Adopting a More Secure Approach to Containers
Adopting a More Secure Approach to Containers
As more and more software is developed in containers, applying best practice security measures is a must. Read on to learn how your team can keep it's container safe.
Join the DZone community and get the full member experience.Join For Free
The complexities of developing secure software aren't lost on anyone in the business world. One tool development teams have used to adapt to today's challenging environment is software containers, which allow applications to run reliably on different platforms and systems.
Today, organizations use containers to address a wide range of development and testing tasks. What's more, as DevOps and other Agile initiatives have taken root, containers have become a crucial element in building a fast and flexible digital framework.
But software containers may lack the security required for today's complex development environments. We believe that an April 2017 Forrester report, Ten Basic Steps To Secure Software Containers, highlights that security must be at the center of any initiative involving containers, including the popular Docker platform.
While containers promote standardization, they also introduce significant risks. For example, in the report cited above, Forrester noted that in 2017, a newly identified Linux kernel vulnerability dubbed "dirty cow" had gone undiscovered for nine years. Suddenly, security leaders found themselves scrambling to patch systems and limit their risk exposure to this vulnerability.
In our view, the Forrester report suggests that a proactive approach to security offers clear benefits. It speeds processes by eliminating configuration differences and allows developers to work more efficiently across systems while maintaining essential controls. By using security controls that are unique to containers, security pros can better adapt application security to different architectures.
10 Steps to Success With Containers
The report from Forrester offers 10 ways to harden containers and protect an enterprise. Here is our take on these ten steps, along with our thoughts on what each of them implies:
- Use private container repositories. Rely only on trusted public registries such as Docker Store or Red Hat's certified containers for certified containers. Create a company-wide registry and use quality gates within an application lifecycle to limit code to trusted images.
- Eliminate image clutter. Continuously monitor what's inside the containers. Use quality gates that are included in the software delivery lifecycle, and software composition analysis (SCA) tools or vulnerability scanners.
- Mandate only signed images for shared repositories. Make sure that every container is signed to ensure that developed images match those that are tested and deployed. This practice is extremely important for public registries stored in the cloud.
- Tap "secrets management" tools. Passwords, tokens, and possibly multifactor authentication are valuable tools for protecting the most sensitive code and resources. Also, use encryption and specialized management tools to further protect access.
- Create security layers between containers. Use network segmentation, including namespace permissions, to isolate access to filesystems, resources, and processes. It's critical to place limitations on what each process can modify. Impose other network restrictions at the host and cluster level, and block containers from connecting to known bad IP addresses.
- Govern privileged user authentication and authorization. Tap industry-standard identity management and governance controls to manage access and ensure that only those in administrative roles can alter or remove containers, change access rights and alter policies.
- Scan for vulnerabilities. Tap SCA or vulnerability scanning tools to protect a production environment. Scanning should take place at various quality gates and occur after containers are completed.
- Harden the OS. Because containers have complete access to the operating system, it's crucial to ensure the OS is fully protected. This means adopting automated patching processes and the use of Namespace Isolation.
- Monitor container operations. Keeping track of the behavior of containers is paramount. This requires coordination among developers, operations, and security pros--with the latter taking the lead.
- Use Intrusion detection tools. By identifying anomalous or risky container behavior, such as databases that have outbound network connections or containers touching outside applications, it's possible to spot potential vulnerabilities and keep an eye on any possible violations.
Containers are a powerful tool within production environments. While they offer enormous benefits, they also introduce risks. However, with a strategic approach, it's possible to take software development to a new and more secure level.
Published at DZone with permission of Neil DuPaul , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.