DevSecOps: Slaying the Myths of Container Security

How do containers both introduce and solve common security challenges? Containers are a net benefit for security-minded organizations.

Benjamin Wootton · Mar. 23, 17 · Opinion

Containers are clearly appealing for companies and development teams who want to deliver and iterate on their software faster and more efficiently. This is achieved through more consistent, simple, and repeatable deployments, rapid rollback, and simpler ways of orchestrating and scaling distributed applications.

The survey shows, however, that security is very relevant to organizations that are looking to deploy containerized applications. Though the question referred to concerns, we believe that security is relevant to containerization in both the positive and negative senses. How do containers both introduce and solve common security challenges?


Slaying the Myths

There are a lot of myths about container security. Though people have demonstrated exploits, for instance breaking out of containers or attacking container daemons in various ways, we believe that when you consider both sides as above, containers are a net benefit for security-minded organizations. In principle, containerized applications give us tens of different ways of introducing new security approaches that reduce attack vectors and minimize attack surface areas.

What organizations do need is a lot of education: first, to put some of the myths to bed, and then to educate on how to achieve container security in an optimal way.

Achieving Container Security

There are many approaches that teams can bring to the table to maximize security in a containerized environment.

Least Privilege

By default, containers add layers of protection and sandboxing around a process. These protections ensure that processes are not allowed to interact with other processes or the underlying host operating system in any way other than those explicitly allowed. By default, container platforms are locked down, but additional restrictions can be applied at the time that you start the daemon or container.

Reducing Attack Surface

Both containers and other pieces of the platform, such as the daemon or orchestrator, should also be configured with the minimal possible scope for attack.

Container Registry

Companies want to ensure that rogue, untested, or unlicensed software is not entering the organization. To achieve this, companies will deploy an enterprise private registry as a central store of containers. These containers can then be validated, scanned, and configured with the proper access controls to ensure a single source of truth.
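
The least-privilege, attack-surface and registry points above can be checked against running containers. The following is an added example, not code from the article or from Docker: it audits records shaped like `docker inspect` output for settings that widen a container's privileges and for images that come from outside a private registry. The sample records and the registry name `registry.example.internal` are constructed for illustration.

```python
# Constructed sample shaped like parsed `docker inspect` JSON; not from the article.
SAMPLE = [
    {"Name": "/web",
     "Config": {"Image": "registry.example.internal/shop/web:1.4", "User": "10001"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
                    "PidMode": "", "NetworkMode": "bridge"}},
    {"Name": "/debug",
     "Config": {"Image": "docker.io/library/ubuntu:latest", "User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "ReadonlyRootfs": False, "SecurityOpt": None,
                    "PidMode": "host", "NetworkMode": "host"}},
]

ALLOWED_REGISTRY = "registry.example.internal/"  # hypothetical private registry


def audit(container, allowed_registry=ALLOWED_REGISTRY):
    """Return least-privilege and provenance findings for one inspect record."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("CapAdd"):
        findings.append("cap-add:" + ",".join(host["CapAdd"]))
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("caps-not-dropped")
    # An empty User means the process runs as root inside the container.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs-as-root")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in opts):
        findings.append("new-privileges-allowed")
    if "host" in (host.get("PidMode"), host.get("NetworkMode")):
        findings.append("host-namespace")
    if not cfg.get("Image", "").startswith(allowed_registry):
        findings.append("image-outside-registry")
    return findings


if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"].lstrip("/"), audit(c) or "ok")
```

To audit a live host, feed `audit` the list obtained by parsing the JSON that `docker inspect` prints for the running containers.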

Container Signing

Container orchestration platforms will integrate container signing mechanisms to ensure that we are only running trusted code inside the organization's boundaries.

Should the 88% Be Concerned?

The survey shows that 88% of people have some degree of concern around the security of containers. Hopefully, this short article has made the case that there are many myths leading to these concerns, and many options in how you deploy your container platform for adding security into your environment.

This blog is one of seven in a series providing expert commentary and analysis on the results from Sonatype's 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, see here. Benjamin Wootton (@benjaminwootton) is the co-founder and CTO of Contino and is a guest blogger for Sonatype's 2017 DevSecOps Community Survey.


Published at DZone with permission of Benjamin Wootton, DZone MVB. See the original article here.
