Overcoming Container Security Gaps With Active Vulnerability Management

Organizations can reduce security risks in containerized applications by actively managing vulnerabilities through scanning, automated image deployment, tracking runtime risk and deploying mitigating controls.

Kubernetes and containers have become de facto standards for cloud-native application development due to their ability to accelerate the pace of innovation and codify best practices for production deployments, but such acceleration can introduce risk if not operationalized properly.

In the architecture of containerized applications, it is important to understand that there are highly dynamic containers distributed across cloud environments. Some are ephemeral and short-lived while others are more long-term. Traditional approaches to securing applications do not apply to cloud-native workloads because most deployments of containers occur automatically with an orchestrator that removes the manual step in the process. This automatic deployment requires that the images be continuously scanned to identify any vulnerabilities at the time of development to mitigate the risk of exploitation during runtime.

In addition to these challenges, software supply chain adds complexity to vulnerability scanning and remediation. Applications increasingly depend on containers and components from third-party vendors and projects. As a result, it can take weeks or longer to patch the affected components and release new software when a critical vulnerability is announced.

We can all agree that it’s nearly impossible to fix everything and remove all risks from an environment. However, the security gaps created by increased innovation and production can be overcome by detecting and blocking vulnerabilities using mitigating controls to reduce the risks associated with vulnerable images, tracking images through to runtime, and incident detection during runtime.

Sources of Container Vulnerabilities

Vulnerability management is crucial to administer at the build stage to determine whether an image can be deployed or not. Vulnerabilities come in many varieties and from several types of software flaws and misconfigurations. Vulnerabilities in your image can be inherited from open source libraries, base images and other third-party components—some of which are known and others that have yet to be discovered.

Security risks can also originate from first-party application code. Vulnerabilities can stem from a mistake that application teams make during development or perhaps due to misconfigurations like a hard-coded password that was added inside the code itself. Scanners use extensive databases to continuously track these vulnerabilities and misconfigurations to determine if any are present in applications and how they can be exploited.

Traditionally, vulnerability management initiatives have focused on finding and fixing critical and high vulnerabilities, as these are the most likely to be exploited. In cloud-native application development, many DevOps teams are taking on security responsibilities and finding these vulnerabilities. Then, application and development teams–those with the necessary knowledge and expertise–are tasked with fixing and remediating these security issues.

This creates security gaps between vulnerabilities found by DevOps teams and the application and development teams’ bandwidth to address them. It is important to manage the vulnerabilities by identifying the impact of each issue and prioritizing them so the application and development teams have a stack rank of what they should be fixing and in what order. It is nearly impossible for these teams to fix everything, making prioritization critical to the entire deployment process and the overall resilience of the company.

Mitigating Controls

Unfortunately, there are still instances when newly found vulnerabilities are reported for workloads that have already been deployed. Unfortunately, even if a team is doing everything possible to remediate vulnerabilities as part of their pipeline, vulnerabilities in production workloads are inevitable. However, a particular vulnerability can be mitigated by surrounding it with additional layers of security. Applying mitigating controls and policies will prevent deeper exploitation of that environment.

Mitigating controls provide a longer runway for the development teams to fix any vulnerabilities that may arise. Otherwise, you could be stalling the deployment and slowing down the business’s innovation and production process.

Tracking Images From Build to Runtime

In managing the security gaps, it is important to track images with known vulnerabilities closely to understand which containers are being built out of those images and which containers in the environment could potentially be compromised. Once images are scanned and CVEs have been detected, it’s important to use an automated process that blocks the deployment of images with high-severity vulnerabilities. However, in certain instances, your organization might allow the deployment of images with vulnerabilities.

The next iteration of vulnerability management doesn’t just stop at finding issues but also goes beyond that to provide the context for the image, how it will be used, what compensating controls are available, and, once applied, distinguishing if they are actually issues that need to be fixed immediately. Teams are advised to continuously scan images for vulnerabilities and misconfigurations and keep track of all these issues in both build and runtime to prioritize remediation and monitor any threats that could take advantage of their vulnerability management.

Incident Detection

While vulnerability management is important in the build process, monitoring for runtime threats is an important part of a defense-in-depth security strategy. Monitoring workload behavior for indicators of compromise is an important way to identify malicious actors who may be using unknown or unreported vulnerabilities. If security teams detect a malicious actor that has made its way into the environment at runtime, they can bring that intelligence to the development team working on the build and recognize that there was an unknown vulnerability. The security and development teams can use forensics for the build to better understand and address the method of exploitation. Developers will use that information to plug gaps in the development and close that loop for the team.

Teams are addressing a slate of learning curve challenges as organizations have increased their adoption of cloud-native architecture, such as internal organization tensions, a vulnerability or exposure making its way to deployment and understanding security risks. The steps in which development and security teams address prioritization, controls, tracking and sharing detection intel are crucial for organizations to lean on for overall strong vulnerability management.

Amit Gupta

Amit Gupta is Chief Product Officer at Tigera, where he is responsible for the strategy and vision of Tigera’s products and leads the delivery of the company’s roadmap. Amit is a hands-on product executive with expertise in building software products and services across various domains including cloud security, cloud-native applications, and public and private cloud infrastructure.

Amit Gupta has 2 posts and counting. See all posts by Amit Gupta