How Do Containerized Applications Stack Up Against Security? - Part 2
February 28, 2019

Taylor Armerding
Synopsys

To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. Given the risks listed in Part 1 of this blog, container security presents unique challenges. But the right tools, practices, and strategies can overcome them. As is the case with any security initiative, there is no silver bullet that will guarantee security of containerized applications, so organizations should use a combination of techniques and solutions suited to their IT governance requirements.

Start with How Do Containerized Applications Stack Up Against Security? - Part 1

Here are some common approaches, including their pros and cons:

Conduct manual reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it's experimenting with containers.

But it takes time to determine which processes and technologies are appropriate for a container environment, so the manual process works well only for small, proof-of-concept deployments. In short, it doesn't scale, which means it becomes ineffective as organizations move more of their container applications into production.

So, as NIST points out, it is important to have dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave security gaps.

Run containers on virtual machines

One of the multiple benefits of containers is that their runtimes can run anywhere, including within the technology they are disrupting: VMs. So some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications.

But while this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Container runtime security

Runtime security solutions are a good way to detect and block malicious activity in running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. Those models establish what activities are normal, so when something is abnormal — and possibly malicious — it is detected.

Container patch management

In contrast to runtime security, container patch management is proactive — it is a way to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

As security experts have been saying for decades, you can't patch what you don't know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, it is critical to know the composition of an image. Considering that most container applications are Linux -based, an effective open source governance process is key to recognizing latent issues within images.

There is plenty of evidence for how crucial that is in the 2018 Synopsys Open Source Security and Risk Analysis report, which found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given those numbers, no organization can expect to track all its open source components and any associated vulnerabilities manually.

Beyond that, it's important to note that existing patch management strategies may increase risk when applied to containers. "Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale," Mackey said. "A far more effective model is to treat a patch like an application update and update the container image, which would then be deployed using an update strategy. The net result would be a more secure deployment paradigm."

The Bottom line

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks — regardless of source.

Since no single tool will completely secure container clusters, organizations should look for container security solutions that are integrated with their chosen orchestration solution. This model benefits from defense-in-depth — using different techniques to address some of the risks posed by containerization.

Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. And vulnerability management solutions can help organizations proactively reduce risk, automatically identifying known vulnerabilities and removing them from their clusters, which will reduce potential attack vectors at scale.

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

April 08, 2020

JFrog is launching the FrogCare program for companies and organizations who are actively researching and fighting COVID-19.

April 08, 2020

Split Software announced a pre-built integration with mParticle, a customer data platform for enterprise B2C brands.

April 08, 2020

SmartBear announced the acquisition of Test Management for Jira (TM4J), an user-rated QA and test management app in Jira for enterprise teams, from London-based Adaptavist.

April 07, 2020

Docker has open sourced the Compose Specification into a standalone organization on GitHub with open governance.

April 07, 2020

AppGyver, a Finnish software company, is unveiling its new Composer Pro product to the public after four years of quiet development.

April 07, 2020

Red Hat named Paul Cormier as President and CEO of Red Hat.

April 06, 2020

Alcide announced that the Alcide Kubernetes Security Platform now supports HIPAA compliance scans.

April 06, 2020

Copado announced the immediate availability of free access to its platform for anyone working on applications to fight COVID-19.

April 06, 2020

JourneyApps will open its low-code app development platform at no charge to state governments, healthcare agencies and NGOs fighting the rapidly-spreading COVID-19 pandemic.

April 02, 2020

VMware announced the general availability of VMware vSphere 7, the biggest evolution of vSphere in over a decade.

April 02, 2020

Grafana Labs announced that Cortex v1.0 is generally available for production use.

April 02, 2020

IT Revolution announced new dates, extended pricing and its first round of confirmed speakers for DevOps Enterprise Summit Las Vegas 2020. Hosted at The Cosmopolitan of Las Vegas, DevOps Enterprise Summit will now take place November 9-11, 2020.

April 01, 2020

Compuware Corporation announced new capabilities that enable application development teams to automate performance tests early in the development lifecycle, helping large enterprises speed time to market and improve application performance—while decreasing the significant and unnecessary cost of wasted time.

April 01, 2020

PlanetScale released the newest version of PlanetScaleDB, a multi-cloud database.

April 01, 2020

Datawire announced the newest release of Ambassador Edge Stack that is designed to speed up the inner development loop.