST points out, it is important to have dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave security gaps.

Run containers on virtual machines

One of the multiple benefits of containers is that their runtimes can run anywhere, including within the technology they are disrupting: VMs. So some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications.

But while this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Container runtime security

Runtime security solutions are a good way to detect and block malicious activity in running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. Those models establish what activities are normal, so when something is abnormal — and possibly malicious — it is detected.

Container patch management

In contrast to runtime security, container patch management is proactive — it is a way to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

As security experts have been saying for decades, you can't patch what you don't know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, it is critical to know the composition of an image. Considering that most container applications are Linux -based, an effective open source governance process is key to recognizing latent issues within images.

There is plenty of evidence for how crucial that is in the 2018 Synopsys Open Source Security and Risk Analysis report, which found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given those numbers, no organization can expect to track all its open source components and any associated vulnerabilities manually.

Beyond that, it's important to note that existing patch management strategies may increase risk when applied to containers. "Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale," Mackey said. "A far more effective model is to treat a patch like an application update and update the container image, which would then be deployed using an update strategy. The net result would be a more secure deployment paradigm."

The Bottom line

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks — regardless of source.

Since no single tool will completely secure container clusters, organizations should look for container security solutions that are integrated with their chosen orchestration solution. This model benefits from defense-in-depth — using different techniques to address some of the risks posed by containerization.

Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. And vulnerability management solutions can help organizations proactively reduce risk, automatically identifying known vulnerabilities and removing them from their clusters, which will reduce potential attack vectors at scale.

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

October 22, 2020

Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.

October 22, 2020

Harness announced two new modules: Continuous Integration Enterprise and Continuous Features.

October 22, 2020

Render announced automatic preview environments which are essential for rapid and collaborative development of modern applications.

October 21, 2020

Conducto is launching a toolkit for simplifying complex CI/CD and data science pipelines, having raised $3 million in seed funding led by Jump Capital.

October 21, 2020

Snyk Intel vulnerability database will be integrated into IBM Cloud security capabilities to enhance security for enterprise workloads.

October 21, 2020

Accurics announced $20 million across seed and series A financing raised in the past six months, with Intel Capital leading the Series A and ClearSky leading the seed.

October 20, 2020

Splunk announced the Splunk Observability Suite, the most comprehensive and powerful combination of monitoring, investigation, and troubleshooting solutions designed to help organizations become cloud-ready and accelerate their digital transformation.

October 20, 2020

Tricentis announced Vision AI, the core technology that will now power Tosca.

October 20, 2020

MuseDev has extended its code analysis platform to deliver bug reports via Github's code scanning UI.

October 20, 2020

Digital Shadows announced the ability to detect exposed access keys.

October 19, 2020

StackRox and Robin.io announced a new partnership bringing together Robin’s application-focused approach to Kubernetes data management with StackRox’s Kubernetes-native security and compliance capabilities.

October 19, 2020

PubNub announced new Chat UI Kits to streamline chat development.

October 19, 2020

Secure Code Warrior announced support for GitHub’s new code scanning functionality in conjunction with a new collaboration with Snyk.

October 15, 2020

Couchbase announced version 2.8 of Couchbase Lite and Couchbase Sync Gateway for mobile and edge computing applications.

October 15, 2020

Kong unveiled the private beta release of Kong Konnect, a full-stack platform for cloud native applications delivered as a service.