How Do Containerized Applications Stack Up Against Security? - Part 2
February 28, 2019

Taylor Armerding
Synopsys

To design an effective container security strategy, organizations first need to understand the risks that attackers could exploit to make them leak. Given the risks listed in Part 1 of this blog, container security presents unique challenges. But the right tools, practices, and strategies can overcome them. As is the case with any security initiative, there is no silver bullet that will guarantee security of containerized applications, so organizations should use a combination of techniques and solutions suited to their IT governance requirements.

Start with How Do Containerized Applications Stack Up Against Security? - Part 1

Here are some common approaches, including their pros and cons:

Conduct manual reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it's experimenting with containers.

But it takes time to determine which processes and technologies are appropriate for a container environment, so the manual process works well only for small, proof-of-concept deployments. In short, it doesn't scale, which means it becomes ineffective as organizations move more of their container applications into production.

So, as NIST points out, it is important to have dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave security gaps.

Run containers on virtual machines

One of the multiple benefits of containers is that their runtimes can run anywhere, including within the technology they are disrupting: VMs. So some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications.

But while this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Container runtime security

Runtime security solutions are a good way to detect and block malicious activity in running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. Those models establish what activities are normal, so when something is abnormal — and possibly malicious — it is detected.

Container patch management

In contrast to runtime security, container patch management is proactive — it is a way to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

As security experts have been saying for decades, you can't patch what you don't know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, it is critical to know the composition of an image. Considering that most container applications are Linux -based, an effective open source governance process is key to recognizing latent issues within images.

There is plenty of evidence for how crucial that is in the 2018 Synopsys Open Source Security and Risk Analysis report, which found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given those numbers, no organization can expect to track all its open source components and any associated vulnerabilities manually.

Beyond that, it's important to note that existing patch management strategies may increase risk when applied to containers. "Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale," Mackey said. "A far more effective model is to treat a patch like an application update and update the container image, which would then be deployed using an update strategy. The net result would be a more secure deployment paradigm."

The Bottom line

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks — regardless of source.

Since no single tool will completely secure container clusters, organizations should look for container security solutions that are integrated with their chosen orchestration solution. This model benefits from defense-in-depth — using different techniques to address some of the risks posed by containerization.

Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. And vulnerability management solutions can help organizations proactively reduce risk, automatically identifying known vulnerabilities and removing them from their clusters, which will reduce potential attack vectors at scale.

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.

November 18, 2024

Elastic announced its AI ecosystem to help enterprise developers accelerate building and deploying their Retrieval Augmented Generation (RAG) applications.

Read the full news on APMdigest

November 18, 2024

Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes, as well as the technology preview of Red Hat OpenShift Lightspeed.

November 18, 2024

Traefik Labs announced API Sandbox as a Service to streamline and accelerate mock API development, and Traefik Proxy v3.2.