How Do Containerized Applications Stack Up Against Security? - Part 2
February 28, 2019

Taylor Armerding
Synopsys

To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make their containers leak. Given the risks listed in Part 1 of this blog, container security presents unique challenges. But the right tools, practices, and strategies can overcome them. As is the case with any security initiative, there is no silver bullet that will guarantee the security of containerized applications, so organizations should use a combination of techniques and solutions suited to their IT governance requirements.

Start with How Do Containerized Applications Stack Up Against Security? - Part 1

Here are some common approaches, including their pros and cons:

Conduct manual reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it's experimenting with containers.

But it takes time to determine which processes and technologies are appropriate for a container environment, so the manual process works well only for small, proof-of-concept deployments. In short, it doesn't scale, which means it becomes ineffective as organizations move more of their container applications into production.

So, as NIST points out, it is important to have dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave security gaps.

Run containers on virtual machines

One of the multiple benefits of containers is that their runtimes can run anywhere, including within the technology they are disrupting: VMs. So some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications.

But while this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Container runtime security

Runtime security solutions are a good way to detect and block malicious activity in running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. Those models establish what activities are normal, so when something is abnormal — and possibly malicious — it is detected.
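The following Python sketch is an added example, not code from the article or from any runtime security product. It shows the baselining idea described above: learn per-application activity during a trusted window, then flag anything outside the model. The event tuples, application names, and targets are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (phase, application, kind, detail).
# "learn" events come from a trusted baselining window; "enforce" events
# arrive afterwards and are checked against the learned model.
EVENTS = [
    ("learn", "web", "net_connect", "10.0.0.5:5432"),
    ("learn", "web", "net_connect", "10.0.0.9:6379"),
    ("learn", "batch", "net_connect", "10.0.0.5:5432"),
    ("learn", "batch", "login", "svc-deploy"),
    ("enforce", "web", "net_connect", "10.0.0.5:5432"),
    ("enforce", "web", "login", "root"),
    ("enforce", "web", "net_connect", "host-node:22"),
    ("enforce", "batch", "login", "svc-deploy"),
    ("enforce", "cache", "net_connect", "10.0.0.9:6379"),
]

def build_baseline(events):
    """Model of normal activity: application -> kind -> set of details seen."""
    model = defaultdict(lambda: defaultdict(set))
    for phase, app, kind, detail in events:
        if phase == "learn":
            model[app][kind].add(detail)
    return model

def detect(events, model):
    """Return (app, kind, detail, reason) for enforce-phase events outside the model."""
    alerts = []
    for phase, app, kind, detail in events:
        if phase != "enforce":
            continue
        if app not in model:
            reason = "unprofiled application"
        elif kind not in model[app]:
            reason = "activity type never seen for this application"
        elif detail not in model[app][kind]:
            reason = "new target for a known activity type"
        else:
            continue  # matches the baseline, nothing to report
        alerts.append((app, kind, detail, reason))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(EVENTS)):
        print(alert)
```

Keeping the model per application matters here: a login by `svc-deploy` is normal for `batch` but any login at all is an anomaly for `web`.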

Container patch management

In contrast to runtime security, container patch management is proactive — it is a way to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

As security experts have been saying for decades, you can't patch what you don't know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, it is critical to know the composition of an image. Considering that most container applications are Linux-based, an effective open source governance process is key to recognizing latent issues within images.

There is plenty of evidence for how crucial that is in the 2018 Synopsys Open Source Security and Risk Analysis report, which found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given those numbers, no organization can expect to track all its open source components and any associated vulnerabilities manually.

Beyond that, it's important to note that existing patch management strategies may increase risk when applied to containers. "Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale," Mackey said. "A far more effective model is to treat a patch like an application update and update the container image, which would then be deployed using an update strategy. The net result would be a more secure deployment paradigm."
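As an added illustration (not code from the article or from Synopsys), the Python sketch below ties the two points in this section together: it resolves what each image actually contains, including components inherited from its base image, and turns advisory matches into a list of images to rebuild and deployments to roll, rather than patching running containers. All image names, component names, versions, and advisory ids are constructed placeholders, and versions are assumed to be dotted integers.

```python
# Constructed inventory; every name, version and advisory id is a placeholder.
IMAGES = {
    "base/os:1":    {"parent": None,        "components": {"libfoo": "1.1.0", "libbaz": "1.2.11"}},
    "shop/web:7":   {"parent": "base/os:1", "components": {"libbar": "2.9.4"}},
    "shop/api:3":   {"parent": "base/os:1", "components": {"libfoo": "1.1.2"}},  # overrides base
    "tools/cron:2": {"parent": None,        "components": {"libbaz": "1.2.11"}},
}
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "libfoo", "fixed_in": "1.1.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "libbar", "fixed_in": "2.9.10"},
]
RUNNING = {"storefront": "shop/web:7", "orders": "shop/api:3", "nightly": "tools/cron:2"}

def version_key(version):
    """Compare dotted numeric versions as integers, so 2.9.10 sorts above 2.9.4."""
    return tuple(int(part) for part in version.split("."))

def effective_components(image, images):
    """Components present in an image, including those inherited from its base chain."""
    chain = []
    while image is not None:
        chain.append(images[image])
        image = images[image]["parent"]
    merged = {}
    for layer in reversed(chain):  # base first, so a child's version overrides it
        merged.update(layer["components"])
    return merged

def rebuild_plan(images, advisories, running):
    """Map each affected image to its advisories and the deployments to roll afterwards."""
    plan = {}
    for name in images:
        have = effective_components(name, images)
        hits = sorted(
            a["id"] for a in advisories
            if a["component"] in have
            and version_key(have[a["component"]]) < version_key(a["fixed_in"])
        )
        if hits:
            plan[name] = {
                "advisories": hits,
                "redeploy": sorted(d for d, img in running.items() if img == name),
            }
    return plan

if __name__ == "__main__":
    for image, actions in rebuild_plan(IMAGES, ADVISORIES, RUNNING).items():
        print(image, actions)
```

Note that `shop/web:7` is flagged for a `libfoo` issue it never declared itself, because the component arrives through its base image; a plain string comparison would also have missed the `libbar` match, since "2.9.4" sorts after "2.9.10" as text.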

The bottom line

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks — regardless of source.

Since no single tool will completely secure container clusters, organizations should look for container security solutions that are integrated with their chosen orchestration solution. This model benefits from defense-in-depth — using different techniques to address some of the risks posed by containerization.

Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. And vulnerability management solutions can help organizations proactively reduce risk, automatically identifying known vulnerabilities and removing them from their clusters, which will reduce potential attack vectors at scale.

Taylor Armerding is Senior Security Strategist at Synopsys