January 19, 2018

Companies are leveraging containers on a massive scale to rapidly package and deliver software applications. But it can be difficult for organizations to get a clear understanding of the components and dependencies in their container images. Development teams must be able to find security vulnerabilities in the development environment, but operations teams need to have the same insight to prevent insecure containers from becoming a danger in production.

A Deep Dive into the NIST Container Security Guidelines

This fundamental change to how companies are deploying software hasn’t gone unnoticed. The National Institute of Standards and Technology (NIST) published the “Application Container Security Guide” in September to address the security risks associated with container adoption.

Chances are, hackers are aware of the growing popularity of containers as well.

As the use of containers becomes best practice in DevOps, that use is also disrupting existing software development and security methodologies. NIST recommends that organizations tailor their “operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containerization.”

However, because a deployed container is an instance of an immutable image, vulnerabilities found in running containers are not fixed by patching those containers in place. The best approach is to update the base images themselves, then the applications, and redeploy the resulting image as new containers. Or as NIST puts it: “Unlike traditional operational patterns in which deployed software is updated ‘in the field’ on the hosts it runs on, with containers these updates must be made upstream in the images themselves, which are then redeployed.”

This is an important operational difference, which is why DevOps teams may have to adjust their processes and tools.

Containers undoubtedly help speed software delivery, but they also pose new risks to application security. NIST acknowledges the benefits of containers, but cautions: “When a container is compromised, it can be misused in many ways, such as granting unauthorized access to sensitive information or enabling attacks against other containers or the host OS.”

Containers, like traditional applications, are vulnerable to hackers and can be breached. The security risk associated with vulnerabilities in containers should be controlled, and the most proactive way of doing that is by finding and removing vulnerabilities in base images.

Defining a Container Security Strategy

The first step your organization must take is to define a container security strategy and use tools that can help you enforce that strategy throughout the DevOps life cycle. These tools must both validate and enforce compliance with container security policies, including a method to prevent containers with security vulnerabilities from being deployed.

“Organizations should use tools that take the declarative, step-by-step build approach and immutable nature of containers and images into their design to provide more actionable and reliable results… This should include having centralized reporting and monitoring of the compliance state of each image, and preventing noncompliant images from being run.”

Container orchestrators are a good first step. NIST states, “Orchestrators should ensure that nodes are securely introduced to the cluster [and] have a persistent identity throughout their life cycle.” When selecting a container orchestrator, make sure that it includes the core capabilities necessary for your environment.

There are many excellent traditional security tools; however, most are not designed to manage the security risks associated with hundreds or thousands of containers. The large-scale use of containers is new, as are the tools you need to manage them. NIST reports: “… traditional tools are often unable to detect vulnerabilities within containers, leading to a false sense of safety.” Rather, organizations should “adopt container-specific vulnerability management tools and processes for images to prevent compromises.”

Securing Against Known Vulnerabilities

Containers should be monitored continuously because new security vulnerabilities are being disclosed every day. In fact, the National Vulnerability Database has documented more than 13,400 vulnerabilities thus far this year, more than double the number disclosed in 2016. When your operations team has thousands of running containers, finding and mitigating or remediating every newly disclosed vulnerability in each container is a significant challenge.

“… an image created with fully up-to-date components may be free of known vulnerabilities for days or weeks after its creation, but at some time vulnerabilities will be discovered in one or more image components, and thus the image will no longer be up-to-date.”

To ensure containers are secure from newly disclosed vulnerabilities, NIST suggests organizations “utilize a container-native security solution that can monitor the container environment and provide precise detection of anomalous and malicious activity within it.”
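The rebuild-and-redeploy model described earlier, the centralized compliance state NIST asks for, and the "image that was up-to-date when built but no longer is" case in the quote above, as one added example that is not from the article or from NIST SP 800-190. The record types, the vulnerability feed, the image inventory and the placeholder vulnerability id are all constructed for illustration; a real deployment would take the feed from a scanner and the inventory from the registry or orchestrator.

```python
from collections import namedtuple
from datetime import date

# Constructed record types; vuln ids below are placeholders, not real CVEs.
Vuln = namedtuple("Vuln", "vuln_id component fixed_in disclosed")
Image = namedtuple("Image", "ref built components")  # components: name -> version


def parse_version(text):
    # "1.2.10" -> (1, 2, 10) so versions compare numerically, not as strings
    return tuple(int(part) for part in text.split("."))


def findings_for(image, feed):
    # The image is immutable after build, so a vulnerability disclosed after
    # image.built still applies to it: the "no longer up-to-date" case.
    hits = []
    for v in feed:
        installed = image.components.get(v.component)
        if installed and parse_version(installed) < parse_version(v.fixed_in):
            hits.append(v.vuln_id)
    return sorted(hits)


def compliance_report(images, feed):
    # Centralised compliance state per image; the remedy for a finding is to
    # update the base image or dependency upstream, rebuild and redeploy.
    report = {}
    for img in images:
        hits = findings_for(img, feed)
        report[img.ref] = {"compliant": not hits, "findings": hits,
                           "action": "rebuild and redeploy" if hits else "none"}
    return report


def admit(image_ref, report):
    # Deployment gate: unknown or noncompliant images are refused.
    entry = report.get(image_ref)
    return bool(entry and entry["compliant"])


# Constructed sample inventory: web:42 was fully patched when built on
# 2018-01-02; a flaw in its libssl 1.0.2 was disclosed a week later.
FEED = [Vuln("VULN-EXAMPLE-1", "libssl", "1.0.3", date(2018, 1, 9))]
IMAGES = [Image("web:42", date(2018, 1, 2), {"libssl": "1.0.2", "nginx": "1.12.2"}),
          Image("web:43", date(2018, 1, 10), {"libssl": "1.0.3", "nginx": "1.12.2"})]
REPORT = compliance_report(IMAGES, FEED)
```

Re-running `compliance_report` against each new feed is what turns a one-time build scan into the continuous monitoring the section calls for; `admit` is the point where noncompliant images are kept from being run.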

Every organization is different and must ensure its approach to container security scales to its containerized environment. It only takes one vulnerable container out of thousands to cause a breach, which is why organizations need visibility into every container image simultaneously. Tools alone are not enough—your organization must also have people to manage those vulnerabilities. Tools scale, but people don’t, and time to remediation is critical.

Once you have visibility into each container, you should group containers based on similar security risks. Smart grouping makes it more difficult for attackers to expand a compromise to other container groups and makes the breach easier to detect and contain.

Finally, make sure that you are proactive about container security. While containers speed software delivery, it’s imperative to understand the new risks they pose to application security. The most effective way of controlling the security risk associated with vulnerabilities in containers is by finding and removing vulnerabilities in base images and application dependencies. The volume both of newly disclosed vulnerabilities and of containers deployed in production environments requires the use of a dedicated container security solution capable of preventing, detecting and responding to threats directed at containers.

About the Author / Tim Mackey

Tim Mackey is technical evangelist for Black Duck Software, which helps organizations to locate, manage and secure their open source software. He is well-versed in open-source application security, data center security, containers, virtualization and cloud technologies. Tim has spoken at many events including OSCON, CloudOpen, Interop, CA World, Cloud Connect and the CloudStack Collaboration Conference. Tim is a published O’Reilly Media author. Connect with him on LinkedIn and follow him on Twitter.