The complexities of developing secure software aren't lost on anyone in the business world. One tool development teams have used to adapt to today's challenging environment is software containers, which allow applications to run reliably on different platforms and systems.
Today, organizations use containers to address a wide range of development and testing tasks. What's more, as DevOps and other Agile initiatives have taken root, containers have become a crucial element in building a fast and flexible digital framework.
But software containers may lack the security required for today's complex development environments. We believe that an April 2017 Forrester report, Ten Basic Steps To Secure Software Containers, highlights that security must be at the center of any initiative involving containers, including the popular Docker platform.
While containers promote standardization, they also introduce significant risks. For example, in the report cited above, Forrester noted that in 2017, a newly identified Linux kernel vulnerability dubbed "dirty cow" had gone undiscovered for nine years. Suddenly, security leaders found themselves scrambling to patch systems and limit their risk exposure to this vulnerability.
In our view, the Forrester report suggests that a proactive approach to security offers clear benefits. It speeds processes by eliminating configuration differences and allows developers to work more efficiently across systems while maintaining essential controls. By using security controls that are unique to containers, security pros can better adapt application security to different architectures.
10 Steps to Success with Containers
The report from Forrester offers 10 ways to harden containers and protect an enterprise. Here is our take on these ten steps, along with our thoughts on what each of them implies:
Use private container repositories. Rely only on trusted public registries such as Docker Store or Red Hat's certified containers. Create a companywide registry and use quality gates within the application lifecycle to limit code to trusted images.
Eliminate image clutter. Continuously monitor what's inside the containers. Use quality gates that are included in the software delivery lifecycle, and software composition analysis (SCA) tools or vulnerability scanners.
Mandate only signed images for shared repositories. Make sure that every container is signed to ensure that developed images match those that are tested and deployed. This practice is extremely important for public registries stored in the cloud.
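The three steps above amount to an admission gate on image references: only images from approved registries, and only images pinned to a content digest so the bytes that were tested are the bytes that get deployed. The following Python is an added example (it is not code from the Forrester report or from Veracode) of such a gate. The trusted-registry list and the sample references are constructed for illustration; real signature verification (Docker Content Trust, or a similar signing tool) would sit alongside this check and is not reproduced here.

```python
"""Image admission gate: trusted registry plus digest pinning.

Added example; the policy values below are constructed assumptions,
not the report's or any vendor's recommendations.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy: registries the organization has approved (assumption).
TRUSTED_REGISTRIES = {
    "docker.io",                          # official images from Docker's public registry
    "registry.access.redhat.com",         # Red Hat certified images
    "registry.example.internal:5000",     # hypothetical companywide private registry
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Follows Docker's naming rule: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the image
    comes from docker.io, and official images live under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, remainder = parts[0], "/".join(parts[1:])
    else:
        registry, remainder = "docker.io", ref
    tag = None
    # A ':' in the last path component introduces a tag; a registry port
    # was already consumed with the registry component above.
    if ":" in remainder.rsplit("/", 1)[-1]:
        remainder, tag = remainder.rsplit(":", 1)
    if registry == "docker.io" and "/" not in remainder:
        remainder = "library/" + remainder
    return ImageRef(registry, remainder, tag, digest)


def evaluate_image(ref: str) -> List[str]:
    """Return the policy violations for one image reference (empty list = admitted)."""
    image = parse_image_ref(ref)
    problems = []
    if image.registry not in TRUSTED_REGISTRIES:
        problems.append(f"untrusted registry {image.registry}")
    if image.digest is None:
        # A bare tag can be re-pointed at different content after testing.
        problems.append("not pinned to a digest")
    elif not DIGEST_RE.match(image.digest):
        problems.append("malformed digest")
    return problems


def gate(refs: List[str]) -> dict:
    """Evaluate a batch of references; the deploy step can refuse any non-empty entry."""
    return {ref: evaluate_image(ref) for ref in refs}


if __name__ == "__main__":
    # Constructed sample references for illustration.
    sample = [
        "registry.example.internal:5000/payments/api:1.2@sha256:" + "a" * 64,
        "untrusted.example.net/tool:1.0",
        "nginx@sha256:beef",
    ]
    for ref, problems in gate(sample).items():
        print(ref, "->", "OK" if not problems else "; ".join(problems))
```

The parser deliberately normalizes `nginx` to `docker.io/library/nginx`, so a policy that names `docker.io` as trusted cannot be bypassed by writing the same image with or without the registry prefix.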
Tap "secrets management" tools. Passwords, tokens and possibly multifactor authentication are valuable tools for protecting the most sensitive code and resources. Also, use encryption and specialized management tools to further protect access.
Create security layers between containers. Use network segmentation, including namespace permissions, to isolate access to filesystems, resources and processes. It's critical to place limitations on what each process can modify. Impose other network restrictions at the host and cluster level, and block containers from connecting to known bad IP addresses.
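Most of the isolation the step above asks for is decided by the runtime flags a container is started with, and those flags can be audited after the fact. The Python below is an added example (not code from the report or from Veracode) that reviews records shaped like the `HostConfig` section of `docker inspect` output and reports settings that collapse the layers between a container and its host: privileged mode, shared host network or PID namespaces, added capabilities, a writable root filesystem, writable mounts of sensitive host paths, and a missing memory limit. The two containers and the capability and path lists are constructed for illustration.

```python
"""Audit container runtime settings for isolation weaknesses.

Added example. The policy lists and the sample fleet are constructed
assumptions, not the report's or any vendor's recommendations.
"""
from typing import Dict, List

# Capabilities that let a process reach well beyond its own namespace (constructed policy).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
# Host paths that a container should never be able to write to (constructed policy).
SENSITIVE_HOST_PATHS = ("/etc", "/var/run/docker.sock", "/proc", "/sys")


def _is_sensitive(host_path: str) -> bool:
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(host_config: Dict) -> List[str]:
    """Return human-readable findings for one container's HostConfig-style record."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("runs privileged (all capabilities, no device isolation)")
    if host_config.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    if host_config.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for cap in host_config.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
            findings.append(f"adds capability {cap}")
    if not host_config.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    for bind in host_config.get("Binds") or []:
        # Bind format is host_path:container_path[:options]; 'ro' marks read-only.
        parts = bind.split(":")
        read_only = len(parts) > 2 and "ro" in parts[2].split(",")
        if _is_sensitive(parts[0]) and not read_only:
            findings.append(f"mounts sensitive host path {parts[0]} writable")
    if not host_config.get("Memory"):
        findings.append("no memory limit (can starve neighbouring containers)")
    return findings


def audit_fleet(containers: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every container and return findings keyed by container name."""
    return {name: audit_container(cfg) for name, cfg in containers.items()}


# Constructed sample fleet: one hardened service and one legacy job.
FLEET = {
    "payments-api": {
        "Privileged": False, "NetworkMode": "payments-net", "PidMode": "",
        "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True,
        "Binds": ["/srv/payments/config:/config:ro"], "Memory": 512 * 1024 * 1024,
    },
    "legacy-batch": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "",
        "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"],
        "Memory": 0,
    },
}

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, "->", "clean" if not findings else "; ".join(findings))
```

The read-only mount of `/etc` in the legacy job is accepted while the writable Docker socket is reported, which is the distinction the step draws: the question is what each process can modify, not merely what it can see.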
Govern privileged user authentication and authorization. Tap industry-standard identity management and governance controls to manage access and ensure that only those in administrative roles can alter or remove containers, change access rights and alter policies.
Scan for vulnerabilities. Tap SCA or vulnerability scanning tools to protect a production environment. Scanning should take place at various quality gates and occur after containers are completed.
Harden the OS. Because containers have complete access to the operating system, it's crucial to ensure the OS is fully protected. This means adopting automated patching processes and the use of namespace isolation.
Monitor container operations. Keeping track of the behavior of containers is paramount. This requires coordination among developers, operations, and security pros, with the latter taking the lead.
Use intrusion detection tools. By identifying anomalous or risky container behavior, such as databases that have outbound network connections or containers touching outside applications, it's possible to spot potential vulnerabilities and keep an eye on any possible violations.
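The behaviors the step above names (a database tier opening outbound connections, a container reaching an application it has no business with) and the known-bad-address rule from the segmentation step can both be expressed as checks over connection logs. The Python below is an added example, not code from the report or from Veracode, that runs those checks over a few constructed flow-log lines. The container inventory, the expected-egress map, the internal network range and the blocklist address (taken from the TEST-NET-3 documentation range) are all constructed placeholders standing in for a real inventory and threat-intelligence feed.

```python
"""Flag anomalous container network behavior from constructed connection logs.

Added example. Inventory, policy and log lines are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed inventory: container addresses, their tier, and the internal
# containers each tier is expected to talk to (hypothetical names).
CONTAINER_IPS = {"172.18.0.10": "orders-db", "172.18.0.11": "orders-api", "172.18.0.12": "web-frontend"}
TIER_OF = {"orders-db": "database", "orders-api": "app", "web-frontend": "web"}
EXPECTED_EGRESS = {"database": set(), "app": {"orders-db"}, "web": {"orders-api"}}
# The container network; anything outside it counts as an outside host (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network("172.18.0.0/16")]
# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_BAD = {ipaddress.ip_address("203.0.113.77")}

# Constructed flow-log lines: timestamp followed by key=value fields.
LOG_LINES = """\
2017-05-02T10:00:01Z src=172.18.0.12 dst=172.18.0.11 dport=8080 proto=tcp
2017-05-02T10:00:02Z src=172.18.0.11 dst=172.18.0.10 dport=5432 proto=tcp
2017-05-02T10:00:05Z src=172.18.0.10 dst=198.51.100.23 dport=443 proto=tcp
2017-05-02T10:00:09Z src=172.18.0.11 dst=203.0.113.77 dport=4444 proto=tcp
2017-05-02T10:00:11Z src=172.18.0.12 dst=172.18.0.10 dport=5432 proto=tcp
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'ts k=v k=v ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def classify(event: Dict[str, str]) -> List[str]:
    """Return the alerts raised by one connection event (empty list = expected traffic)."""
    src_name = CONTAINER_IPS.get(event["src"])
    if src_name is None:
        return []  # not a container we track
    tier = TIER_OF[src_name]
    dst = ipaddress.ip_address(event["dst"])
    alerts = []
    if dst in KNOWN_BAD:
        alerts.append(f"{event['ts']} {src_name} contacted known-bad address {dst}")
    dst_name = CONTAINER_IPS.get(event["dst"])
    if dst_name is None:
        # Destination is not one of our containers; is it even inside our network?
        if not any(dst in net for net in INTERNAL_NETWORKS):
            alerts.append(f"{event['ts']} {src_name} ({tier} tier) made an outbound "
                          f"connection to external host {dst}:{event['dport']}")
    elif dst_name not in EXPECTED_EGRESS[tier]:
        alerts.append(f"{event['ts']} {src_name} ({tier} tier) connected to {dst_name}, "
                      f"which the {tier} tier is not expected to reach")
    return alerts


def detect(log_text: str) -> List[str]:
    """Run classify() over every non-empty log line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(classify(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

With the constructed lines, the database container's HTTPS connection to an outside host, the app container's connection to the blocklisted address (reported twice, once as known-bad and once as external egress), and the web tier reaching the database directly are all surfaced; the two expected hops are silent.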
Containers are a powerful tool within production environments. While they offer enormous benefits, they also introduce risks. However, with a strategic approach it's possible to take software development to a new and more secure level.
Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He currently focuses on Developer Awareness through strategic content creation. In his spare time you'll find him doting over his lovely wife and daughter. He is a Co-Owner of CrossFit Amoskeag in Bedford NH, his favorite topic is artificial intelligence, and his favorite food is pepperoni pizza.