3 Steps to Building Container Security
July 5, 2016
Featured article by Randy Kilmon, Vice President of Engineering, Black Duck Software
Containers are one of the hottest areas in IT. The use of containers in production environments has skyrocketed, and container technology is poised to become the dominant architecture for application development and deployment in the very near future. A new report from the Cloud Foundry Foundation shows that while 16 percent of the 700+ companies surveyed are already using containers in production, that figure is expected to reach a staggering 64 percent by 2017. Another survey of global IT professionals commissioned by Red Hat through TechValidate backs those figures, with 67 percent of respondents planning production roll-outs over the next two years.
Survey after survey demonstrates that enterprises are eager to embrace container technology because of its economic and productivity benefits. But those same surveys also reveal many enterprises still remain hesitant to adopt containers because security remains a question. Businesses may want the agility of containers but won’t risk their mission-critical systems and applications unless they have reasonable assurance that containers and their components are secure. That only makes sense. Who wants to be the next company on the nightly news headlined as the latest victim of a serious security breach?
Container providers such as Docker and Red Hat are aggressively moving towards reassuring the marketplace about container security. Indeed, just a few days ago, Red Hat launched a new container scanning interface to enable security platforms such as the Black Duck Hub and the OpenSCAP scanner to easily plug into the Red Hat OpenShift Container Platform to enable users to more easily see what’s running inside their containers and whether the latest security updates have been applied.
Steps to Container Security
Three major steps concerning container security that need to be addressed are:
1. Certification and Provenance – You must ensure that all application code within the container originated with a known and trusted publisher.
2. Vulnerabilities – You must verify that the container’s contents won’t introduce serious vulnerabilities.
3. Management throughout the Application Lifecycle – You must establish a security management process across the entire lifecycle of a containerized application, from development to deployment.
Whether building applications for containers or traditional deployment, it’s critical to use security testing tools to gain visibility into and identify vulnerabilities in your code. Equally important is the need to understand the components (including open source) in the applications, and any risk that may be introduced by those components. Without that visibility, organizations risk exposing their containerized applications to attack.
“Doveryai, no proveryai” (Trust, but verify)
Doveryai, no proveryai (“Trust, but verify”) is an old Russian proverb that President Ronald Reagan used during arms control negotiations with the Soviet Union, and it is equally relevant to container technology today. Past scans of popular repositories have shown that images contain unpatched open source vulnerabilities, demonstrating the need to establish the precise contents of any image you pull from a repository. As Red Hat notes in its Container Security Guide, to trust any image from the cloud you need some sort of provenance, which can be signified by a signature over the image identifying its source.
While establishing provenance is important, it’s definitely not enough. Even signed images from trusted sources can contain undiscovered security vulnerabilities which may be exploited later. While you might have trusted a container image when it was first produced, that same container and its contents can become dicey over time. New vulnerabilities are identified daily, and your container image is only as secure as the code and dependencies it contains. Continuous and real-time monitoring for vulnerabilities, mapped to a known vulnerability database, is a paramount requirement.
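The two checks this section and the three steps above describe, as an added Go example that is not from the article, Red Hat or Black Duck: a publisher signs the image digest with Ed25519, and the consumer admits the image only if the signature verifies under a trusted publisher's key and none of its components maps to an entry in a vulnerability database. The manifest shape, publisher name, key pair, component list and advisory id are constructed placeholders, not real data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Reduced image manifest (constructed shape, not the OCI format): layer bytes
// plus a bill of materials listing each shipped component.
type Component struct{ Name, Version string }
type Image struct {
	Layers     [][]byte
	Components []Component
}

// Digest covers layers and the component list, so tampering with either breaks the signature.
func (img Image) Digest() []byte {
	h := sha256.New()
	for _, l := range img.Layers {
		h.Write(l)
	}
	for _, c := range img.Components {
		h.Write([]byte(c.Name + "@" + c.Version + "\n"))
	}
	return h.Sum(nil)
}

// Sign is the publisher side: an Ed25519 signature over the image digest.
func Sign(priv ed25519.PrivateKey, img Image) []byte { return ed25519.Sign(priv, img.Digest()) }

// Admit is the consumer side: provenance first, then each component looked up in a
// vulnerability database keyed "name@version"; rejection reasons are returned for logging.
func Admit(trusted map[string]ed25519.PublicKey, publisher string, img Image, sig []byte, vulnDB map[string][]string) (ok bool, reasons []string) {
	if pub, known := trusted[publisher]; !known || !ed25519.Verify(pub, img.Digest(), sig) {
		return false, []string{"provenance check failed for publisher " + publisher}
	}
	for _, c := range img.Components {
		for _, id := range vulnDB[c.Name+"@"+c.Version] {
			reasons = append(reasons, c.Name+"@"+c.Version+": "+id)
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	img := Image{[][]byte{[]byte("base"), []byte("app")}, []Component{{"openssl", "1.0.1e"}}}
	vulnDB := map[string][]string{"openssl@1.0.1e": {"PLACEHOLDER-ADVISORY-1"}} // constructed
	fmt.Println(Admit(map[string]ed25519.PublicKey{"acme": pub}, "acme", img, Sign(priv, img), vulnDB))
}
```

A signed image that passed when first published still fails Admit once its components gain a database entry, which is the continuous-monitoring point made above.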
Summing Up
To fully benefit from containers, employing tools to ensure the security and integrity of container deployments is essential. Applications deployed via container platforms must be certified prior to deployment to ensure that the code they contain originated with a known and trusted publisher. But merely verifying the provenance of containerized application code is not enough. Security issues such as exploitable vulnerabilities in application components require a process for assessing the security of your containerized applications throughout their full lifecycle.
The potential of containers is significant, but will only be fully realized if container security – understanding what’s inside the container, and being able to detect and address vulnerabilities – is addressed.