Container Security

A container is a package of software files that hold everything you need to run an application, including the application’s code, dependencies, runtime, library, and more.

Containers help transform operations from physical, single-tenant computing resources to a more efficient, virtual, multitenant infrastructure. The container framework, popularized by Docker, simplifies and accelerates application deployment by packaging operating system components, applications, and all dependencies into layers within what’s known as a container image. More simply, a container image is an unchangeable software package that contains everything an application needs in order to run.

Developers are increasingly using containers as they

• Better align with today’s cloud-native application development approach
• Ensure that applications run the same way regardless of the environment they're running in
• Enable a microservice approach, which makes rapid app development and deployment more feasible

Container security is important for the same reasons all application security is important: Without a comprehensive strategy and tooling in place to secure your containers, you risk exposing your customers’ sensitive data and negatively impacting your business.

Traditional AppSec tooling is not sufficient for securing containers, so container-specific security solutions and strategies are crucial.

In Gartner’s recent “Innovation Insight for Cloud-Native Application Protection Platforms” report, it confirmed this challenge: “The unique characteristics of cloud-native applications make them impossible to secure without a complex set of overlapping tools spanning development and production including […] containers.”

Securing images is difficult, as each layer in a container image is an attack surface that can harbor software vulnerabilities.

Most images are built on third-party code, which makes the presence of third-party vulnerabilities likely. Relying on third parties makes it very challenging to gain control of upstream risk. Security efforts should therefore focus on the source of the images, scanning for vulnerabilities that might made their way in from upstream projects.

Additional concerns include

• Image squatting, in which bad actors target public registries by uploading malicious images with names nearly identical to original images, allowing them to gain entry to users’ containers
• Container images are enormous, so it’s very difficult to complete thorough vulnerability scanning and configuration efforts
• Shaky control measures, including a lack of clear processes around how images are modified and verified as authentic, and how lists of approved container registries are created and maintained

While traditional AppSec tools like SCA can scan base container images for known vulnerabilities, additional dependencies can be introduced at build or even runtime. Therefore, additional methods to analyze images later in the development life cycle are required for a complete picture of risk.

Containers are still relatively new to the software development world, so there is still a lack of expertise in how to build secure containers.

The lack of expertise has led to a lack of governance, which has led to teams skipping formal security reviews. For example, some teams may not subject container images to the same level of scrutiny that they do for regular open source components, leaving huge security gaps.

One of the huge draws of containerization is using it to scale up deployment. However, the scale of containers being deployed on a regular basis can be overwhelming and difficult to keep up with, even with scanning technologies in place.

This complex environment requires specific and targeted security efforts.  

Black Duck® SCA solution helps you secure and manage open source risks in applications and containers. Black Duck®

• Scans container images for open source components and surfaces vulnerabilities
• Integrates with binary and container repositories to help act as a gatekeeper for allowed and forbidden images
• Uses binary analysis to analyze containers after they're built to identify dependencies (and thus vulnerabilities), even those introduced during the build, as well as any sensitive information left exposed