Sam Bocetta describes the most common container security risks and explains the steps needed to minimize security breaches when building in containers.
The idea behind using containers for building applications is to optimize developer experience.
This gives users the flexibility to run applications in any computer hardware, cloud environment, or infrastructure. Hence, it isn't very surprising that Gartner found that more than 75% of global organizations will be running containerized applications in production come 2022.
This doesn’t fully mitigate cyber threats in the landscape, though. In fact, if you think that containers are somehow magically secure, you‘re making a mistake.
In this article, we’ll discuss some of the most common container security risks, along with steps to help you minimize security breaches when building in containers.
Common container security risks
There has been a conscious shift in the way businesses are operating lately.
Companies are swapping traditional application development methodologies in favor of the more agile DevOps-centric methodologies that prioritize continuous delivery and continuous deployment to show value. You have to realize that a container environment introduces a completely unique set of security challenges.
While maintaining online anonymity does help to an extent, it’s just the first step. Basic security measures, like use of strong passwords coupled with secure password management applications help a bit more. But things get a bit more complicated when you use containers to build applications from scratch or port your existing monolithic apps to a containerized environment.
Here are some of the most prevalent container security risks that you should be aware of:
Using privileged containers
For those of you who are not aware, running containers with the privileged flag lets it do anything a host can, which includes running all capabilities and gaining access to the host’s devices.
If an attacker is successful in breaching a container running with the privileges flag, it gets control over everything. Our recommendation would be using CAP ADD and CAP DROP, and avoid running containers that use the privileged flag.
Using insecure images
Developers use either a parent or a base image for building containers.
You see, images let developers reuse the different components of an image without having to build a container image from scratch. But just like code, using images or their dependencies increases the risk of several website vulnerabilities like malware infection and Man-in-the-Middle attacks.
The only way out here is to enforce strict vulnerability screening practices and image provenance policies.
Unrestricted communication between containers
Containers communicate with one another to achieve their goals.
It’s important to ensure that this communication is limited to only those containers that are absolutely essential. Not only will this help to minimize your attack surface, but it also reduces the risks of firewall breaches that are prevalent when you run multiple containers and microservices.
You can use container orchestration and management tools such as Kubernetes to implement network controls accurately.
Not isolating containers properly from the host
You might already be aware of how complicated container security can be. While it does offer certain security benefits due to its immutable nature, limited functionality, and short lifespan, it can also act as a vector for attacking the underlying host.
Many misconfigurations can put the underlying host at risk. You should refrain from sharing the host’s network namespace and as well as the process namespaces to avoid this situation.
Steps for minimizing risks when building containers
It’s no secret how mass homeworking has created more vulnerabilities for cyber-criminals to capitalize on the crisis. But you can reduce the risk factor when building containers through the following steps:
Step 1: Opting for a secure container host
Try to use container-focused operating systems. You can reduce the overall attack surface by removing inconsequential hosting services for maintaining container workloads.
Using monitoring tools to keep a check on your container hosts’ health is also helpful.
Several security controls work together to provide a complete solution for securing container host systems. Once you successfully safeguard your container workloads, its integrity will automatically be guaranteed.
Step 2: Working towards securing the networking environment
Using security controls like web filtering and intrusion prevention system (IPS) can stop undesirable attacks and filtering malicious content.
We would recommend deploying an IPS for monitoring into container traffic. Internal traffic monitoring can help block the efforts of hackers that have already established a hold in networks, allowing them to expand their reach by moving laterally.
Step 3: Taking steps to secure your management stack
The next step is to secure and monitor your container registry. Take advantage of features that can help enforce your organization's security and development standards, such as locking down the Kubernetes installation, using Pod and network policies, etc.
Several security tools that also can help scan and validate configurations for every container that is added to the container registry. This, in turn, will ascertain the deployment of only those containers that comply with your development and security standards.
Step 4: Using a secure foundation for building
Keep a constant eye on team communication regarding dependencies used in applications. You should quickly integrate any changes made to a piece of software into the application to reduce risks as well.
You should take the initiative to protect your containers against known vulnerabilities like malware to limit security holes in applications. There are several container image scanners that keep your secrets protected and will also sweep for custom indicators of compromise (IoCs).
This will help you mitigate risks before further development or deployment to production. In the end, you’ll have a smooth running app that gives users a totally hands-off experience when making stock investments, scoring leads, or even when they shop online.
Step 5: Focusing on the build pipeline
Using strong endpoint controls can detect threats and secure developer workstations by curtailing security challenges and container threats. Not only will doing this restrict visits to malicious websites but will also increase the possibilities of preventing malware.
Try to implement a thorough access control scheme. Make sure that only authorized users get access to code repositories, and can trigger builds and integrate branches that get pushed into production. Securing the integrity of servers that run these tools is also critical. Try to use tools that deliver a set of strong controls while simultaneously minimizing overheads.
Step 6: Optimally safeguard your application
It’s crucial to follow the best practices to improve code quality. Even the most basic mistakes or poor design choices can expose your system to cyber-attacks. Remember, the more time and effort you take to improve the quality of your code, the higher the security will be.
You can also use runtime self-protection controls to avoid issues in specific lines of code. Identifying security vulnerabilities will help close any gaps during root cause analysis that can help you design better security protocols.
The bottom line
The ongoing pandemic has forced businesses to adopt the new normal, having brought drastic and long-lasting changes in the past few months – companies using container technology being no different.
While this technology helps boost the speed and efficiency of overall development, it also creates a deluge of data from network monitoring and security notifications. Research firm BrainStation recently found 86% of companies have plans to train their DevOps teams in data science, in an effort to make sense of the data and better secure their networks.
You have to work on ramping up your container security by taking it seriously from the earliest possible stages of container design. After all, it’s the only way to protect your customers and the integrity of your business.
Sam Bocetta is a freelance journalist specializing in US diplomacy and national security, with emphasis on technology trends in cyber-warfare, cyber-defense, and cryptography.
Sam is a former security analyst for the US Department of Defense, having spent 30-plus years bolstering cyber defenses for the US Navy.