webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
How Do Containerized Applications Stack Up Against Security? - Part 1
February 27, 2019
A good container has to do at least two things well: hold what it's supposed to hold, and not leak. That's true of digital containers that hold applications as well.
So if you're thinking of adopting a technology like containers, one obvious question ought to be: Does it mitigate or reduce security risks and leaks of an organization's data?
Containers are increasingly popular, for good reason. They offer multiple benefits, including portability, easy deployment, and consumption of fewer system resources. But they are also effectively a new layer in the application stack, which requires a new way of thinking about application security. In its Application Container Security Guide(link is external), NIST points out that as containers revolutionize application deployment, organizations must adapt their security strategies to new, dynamic production environments.
That's because containers and the applications they hold can be just as vulnerable to attacks as traditional applications. To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. If you don't know the risks, how can you avoid them? Here are a few:
Isolation
All isolations are not created equal. Container isolation differs significantly from virtual machine (VM) isolation. In VM systems, hypervisor isolation limits the ability of an attacker to move laterally within an application stack if an application is breached.
But containerized applications don't require hypervisors; they share elements of the host operating system's kernel. Some organizations worry, understandably, that if they deploy container-based applications, a breach could expose more of their sensitive data than it would if they used VMs (since different containers running on the same server could have access to different data).
Runtime complexities
The dynamic nature of containers introduces new runtime complexities that application deployment teams must understand and manage. Container orchestration systems like Kubernetes are designed to quickly provision replicated instances of a container image. Containerized applications consist of one or more container images coupled to form the functionality required by the application.
This leads to the topic of application scalability — a function of the quantity of specific container images deployed at any given point. When a new feature is ready for deployment, the application owner creates an update strategy to ensure any existing users of the application aren't affected by the update. This update strategy defines the percentage of images to roll forward with the update, as well as how a rollback might occur if errors are discovered.
Also, the dynamic nature of containerized deployments makes monitoring for malicious behavior or unauthorized access more difficult than in a traditional IT environment. Containerized applications often have different resource requests that are shared at the host server level.
To overcome that difficulty, IT operations and security teams should become partners with their development teams. Information sharing among them will help them understand expected behavior for the application.
Patch management
Most container applications are created from base images — essentially limited, lightweight operating systems. Application container images combine a base image with application-specific elements, such as frameworks, runtimes, and the applications themselves. Each element is a layer within the image. The contents of these layers can harbor software vulnerabilities, which makes them an attractive attack surface.
Consequently, traditional application security that focuses on testing the application is not enough. Security testing of containerized applications must also address vulnerabilities latent within the layers of the image. This is because, unless there are restrictions to the contrary, any executable element within a container image can be executed — even if it's not part of the application's requirements.
As Tim Mackey, technical evangelist at Synopsys, puts it, "Treat each container image as if it were a full operating system, and identify security issues as you would for any virtual machine or server. Remediation of those issues will need a different process, one that takes advantage of capabilities within containerized environments."
It's not enough simply to scan container images, given that some clusters exceed 10,000 images. Organizations must continue to monitor for newly discovered vulnerabilities in any layer — without degrading performance.
Read How Do Containerized Applications Stack Up Against Security? - Part 2
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
