As cloud-native applications continue to proliferate, containers are becoming the preferred way to package and deploy them because of the agility and scalability they offer. Gartner predicts that 75% of global organizations will be running containerized applications in production.
The popularity of containers has also attracted attackers looking for new ways to exploit applications. Containers expand an organization's attack surface: the image supply chain, the container runtime, and the orchestrator all become targets, and every container on a host shares that host's kernel. A comprehensive security approach is essential to mitigate the risk to containerized applications and the infrastructure that runs them.
Physical containers, originally created to ease the transportation of goods and materials on cargo ships, developed a standardized way of packing things. Whether a sports car from Italy or coffee from South Africa, they were packed and shipped the same exact way. The simplification this provided sparked an explosion in international trade and economic growth.
Likewise, decades later, when Docker made container technology practical for software applications, the goal was to simplify shipping software from the developer's laptop to the production environment. Containers package everything an application needs to run, including libraries and system tools, into a single image that can be deployed across multiple environments, just as physical containers are loaded by cranes and forklifts onto cargo ships, planes, and trains without anyone repacking the contents.
Virtual machines already solved a similar packaging problem. So why not stick with those? Why containers?
Containers are first and foremost a packaging tool. You can take an application and all its dependencies, put them in a container image, and run it on any host with a compatible kernel and container runtime, and it will behave as it did on the developer's machine. A virtual machine, on the other hand, carries a full guest operating system. It layers the application and its dependencies onto that operating system, which brings significant overhead due to hardware virtualization and a separate kernel per guest. That difference is also the security trade-off: a container shares the host kernel and is isolated only by kernel features such as namespaces, cgroups, and capabilities, so a kernel vulnerability reachable from one container can affect every container on the host, whereas a VM has a hardware-enforced boundary around its own kernel.
Orchestration allows organizations to automate and simplify the configuring, managing, and deploying of large-scale container environments. Orchestration platforms such as Kubernetes have become the de facto standard for managing containerized applications at scale.
Many organizations make unfounded assumptions about the security of orchestration platforms, and those assumptions can put their applications at risk. Even with managed Kubernetes services such as Google GKE, the shared responsibility model can make it difficult to understand who secures what: the provider typically secures the control plane, while the customer remains responsible for what runs on it, including workload configuration, access control, network policy, and the images themselves.
Any container security and orchestration program must take into account the risks introduced by how containers are built and what they contain. A program can be assessed at three layers: the host (kernel, runtime, and node hardening), the platform (the orchestrator's control plane, access control, and network policy), and the containers themselves (image contents, the build pipeline that produces them, and their runtime configuration).
When addressing the security of containers and container orchestration, it's important to take a holistic approach that encompasses the architecture, deployment, and production operation of your applications.
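The container-layer checks above translate directly into rules that can be run against a workload manifest before it is deployed. The following is an added example (it is not code from the original page or from Black Duck) that audits a Kubernetes Pod manifest for the settings that most often turn a container compromise into a host compromise: host namespaces, hostPath and Docker-socket mounts, privileged mode, missing runAsNonRoot, a writable root filesystem, undropped capabilities, and images that are not pinned by digest. The rule set is the author's own shortlist, and the two manifests (a weak "debug agent" and a hardened application pod, with a placeholder all-zero image digest) are constructed here for demonstration.

```python
"""Audit a Kubernetes Pod manifest for common container-hardening gaps.

Added example for this page; not Black Duck's tooling. The checks are the
author's shortlist, and both sample manifests below are constructed.
"""

HIGH_RISK_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def _effective(container: dict, pod_ctx: dict, key: str):
    """A container-level securityContext field overrides the pod-level one."""
    return container.get("securityContext", {}).get(key, pod_ctx.get(key))


def audit_pod(manifest: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    # Host layer: sharing a host namespace removes the boundary to the node.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag}=true shares a host namespace with the node")

    # hostPath volumes expose node files; the Docker socket is root on the node.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is None:
            continue
        if path == "/var/run/docker.sock":
            findings.append(f"volume {vol['name']}: mounts /var/run/docker.sock (root on the node)")
        else:
            findings.append(f"volume {vol['name']}: hostPath {path} exposes the node filesystem")

    # Container layer: runtime configuration and image provenance.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        ctx = c.get("securityContext", {})
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} is not pinned by digest")
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged=true disables nearly all isolation")
        # Kubernetes defaults allowPrivilegeEscalation to true, so require an explicit false.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false (setuid binaries can gain privileges)")
        if _effective(c, pod_ctx, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        risky = HIGH_RISK_CAPS & set(caps.get("add", []))
        if risky:
            findings.append(f"{name}: adds high-risk capabilities {sorted(risky)}")
    return findings


# Constructed sample: a "debug agent" that breaks every rule above.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-agent"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent",
            "image": "nginx:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed sample: the same workload with a hardened runtime configuration.
# The all-zero digest is a placeholder for a real image digest.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app",
            "image": "registry.example/app@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for line in audit_pod(pod):
            print("  -", line)
```

The weak manifest produces ten findings; the hardened one produces none. Running a rule set like this in CI, or enforcing the same conditions with an admission controller, is how the "container and orchestrator" layer of the program described above becomes a gate rather than a guideline.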
Security considerations should include
Attack scenarios to consider should include
To track and organize these scenarios, it's beneficial to create an attack matrix. The Kubernetes threat matrix, for example, is modeled on the MITRE ATT&CK framework and groups techniques under tactics such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and impact.
The most common container vulnerabilities that Black Duck has encountered in our assessments are
You can learn more about these vulnerabilities and container security essentials in our webinar on-demand.
Implementing a strong container security program in your company is no easy task. You can learn more about container security best practices in our on-demand webinars: Container Security Essentials and Finding Your Way in Container Security.
Whether you're just starting to use containers or have been running them for years, building a robust container security program requires an understanding of the elements that make a container deployment secure. This white paper outlines those elements and helps you move your organization forward in its container security journey.