Applying DevSecOps to Container Security Headaches

Container security is and will remain an important discussion for organizations, even those on the path to serverless

Container architecture is on the rise, with revenues from the application container market predicted to grow to a more than $3.4 billion industry by 2021. For developers, containers are a natural fit for agile organizations. For organizations, containers deploy virtualization in a way that allows far more efficient use of computing resources. (Yes, they have detractors. I’ll get to that later.)

While containers are compelling to developer teams, it can cause security headaches because organizations struggle to wrap their people and processes around container development. These security risks become increasingly apparent when comparing the agility of container development now with the slow pace of years past.

To combat this challenge, organizations need to take a DevSecOps approach to overseeing container development, creating more transparency between teams and their workflows across the life cycle of a piece of software.

Deceptive Simplicity

Containers have become popular because they readily allow the easy integration of the microservices and modules championed by DevOps proponents, but that simplicity can pose risks. In a container environment, the developer can simply pull an image of the application from a registry and build directly to a server without consulting anyone else.

But there’s a problem with that. The agility that containers enable also flattens old checkpoints. In the old days, the SQL administrator enforced rules under which developers would only use the latest version of SQL, even if previous versions had specific tools the developer preferred. Without these checkpoints, a level of quality control is removed.

Using the latest version of an application might seem like a pretty basic security feature, but developers aren’t always working with security in mind. Unfortunately for many organizations, when levels of quality control are removed, they aren’t replaced with hard rules that reflect the institutional knowledge of the old way of doing things. If there are no rules telling developers not to do it, there are going to be situations when developers use older versions of applications out of convenience or for another reason, despite security risk.

Instituting Container Security Best Practices

The security challenges of a super agile environment aren’t limited to the use of outdated versions. That situation, however, has lots of analogies in the world of containers.

Fortunately, there are a few practices that can overcome some of the security challenges that the ultra-agile container environment present.

First, if you are using containers, institute a strict access control program. Give users and developers permission to do only the things they need to do.

Next, make sure that you are using the latest images. Even the largest and most complex enterprises are designing containers to expire after just 60 days. This short life cycle provides ample opportunity to patch containers with the latest versions.

Only accept container images from trusted sources. Again, this seems obvious, but developers under pressure might be tempted to grab a file from a source that has ulterior motives.

Get the people problem right. The rush toward container adoption can create some stumbling blocks. If you are managing a team, make sure you aren’t pushing too much of the responsibility for security onto the developers.

Containers Here to Stay

When it comes to the rise of container frameworks, discussions on security have taken a back seat to discussions of whether containers will remain a viable technology.

While the continuing evolution toward serverless systems will reduce the use cases for containers, there remain several circumstances, such as IoT applications, in which containers are ideal. Beyond this, the way that container security issues arise from shifts in workflow are likely to be similar for serverless, and organizations can learn these lessons now.

Container security will continue to be an important discussion for those that use them, and discussions about container security can illuminate cultural challenges that may arise on the path to increased virtualization.

Jerry Gamblin

Jerry Gamblin's interest in security ignited in 1989 when he hacked Oregon Trail on his 3rd grade class Apple IIe. As a security evangelist, researcher and analyst, he has been featured on numerous blogs, podcasts and has spoken at security conferences around the world. When he's not helping companies be more secure, he's usually taking his son to swim lessons or hacking embedded systems in cars and IoT devices. He is principal security engineer at Kenna Security.

Jerry Gamblin has 1 posts and counting. See all posts by Jerry Gamblin