Container Security

How to secure software containers and infrastructure as code (IaC)

Adoption of software containers and infrastructure as code (IaC) has risen dramatically as more organizations realize the benefits of this virtualized technology. Software containers are lightweight, standalone, executable packages of software that include everything required to run the app, service, or microservice. Containers include code, runtime, settings, system libraries and system tools, and they can be used with both Linux and Windows-based applications. By isolating software from its surroundings, software containers enable code to always run the same regardless of the environment it is operating within.

Containers blur the line between application and infrastructure. Containers are created from a configuration file such as a Dockerfile and include packages that need to be configured to meet the need of cloud infrastructure. If controls are not properly configured, containers will be at risk of a security breach.

For all their value, software containers can also introduce significant risk. Lack of visibility into containers and their infrastructure means security teams are often unable to discern whether there are any issues within the code. And containers are rarely scanned for vulnerabilities before or after being deployed to production.

There are several steps that developers can take to help secure software containers, including enforcing the use of trusted container image repositories, running containers as a non-root user, and making sure images are patched. Scanning software containers for vulnerabilities and misconfigurations is also critical – and that’s where Veracode can help.

Container and infrastructure as code (IaC) security testing with Veracode

Veracode provides application security testing solutions that help protect the software that businesses rely on. Our suite of on-demand, SaaS-based testing services enable security analysis and testing to be embedded throughout the software development lifecycle (SDLC), allowing developers to test for vulnerabilities from inception through production.

Veracode Software Composition Analysis scans Docker containers and images to find vulnerabilities associated with open-source libraries as dependencies of the base OS image and globally installed packages.

Another tool is Veracode Container Security. This solution integrates into the developers’ pipeline with ease and empowers teams to scan containers and IaC files early in the development process.  Prioritized and contextual results help developers fix vulnerabilities and misconfigurations fast and cutting-edge SBOM technology makes it possible to meet regulatory standards, deliver security assurance and strengthen the security of the software supply chain. 

Securing containers from open source vulnerabilities isn’t all that different than looking at vulnerabilities in open-source libraries in code. Developers need to be able to scan containers the moment they are introduced, with all of its globally installed packages. This enables development teams to decide whether to proceed forward with the vulnerabilities present, introduce ways to mitigate the issues, update to a more secure version of the libraries being used, or explore alternative base images and libraries that are more secure. 

Comprehensive solutions for container security software and other applications

Additional Veracode software testing services include:

• Veracode Static Analysis IDE Scan, a solution that runs in the background of a developer’s IDE to provide immediate alerts and feedback about potential flaws as code is being written.
• Veracode Dynamic Analysis, a web application scanner service that inventories all public-facing web applications and performs both lightweight, production-safe scans and deep scans to identify potential vulnerabilities.
• Veracode Static Analysis is an easy-to-use testing methodology that lets developers quickly scan web, mobile and desktop applications. With Veracode Static Analysis, developers can quickly identify and remediate vulnerabilities like cross-site scripting and SQL insertion without having to manage a tool. Our patented technology scans binaries, eliminating the need for access to source code. Results are provided within four hours for 80% of scans, and 90% of scans are completed within a day. With highly accurate results that are prioritized based on severity and include a step-by-step remediation plan, developers can fix flaws faster while avoiding wasting time on false positives.