The use of containers is growing rapidly, and for good reason. Compared to traditional, monolithic applications, containers offer many benefits: faster delivery, elasticity, portability—the list goes on. In a recent press release, Gartner predicted that by 2022 more than 75 percent of global organizations will be running containerized applications in production, and that by 2024 container management revenue will reach $944 million.
Despite this exciting growth, containers are still vulnerable to cyberattacks. According to a Tripwire survey, 60 percent of enterprises running containers suffered a container security incident in 2018. Additionally, a recent StackRox survey involving IT and security professionals found that 94 percent of respondents encountered a security incident in the past year related to containers or Kubernetes. Without proper security measures in place, your container management environment could suffer from container security incidents too.
To minimize your attack surface, you should know the exact contents and vulnerabilities of your containerized applications before running them in production. By first identifying threats and vulnerabilities, you can begin to enforce policies and achieve the desired level of security and compliance.
Application & Insider Threat Checks
Consider, for example, a developer who has been tasked with building a custom container that runs a popular database server. The security team requires that this database server be a specific version and be configured with TLS and authentication enabled. What can be done to ensure these requirements are met?
Anchore lets users express policy as code. A user can write a simple JSON policy that checks application-level details such as a specific package version or a required configuration option. The policy is then enforced through user-defined actions that can fail a pipeline stage or block the container from being deployed. Putting checks in place for both accidental and malicious insider threats is one of the first things your organization can do to mitigate container security risk.
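The following is an added example, not Anchore's policy format or code, of what "policy as code" looks like in practice for the database scenario above: a small JSON policy with rules for a required package version, required configuration values and a forbidden package, evaluated against a constructed image inventory (installed packages and config file contents) to produce a pipeline verdict. The rule names, the "example-db" package, the config path and the inventory are all constructed for illustration.

```python
"""Toy policy-as-code evaluator (added example; the JSON schema, rule names,
package and file names are all constructed and are not Anchore's format)."""
import json
import re

# Constructed policy encoding the security team's requirements from the text:
# a specific database version, TLS on, authentication required.
POLICY_JSON = """
{
  "id": "db-server-baseline",
  "rules": [
    {"id": "db-version", "check": "required_package",
     "params": {"name": "example-db", "version": "5.7.30"}, "action": "stop"},
    {"id": "db-tls", "check": "required_config",
     "params": {"file": "/etc/example-db/db.conf", "key": "tls", "value": "on"},
     "action": "stop"},
    {"id": "db-auth", "check": "required_config",
     "params": {"file": "/etc/example-db/db.conf", "key": "require_auth", "value": "yes"},
     "action": "stop"},
    {"id": "no-debug-tools", "check": "forbidden_package",
     "params": {"name": "netcat"}, "action": "warn"}
  ]
}
"""

# Constructed inventory of a built image, as a scanner would extract it.
IMAGE_INVENTORY = {
    "packages": {"example-db": "5.7.30", "openssl": "1.1.1", "netcat": "1.10"},
    "files": {
        "/etc/example-db/db.conf": "port=5432\ntls=off\nrequire_auth=yes\n",
    },
}

def _config_value(content, key):
    """Return the value of `key=value` in a simple INI-like file, or None."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), content, re.MULTILINE)
    return m.group(1) if m else None

def evaluate_rule(rule, inventory):
    """Return None when the rule passes, otherwise a human-readable finding."""
    p, check = rule["params"], rule["check"]
    if check == "required_package":
        have = inventory["packages"].get(p["name"])
        if have != p["version"]:
            return "%s: want %s %s, found %s" % (rule["id"], p["name"], p["version"], have)
    elif check == "forbidden_package":
        if p["name"] in inventory["packages"]:
            return "%s: package %s must not be installed" % (rule["id"], p["name"])
    elif check == "required_config":
        have = _config_value(inventory["files"].get(p["file"], ""), p["key"])
        if have != p["value"]:
            return "%s: %s must set %s=%s, found %s" % (
                rule["id"], p["file"], p["key"], p["value"], have)
    else:
        return "%s: unknown check %r" % (rule["id"], check)
    return None

def evaluate_policy(policy_json, inventory):
    """Evaluate every rule. Verdict is 'stop' if any stop-rule fails,
    'warn' if only warn-rules fail, else 'pass'."""
    policy = json.loads(policy_json)
    findings, verdict = [], "pass"
    for rule in policy["rules"]:
        msg = evaluate_rule(rule, inventory)
        if msg is None:
            continue
        findings.append((rule["action"], msg))
        if rule["action"] == "stop":
            verdict = "stop"
        elif verdict == "pass":
            verdict = "warn"
    return verdict, findings

if __name__ == "__main__":
    verdict, findings = evaluate_policy(POLICY_JSON, IMAGE_INVENTORY)
    for action, msg in findings:
        print("[%s] %s" % (action.upper(), msg))
    print("verdict:", verdict)  # a CI stage would fail the build on "stop"
```

With the constructed inventory the version and authentication rules pass, the TLS rule fails (tls=off) and stops the pipeline, and the leftover netcat package produces a warning; flipping tls to on leaves only the warning.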
Ports, Permissions & Private Data Checks
In addition to checking for files, packages, and software artifacts, a container security solution should also check for ports, permissions, and private data. Much as AWS Macie checks for personally identifiable information (PII) in an S3 bucket, container security software should give users automatic checks for exposed ports, insecure permissions, secrets, passwords, licenses, keys, and other metadata. Whether the information was added by mistake or left behind after testing, checks of this nature are essential to achieving compliance and to preventing bad actors from acquiring privileged access or sensitive data.
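As an added illustration of the three checks just described (this is example code, not Anchore's scanner), the block below runs port, permission and secret checks over a constructed image snapshot: a Dockerfile text and a file table of mode bits and contents. The forbidden-port list, the file paths and the sample contents are assumptions; the AWS access key id pattern ("AKIA" plus 16 characters) reflects the real key layout, while the other patterns are deliberately simple.

```python
"""Added example (not Anchore's code): ports, permissions and private-data
checks over a constructed image snapshot."""
import re
import stat

# Constructed Dockerfile for the image being checked.
DOCKERFILE = """\
FROM example/base:1.0
EXPOSE 8443/tcp
EXPOSE 22
COPY app /opt/app
"""

# Constructed file table: path -> (POSIX mode bits, text content), as a
# scanner would extract them from the image layers.
FILES = {
    "/opt/app/run.sh":   (0o755,  "#!/bin/sh\nexec /opt/app/server\n"),
    "/opt/app/helper":   (0o4755, "binary-placeholder"),
    "/opt/app/.env":     (0o644,  "DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"),
    "/opt/app/test.key": (0o666,  "-----BEGIN RSA PRIVATE KEY-----\nMIIB...constructed...\n"),
    "/opt/app/README":   (0o644,  "Nothing sensitive here.\n"),
}

# Assumed policy: remote-shell style ports must never be exposed by an app image.
FORBIDDEN_PORTS = {22, 23, 3389}

# 'AKIA' + 16 characters is the real AWS access key id layout; the other two
# patterns are simple illustrations of secret detection.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key":       re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assign":   re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
}

def exposed_ports(dockerfile):
    """Collect port numbers from EXPOSE instructions ('8443/tcp' -> 8443)."""
    ports = set()
    for line in dockerfile.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "EXPOSE":
            ports.update(int(p.split("/")[0]) for p in parts[1:])
    return ports

def check_ports(dockerfile):
    """Exposed ports that the policy forbids."""
    return sorted(exposed_ports(dockerfile) & FORBIDDEN_PORTS)

def check_permissions(files):
    """setuid/setgid binaries and world-writable files."""
    findings = []
    for path, (mode, _) in files.items():
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid bit set"))
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

def check_secrets(files):
    """Files whose content matches a secret pattern; the match itself is
    never echoed, only the file and pattern name."""
    findings = []
    for path, (_, content) in files.items():
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((path, name))
    return findings

def scan_image(dockerfile, files):
    """Run all three checks; 'clean' is True only when nothing was found."""
    report = {
        "forbidden_ports": check_ports(dockerfile),
        "permissions": check_permissions(files),
        "secrets": check_secrets(files),
    }
    report["clean"] = not any(report[k] for k in ("forbidden_ports", "permissions", "secrets"))
    return report

if __name__ == "__main__":
    for section, items in scan_image(DOCKERFILE, FILES).items():
        print(section, items)
```

On the constructed snapshot the scan flags port 22, the setuid helper, the world-writable key file, and the leftover credentials in .env and test.key; a CI gate would treat any non-clean report as a failed stage.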
There are many container scanning tools on the market that check for Common Vulnerabilities and Exposures (CVEs). However, scanning the same container image with two separate tools will always yield different results. Given the variety of public security advisories available today, it is important that your organization choose a container scanning solution that draws on a comprehensive set of feed sources and is able to identify every software package installed in the container.
As a developer myself, I know that we will install any packages necessary to get a job done. Nonetheless, your security team may want to block a risky package from being used, or discover that there is an upstream patch available for a package. Knowing which CVE corresponds to which package, and ensuring that a container carries no more than the minimum required packages, is critical while your security team researches, evaluates, and minimizes risk.
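To make the CVE-to-package matching and "minimum required packages" points concrete, here is an added example (not Anchore's matcher or feed format): a constructed advisory feed is matched against an installed-package list by version range, each finding carries the fixed version so the team can see whether an upstream patch exists, packages outside the application's required set are listed, and a severity threshold decides whether the image is stopped. The advisory ids, package versions, feed layout and required set are all constructed placeholders; version comparison is simplified to numeric components and ignores distro epochs and suffixes.

```python
"""Added example (not Anchore's code): match a constructed advisory feed to
installed packages and flag packages the application does not need."""
import re

# Constructed feed. Ids are placeholders, not real CVE numbers.
ADVISORY_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl",    "introduced": "1.1.0",  "fixed_in": "1.1.2",  "severity": "high"},
    {"id": "CVE-0000-0002", "package": "curl",       "introduced": "7.0.0",  "fixed_in": "7.79.0", "severity": "medium"},
    {"id": "CVE-0000-0003", "package": "zlib",       "introduced": "1.2.0",  "fixed_in": "1.2.12", "severity": "critical"},
    {"id": "CVE-0000-0004", "package": "example-db", "introduced": "5.7.0",  "fixed_in": "5.7.30", "severity": "high"},
]

# Constructed inventory of the image and the set the application truly needs.
INSTALLED = {"openssl": "1.1.1", "curl": "7.79.1", "zlib": "1.2.11",
             "example-db": "5.7.30", "netcat": "1.10"}
REQUIRED_PACKAGES = {"openssl", "zlib", "example-db"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def version_tuple(v):
    """Simplified ordering on numeric components only (no epochs/suffixes)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def is_affected(version, advisory):
    """True when introduced <= installed < fixed_in."""
    v = version_tuple(version)
    return version_tuple(advisory["introduced"]) <= v < version_tuple(advisory["fixed_in"])

def match_advisories(installed, feed):
    """One finding per (package, advisory) pair that applies to the installed version."""
    findings = []
    for adv in feed:
        ver = installed.get(adv["package"])
        if ver is not None and is_affected(ver, adv):
            findings.append({"package": adv["package"], "installed": ver, "id": adv["id"],
                             "severity": adv["severity"], "fixed_in": adv["fixed_in"]})
    return findings

def unnecessary_packages(installed, required):
    """Installed packages outside the minimum required set: removal candidates."""
    return sorted(set(installed) - set(required))

def gate(findings, threshold="high"):
    """'stop' when any finding is at or above the threshold severity."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return "stop" if worst >= SEVERITY_RANK[threshold] else "pass"

if __name__ == "__main__":
    found = match_advisories(INSTALLED, ADVISORY_FEED)
    for f in found:
        print("%s %s %s (%s) fixed in %s" % (f["id"], f["package"], f["installed"],
                                            f["severity"], f["fixed_in"]))
    print("unneeded packages:", unnecessary_packages(INSTALLED, REQUIRED_PACKAGES))
    print("gate:", gate(found))
```

Here openssl 1.1.1 and zlib 1.2.11 fall inside their affected ranges while curl 7.79.1 and the database are already at or past the fixed version, so the image is stopped on the critical zlib finding; curl and netcat are not in the required set and would shrink the attack surface if dropped.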
In this post, we acknowledged that the increased use of containers among global organizations calls for an increased focus on security. We've also seen a few reasons why Fortune 100 companies and government agencies around the world trust Anchore for their cloud-native environments. By implementing the right tools and policies, your organization can prevent threats and vulnerabilities and achieve the desired level of security and compliance, saving time and money before runtime.