Gartner recently included container security as one of its Top 10 Security Projects for 2019. However, container technology remains something of a mystery to many cybersecurity pros.
That unfamiliarity is complicated by a lack of adequate tools on this front: ESG data says that more than 30% of security pros indicate that their organization's current security solutions don't support containers and that most of the specialized tools available are immature offerings from startup companies.
Jay Chen, senior cloud vulnerability and exploit researcher at Unit 42 for Palo Alto Networks, said the finding was not surprising.
"Most security teams have only started to take notice of containers in the last year despite them being around for a long time. We hear about new container technologies and tools every few weeks, and a lot of them are still under development. Keeping up with all these new tools can be overwhelming and frustrating."
—Jay Chen
Here's what top security pros say about how the rapid rise of containers has complicated their jobs—and what steps you can take to improve your organization's container security.
A brave and befuddling new world
Container security is inherently complicated because it includes everything from static to dynamic to runtime security, said Jerry Gamblin, principal security engineer at Kenna Security.
When a container security program is built out, it typically ends up being a mirror of the network security model that most organizations have spent years putting together and fine-tuning.
"Container security is in its infancy, and there aren't a lot of precedents yet on the 'right' way to do it, so there are a lot of different tools and approaches."
—Jerry Gamblin
Tim Hinrichs, co-founder and CTO of Styra, explained that in the containerized/cloud-native/DevOps world, the new model of "everything as code" means that configuration and policy are dictated and automated by the environment and the workloads themselves. "They're not handled by some external box or service," he said.
Just as open source offers many solutions in this new environment—including the containers themselves, the management of those containers, and the automations required to keep things operational, testable, and monitored—security is seeing a strong open-source push also.
This allows development teams to implement quickly and achieve great point solutions right away. But because there's no procurement process and little overhead, dev teams can choose solutions without involving dedicated security teams, which usually results in a disconnect.
"The technology across the cloud-native stack is indeed new, which means legacy security tools from 'the approved vendor list' aren't often applicable. The new tools aren’t unproven; they just come from newer names in the security space. Many of these tools have been proven in production over years and in thousands of instances."
—Tim Hinrichs
The rub, he said, is that DevOps teams can and often do make choices more quickly and without necessarily involving multiple teams in IT—and that inherently brings risk.
Containers are not the problem; processes are
Although researchers have discovered a handful of security flaws in Docker and Kubernetes, Palo Alto Networks' Chen said the number of vulnerabilities found in them is still relatively low compared to other open-source projects.
"The majority of the container security incidents are due to configuration mistakes during deployment. Container orchestration platforms are complex and can be daunting to manage for some organizations."
—Jay Chen
With the layers of abstraction and integration built into many tools, it's easy to miss critical settings that put the entire platform at risk. Chen said his company's threat intelligence team recently discovered that deploying containers with default settings can leave them vulnerable to exploits and the leakage of sensitive data.
"Most container tools have built-in security features, but it’s up to the users to enforce these security functions consistently."
—Jay Chen
Styra's Hinrichs said the biggest challenge to container security wasn't posed by the technology or tooling, but rather by a lack of collaboration between development and security. DevOps is proven at this point and has accelerated application delivery in a very real and dramatic way, he said. Operations are automated and efficient in ways "we only dreamed of years ago."
But DevSecOps, while getting a lot of ink, isn't a mature process yet, he said.
"Lots of true security knowledge is still locked away in IT. Without the tooling and talent to bridge that into the modern development cycle, enterprises run the risk of exposure."
—Tim Hinrichs
Evaluating your container security
Ultimately, container security is no different from network security, Kenna Security's Gamblin said. And organizations frequently deal with the same challenge when it comes to both: The inability to gain a complete view of what is running and why.
Styra's Hinrichs suggests starting this process by asking a few insightful questions:
- What happens if a bad actor gets access to developer credentials?
- Where do my policies exist?
- Are they enforced by automation or by human best effort?
- Would we know if malicious code was running in our environment?
- How many ways can workloads talk to the Internet?
- Can I validate what is out of compliance?
- Can I stop noncompliant workloads from running?
Answering any of these questions can quickly highlight where risk is high or, conversely, prove where teams have strong control over their environments, Hinrichs said.
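Two points above, Chen's observation that most incidents come from deployment settings left at their defaults even though the tools ship with security features, and Hinrichs' questions about whether policy is enforced by automation and whether noncompliant workloads can be stopped, are easiest to see with a concrete manifest. The script below is an added example, not code from the article or from any of the vendors quoted: it audits a Kubernetes Pod spec for the hardening settings that Kubernetes supports but does not enforce unless the manifest asks for them, and reports whether an admission-style gate would accept it. The two Pod specs are constructed dicts in the shape of a parsed manifest (the digest in the hardened image reference is a placeholder), so it runs with no cluster and no YAML library.

```python
"""Audit a Kubernetes Pod spec for security settings that are off by default.

Added example, not from the article. DEFAULT_POD and HARDENED_POD are
constructed dicts shaped like a parsed Pod manifest; no cluster or YAML
library is needed. Each check corresponds to a control Kubernetes provides
but leaves to the user to switch on.
"""
from __future__ import annotations

from typing import Any


def mutable_image_ref(image: str) -> bool:
    """True when the image reference can change underneath a deployment:
    no tag at all, the ':latest' tag, or no digest pin."""
    last = image.rsplit("/", 1)[-1]          # drop registry/namespace (may contain ':port')
    if "@sha256:" in last:
        return False                          # pinned by digest: immutable
    if ":" not in last:
        return True                           # untagged means :latest
    return last.endswith(":latest")


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per weak or missing setting; an empty list means clean."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Pod-level flags that share a node namespace with the workload
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag}=true shares a node namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: volume {vol.get('name')} mounts a hostPath")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true disables most isolation")
        # A container-level value overrides the pod-level one; unset means root is allowed
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation defaults to true")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: default capability set is not dropped")
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append(f"{name}: no seccomp profile requested")
        if mutable_image_ref(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} is not pinned")
    return findings


def admit(pod: dict[str, Any]) -> tuple[bool, list[str]]:
    """Gate in the spirit of an admission policy: reject on any finding."""
    findings = audit_pod(pod)
    return (not findings, findings)


# Constructed: what a team typically deploys first, every hardening knob at its default
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx"}]},
}

# Constructed: the same workload with the built-in controls switched on
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "nginx@sha256:" + "0" * 64,   # placeholder digest, not a real image pin
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        ok, findings = admit(pod)
        print(f"{label}: {'admitted' if ok else 'rejected'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the default manifest is rejected with six findings and the hardened one is admitted with none. The same function can be pointed at every manifest in a repository as a CI step, which is the difference Hinrichs draws between policy enforced by automation and policy enforced by human best effort.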
If your organization is just starting to use container technology, begin the security process by surveying the teams involved to see what security resources and guidelines they are referencing for their proposed projects, said Bob Peterson, CTO architect for Sungard Availability Services.
"If they are thinking about security before they start, there is a better chance of success. However, if there's a lack of any security references, that's a fairly good indicator that the organization may be facing an increased risk with the technology."
—Bob Peterson
And as daunting as tackling a new technology can be, remember that in the long run containers should help, not hinder, your security efforts.
More things can go wrong
Containers can provide a big security benefit, because compromised workloads are theoretically isolated and can often be destroyed and spun back up with little to no impact on production overall, Styra's Hinrichs said.
But since the containerized environment is more complex than yesterday’s monolithic app stack, there are far more places for security to go wrong or for policy to be lacking.
"Securing this new environment still has the same building blocks—network, storage, compute, etc., but deploying security policy in an ephemeral environment takes new technology and a new set of skills."
—Tim Hinrichs