The first steps to improving container security

Despite their popularity, containerization can be vulnerable to security flaws. How can organizations begin to mitigate them?
12 February 2019

Image caption: Containers are still a popular choice in software development.

Software containers saw rapid adoption in development circles some years ago, and they’re still enjoying a degree of that hype.

Since the likes of Docker made them accessible and enterprise-ready (not just the preserve of the development strategies of cloud giants Google and Uber, for example), businesses of all sizes have flocked to the technology. According to ESG Research, container-type technologies are on track to make up a third of hybrid cloud production workloads by 2020.

Put simply, a container is a standard unit of software that packages up code and all its dependencies (runtime, system tools, system libraries and settings) so the application runs quickly, reliably and consistently from one computing environment to another, regardless of differences between the development machine and the staging or production platform.

All containers on a host share that host's single operating system kernel, which is what makes them more lightweight than virtual machines (VMs). Containers are created from ‘images’ that specify their precise contents, and those images are often formed by combining and modifying standard base images and/or microservices downloaded from public repositories.

But as container technology continues to gather speed, and companies adopt it as a lightweight and uniform development method, the simplicity and efficiency offered by containerization may not have been matched by an adequate level of security.

In fact, ESG also found that more than a third (35 percent) of organizations state that current server security solutions do not support container functionality. Instead, separate technologies are required, which can be costly and complex to maintain.

At the same time, specialized tools are often required to verify that the contents of container registries meet their organization’s security and compliance requirements.

“Containers have almost become the ubiquitous method of packaging and deploying applications,” says Sathyajith Bhat, senior DevOps engineer at Adobe.

“While containers are perceived to be completely isolated and secure methods of running your application, the reality is that containers are not completely foolproof and are susceptible to many attack vectors.”

While there are plenty of new, fast-evolving container security upstarts emerging, the same research found 33 percent of companies cited a lack of mature solutions available. Meanwhile, the majority of IT security professionals claim they do not have the tools to monitor transient containers and microservices that could be susceptible to ‘in motion’ compromises.

Certain measures can be taken at build time, such as scanning containers when a change is pushed and, where the scan fails, blocking the image from being published to the container registry. Additionally, building images in-house can mitigate threats like hidden cryptominers in third-party images, but invariably there will be occasions when containers have to be made secure very late in the development cycle.

According to Forrester, however, there are steps that should be taken in order to tighten existing container security. That includes adhering to “10 distinct controls”, including using trusted images, reducing clutter, signing images and verifying signatures, enforcing secrets management, segmenting the network, authenticating users, scanning for vulnerabilities, hardening the OS, governing operations, and implementing intrusion detection.
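Several of the Forrester controls listed above (trusted images, reducing clutter, secrets management, OS hardening) and the build-time gate described in the preceding paragraph can be checked mechanically against a Dockerfile before an image is ever built or pushed. The following is an added example, not code from the article, Forrester or ESG: a small policy checker that flags base images not pinned by digest, secrets embedded via ENV or ARG, downloads piped straight into a shell, package installs that pull in recommended extras, and images that never drop to a non-root USER. The regular expressions are heuristics chosen for this example, and both sample Dockerfiles (including the all-zero digest) are constructed here for illustration.

```python
"""Dockerfile policy checks for a build-time gate (added example, not the article's code)."""
import re

# Constructed sample input: a Dockerfile that violates several of the controls.
WEAK_DOCKERFILE = """\
FROM node:latest
ENV DB_PASSWORD=hunter2
RUN curl -fsSL https://example.invalid/install.sh | sh
RUN apt-get update && apt-get install -y vim gcc
COPY . /app
CMD ["node", "/app/server.js"]
"""

# Constructed sample input: the same service with the controls applied.
# The sha256 digest is a placeholder value, not a real image digest.
HARDENED_DOCKERFILE = """\
FROM node:18-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S app && adduser -S app -G app
COPY --chown=app:app . /app
USER app
CMD ["node", "/app/server.js"]
"""

# Heuristic patterns (assumptions for this example, tune to local policy).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")


def check_dockerfile(text: str) -> list[str]:
    """Return a list of human-readable policy findings; an empty list means the file passes."""
    findings: list[str] = []
    last_user = "root"  # Docker's default when no USER instruction is present
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        rest = parts[1] if len(parts) > 1 else ""

        if instr == "FROM":
            # Drop flags such as --platform and the optional "AS stage" suffix.
            tokens = [t for t in rest.split() if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            # "scratch" is an empty image with nothing to pin.
            if image != "scratch" and not DIGEST_RE.search(image):
                findings.append(f"line {lineno}: base image '{image}' is not pinned by digest (trusted images)")
        elif instr in ("ENV", "ARG"):
            if SECRET_NAME_RE.search(rest):
                name = rest.split("=", 1)[0].strip()
                findings.append(f"line {lineno}: {instr} appears to embed a secret in the image ({name})")
        elif instr == "RUN":
            if PIPE_TO_SHELL_RE.search(rest):
                findings.append(f"line {lineno}: RUN pipes a download straight into a shell (untrusted content)")
            if "apt-get install" in rest and "--no-install-recommends" not in rest:
                findings.append(f"line {lineno}: apt-get install without --no-install-recommends adds clutter")
        elif instr == "USER":
            last_user = rest.strip()

    if last_user in ("root", "0"):
        findings.append("no non-root USER set: the container will run as root (hardening)")
    return findings


def gate(text: str) -> bool:
    """True when the Dockerfile may proceed to build/push, False when the pipeline should block it."""
    return not check_dockerfile(text)


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"[{name}] gate passes: {gate(df)}")
        for finding in check_dockerfile(df):
            print("  -", finding)
```

Wired into CI, `gate()` returning False is the point at which the pipeline should refuse to publish the image to the registry; vulnerability scanning of the built layers and signature verification of the base image remain separate steps that this static check does not replace.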

With that in mind, before companies “go shopping” for methods of making their container security more robust, Forrester suggests organizations should take stock of what they have, as developers may already have the tools at hand to cover off many of those 10 required controls.

After this review, companies should then review which of the various container security platforms are required to cover missing capabilities while minimizing the number of solutions they’re onboarding, and ensuring that all are compatible with the developer’s automation tools.

Companies will then have to select container security platforms to cover any capabilities that remain missing, and should avoid stitching together a patchwork of vendor solutions.