
Looking at Container Security Through the Lens of DevOps

Containerization has revolutionized application development, deployment, and management – and for good reason. The ability to automatically package applications and their dependencies into a single, easy-to-deploy package helps developers focus on what they do best: writing code.

Widely recognized as a way to increase productivity and simplify the process, containerization is gaining popularity among organizations looking to streamline their software development and delivery practices. According to Forrester, 71% of DevOps teams use containers and microservices to deliver applications. These facts warrant a closer look at container security, with a focus on how DevOps can provide a solid framework for the entire software engineering and delivery workflow.

A well-rounded DevOps approach can mitigate the potential pitfalls of containerization, and organizations that implement containerization in DevOps can keep their data and systems secure in the face of increasingly common cyber threats.

The Interplay of DevOps and Container Security

The convergence of development and operations processes, commonly known as DevOps, emphasizes collaboration and automation as key elements of the software lifecycle.

With continuous delivery and high-quality software, organizations can bring new solutions and features to market faster, but the biggest dilemma is avoiding the trade-off between speed and security. Sysdig’s 2023 report shows that as many as 87% of container images running in production contain critical or high-severity vulnerabilities. With this in mind, closing that gap becomes a priority.

Understanding Container Risk

As with any other type of deployment, containers are not immune to exploitation. While the very concept of containerization solves many security issues, it also introduces new vulnerabilities. These include:

  • Runtime threats: An attacker who compromises a running container can go on to compromise not only that container, but also the underlying host operating system.
  • Configuration errors: Misconfigurations can provide unauthorized access to containers and to container orchestration platform data.
  • Image vulnerabilities: Software running in a container may contain vulnerabilities that allow an attacker to gain access first to the container and later even to the host itself.

Proactive security

While container security tools help achieve this balance through image scanning, secrets management, runtime protection, and compliance, there is a more proactive approach. DevSecOps, an evolutionary, security-focused extension of DevOps, mitigates many security holes and misconfigurations early in development.

Both DevSecOps and DevOps ultimately aim to increase container security using the same principles and approaches:

  • Shifting security to the left: When security is considered and implemented from the first stages of a project, it does not become an afterthought, but an integral part of the development process itself. This helps detect and fix security issues early, meaning fewer of them end up in a production-ready deployment.
  • Automation: Automating software vulnerability checking, monitoring running containers, and enforcing project- and industry-relevant security practices can significantly reduce both developer workload and the risk of something malicious slipping past development or security teams.
  • Greater collaboration: By breaking down information barriers between different organizational units, you can increase the overall security of the software development process and create a culture of shared accountability.

Strategies for hardening container applications

While there are many steps to ensuring container security in a DevOps context, there are a few widely recognized best practices that all developers should include in their software development lifecycle.

The basic practice is to secure container runtime environments to the highest degree. Features like AppArmor and SELinux are subsystems (often called security modules) of the Linux kernel that can be used to limit what a containerized application can do at runtime, effectively preventing over-privileged execution and the exploitation scenarios that follow from it.

Most software development isn’t done from scratch, but instead leverages a variety of existing code bases and libraries, all of which are potential attack vectors. Using verified software and container images for development reduces the risk of malicious code or vulnerabilities lurking in the final product. However, even official software can have vulnerabilities, so regular vulnerability scanning can help detect and fix issues before deployment.

Implementing the principle of least privilege is not only about the division between user accounts and administrative accounts, but also the actual processes and software running in the environment. As with user accounts, least privilege means ensuring that containers are run by non-root users whenever possible. This minimizes the damage an attacker could do once they gain a foothold in the container.
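The runtime confinement and least-privilege practices above can be enforced before deployment rather than audited afterwards. The following is an added example (not code from the article or any project it names): a small shift-left check over a Kubernetes Pod spec, supplied as a dict, that flags root execution, privileged mode, undropped capabilities, and the absence of an AppArmor or seccomp profile. The two manifests are constructed for the illustration; the container image name is a placeholder.

```python
from typing import Dict, List

# Constructed example, not code from the article: a pre-deployment check that a
# Kubernetes Pod spec follows the practices above (kernel security-module
# confinement, no root, no privileged mode, capabilities dropped).
def check_container_hardening(pod: Dict) -> List[str]:
    """Return findings for a Pod spec given as a dict; [] means all checks pass."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    for c in spec.get("containers", []):
        name, ctx = c.get("name", "<unnamed>"), c.get("securityContext", {})
        # Least privilege: container-level settings override pod-level ones.
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if uid == 0 or (non_root is not True and uid is None):
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        # Privileged mode disables most of the isolation between container and host.
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged mode enabled")
        # Drop every Linux capability; add back only what the workload needs.
        drops = [x.upper() for x in ctx.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not dropped (add drop: [ALL])")
        # Kernel confinement: an AppArmor profile (annotation form) or a seccomp profile.
        apparmor = annotations.get(f"container.apparmor.security.beta.kubernetes.io/{name}")
        seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {})).get("type")
        if apparmor in (None, "unconfined") and seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no AppArmor or seccomp profile confines the container")
    return findings

# Constructed sample manifests (as dicts): an unhardened pod and its hardened form.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0", "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"kind": "Pod",
    "metadata": {"name": "web", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/app": "runtime/default"}},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "example/app:1.0",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_container_hardening(pod) or "OK")
```

Wired into a CI pipeline as a failing step, a check like this keeps the misconfigurations it names out of production without waiting for a runtime alert.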

It is also difficult to overestimate the importance of actively monitoring and responding to security threats after implementation. Information systems do not exist in a vacuum, so ensuring they function properly and remain healthy is imperative to the performance of the overall environment. This can be achieved using a variety of monitoring and logging tools that collect and analyze container logs and metrics, making it easier to implement a response plan and quickly resolve issues as they arise in the environment.

DevOps is a step towards a secure container ecosystem

Security as an overarching concept is a complex set of ever-changing challenges. While containerization helps solve some problems at a fundamental level, it also introduces a range of new attack vectors.

Security must be integrated into the fabric of software development at early stages, and this is where DevOps comes into play. Organizations can gain many benefits from automation tools to significantly reduce the risks associated with deploying and running containers, but the responsibility to keep it this way throughout the software engineering lifecycle rests with developers.

Container security is not a plug-and-play feature, but rather an ongoing process that includes shift-left strategies in continuous development and integration, monitoring and regularly updating existing assets, and quickly responding to newly discovered threats. DevOps best practices can strengthen the security of your organization’s container environment, both on-premises and in the cloud.


About the author:

David Balaban is a cybersecurity analyst with twenty years of experience in malware research and antivirus software evaluation. David leads the Privacy-PC.com and MacSecurity.net projects, which present expert views on contemporary information security issues, including social engineering, malware, penetration testing, threat intelligence, online privacy and white hat hacking. David has a strong background in malware troubleshooting and has recently focused on ransomware remediation.

Editor’s Note: The views expressed in this guest article are solely the author’s and do not necessarily reflect the views of Tripwire.