Container security is a topic most security practitioners still find confusing. Containers are a young technology that is spreading fast because of their many benefits, and the security implications and solutions are evolving just as fast.
That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about container security that I would like to share with you.
Divide and Conquer: Images, Orchestration, Runtime
After introducing the audience to all of the security challenges and attack vectors for containers, she broke down a container security program into three sections:
- Securing container images
- Securing the orchestration plane
- Securing containers at runtime
Today, no single security vendor covers all three of these areas. Because Veracode focuses on application development security, we concentrate on securing container images rather than the operational parts.
Inside the Sausage Factory: How the Docker Image is Made
A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. The docker run command creates a container from an image and starts it. Each container is an instance of an image, and many containers can run from the same image at the same time. The image persists; the containers are ephemeral. Container deployments are in constant flux, and the average lifetime of a container is 30 minutes.
The Docker Hub registry is a repository for sharing container images from open source projects and from software vendors. Developers pull these images and build on top of them, inheriting whatever vulnerable packages the base layers carry and often introducing additional risk to the organization.
In her talk, Anna referenced a study of 3,802 official images on the Docker Hub that found a median of 127 vulnerabilities per image. Even more striking: not a single image was free of vulnerabilities.
Gartner’s Top Recommendations on Container Security
The talk closed with three recommendations:
- Secure containers holistically by integrating controls at key steps in the CI/CD pipeline. Focusing solely on runtime controls, as you would for software installed on VMs, leaves you exposed at many points.
- Use secrets management and software component analysis as primary container protection strategies. Add Layer 7 network segmentation for operational containers that require defense in depth.
- Select vendors that can integrate with the container offerings of leading cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
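As an added example of what the first two recommendations look like in a pipeline (this is illustrative code written for this post, not code from Veracode, from Gartner, or from Anna's talk), the gate below takes the package inventory of a built image, compares it against a vulnerability feed, and fails the build when any finding meets the severity threshold. The inventory, the advisory list and the ADV-000x identifiers are constructed for the example; the version comparison is a simplification of the distro's own rules and is labelled as such in the code.

```python
"""Added example: a CI/CD gate that compares the packages installed in a
container image against a vulnerability feed and fails the build when a
match meets the severity threshold. Everything here is illustrative: the
inventory, the advisories and their IDs are constructed, not real data."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # constructed identifier, not a real CVE
    package: str
    fixed_version: str  # first version that carries the fix
    severity: str


# Constructed inventory, in the shape produced by running
#   dpkg-query -W -f='${Package} ${Version}\n'
# inside a Debian/Ubuntu based image. An rpm-based image would need
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
SAMPLE_INVENTORY = """\
openssl 1.1.1d-0+deb10u3
libcurl4 7.64.0-4
zlib1g 1:1.2.11.dfsg-1
bash 5.0-4
"""

# Constructed advisory feed (hypothetical IDs and fix versions).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.1.1d-0+deb10u5", "high"),
    Advisory("ADV-0002", "libcurl4", "7.64.0-4+deb10u1", "medium"),
    Advisory("ADV-0003", "zlib1g", "1:1.2.12-1", "low"),
    Advisory("ADV-0004", "bash", "5.0-3", "critical"),             # already fixed in the image
    Advisory("ADV-0005", "nginx", "1.14.2-2+deb10u1", "critical"),  # not installed in the image
]


def version_key(version: str):
    """Turn a package version into a tuple that sorts in version order.

    Handles the epoch prefix ("1:") and compares numeric segments as
    integers. Simplification: real dpkg/rpm comparison has more rules
    (the '~' pre-release marker sorts before everything, for example),
    so a production gate should call the distro's own comparison."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    parts = re.findall(r"\d+|[A-Za-z]+", rest)
    return (int(epoch),) + tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in parts
    )


def parse_inventory(text: str) -> dict:
    """Parse 'name version' lines into a {package: version} map."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(None, 1)
        inventory[name] = version.strip()
    return inventory


def find_vulnerable(inventory: dict, advisories):
    """Return (advisory, installed_version) for every advisory whose package
    is installed at a version older than the fixed version."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue  # package not in the image: advisory does not apply
        if version_key(installed) < version_key(adv.fixed_version):
            hits.append((adv, installed))
    return hits


def gate(inventory: dict, advisories, fail_on: str = "high"):
    """Decide whether the image may proceed. Returns (passed, hits, blocking):
    hits is every matching advisory, blocking those at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    hits = find_vulnerable(inventory, advisories)
    blocking = [h for h in hits if SEVERITY_RANK[h[0].severity] >= threshold]
    return (not blocking, hits, blocking)


if __name__ == "__main__":
    fail_on = "high"
    inv = parse_inventory(SAMPLE_INVENTORY)
    passed, hits, blocking = gate(inv, SAMPLE_ADVISORIES, fail_on=fail_on)
    for adv, installed in hits:
        print(f"{adv.advisory_id} {adv.package} {installed} < {adv.fixed_version} [{adv.severity}]")
    print("PASS" if passed else f"FAIL: {len(blocking)} finding(s) at or above {fail_on}")
```

In a pipeline this runs right after docker build: the inventory comes from running the package manager's query inside the freshly built image (for example docker run --rm IMAGE dpkg-query -W -f='${Package} ${Version}\n'), the advisory list comes from your scanner or SCA service rather than a hand-built list, and the job exits non-zero when the gate fails so the image is never pushed to the registry. Note that the gate correctly ignores advisories for packages the image does not contain, and a package already at or past the fixed version (bash above) is not reported, which is exactly the behaviour a noisy naive string match would get wrong.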
Veracode can help you with the first recommendation: Veracode Software Composition Analysis scans container images for vulnerabilities as part of your CI/CD pipeline, so the image you promote to production has been checked for known vulnerabilities before it ships. If you’re interested in more information, read our blog post How Veracode Scans Docker Containers for Open Source Vulnerabilities.