Container Inspection: Walking The Security Tightrope For Cloud DevOps
Containers are at the forefront of software development, creating a revolution in cloud computing. Developers are opting for containerization at an impressive rate due to its efficiency, flexibility and portability. However, as the usage of containers increases, so should the security surrounding them. Just as with container ships, the contents of the container must be known, as nobody wants to be carrying unknown goods. The same holds in a virtual sense for a container carrying valuable data assets and applications. With containers comprising many valuable components, it is of the utmost importance that no vulnerabilities are exposed when developing applications, and that risks are mitigated before containers, and their contents, reach the end user.
Common vulnerabilities in Kubernetes and Docker
Containers have facilitated the workflow of DevOps by bringing development and IT operations closer together, with images accessible at pace via a container registry like Docker Hub. However, safety and security still remain a major challenge as hackers discover and use new methods to access hosts through compromised containers. The isolation between containers and the host operating system is key to stopping attacks from becoming widespread, but this is frequently overlooked as developers sit in silos away from the prying eyes of their security counterparts.
Docker Hub is commonly used by DevOps for finding and sharing container images. It is an extremely useful tool, but it must be treated with caution: images should undergo sufficient security assessment before use because they can be plagued with vulnerabilities. Fortinet and Kromtech recently experienced the consequences when security best practices are not followed when using Docker Hub, as they received tainted Docker containers storing downloadable images which mined an estimated $90,000 in cryptocurrency.
Kubernetes is another useful system for container orchestration; however, it is also extremely complex and has a number of vulnerabilities. Privilege escalation is still a very real threat, particularly with multi-user systems designed to allow separate groups of developers to work on independent applications all at the same time. Misconfiguration is a main concern here, as Kubernetes allows pods to communicate through the API, meaning that if one service is compromised, all the services in the network could be exposed. Unfortunately, developers tend to be unfamiliar with network policies and forget to ensure least privilege policies and access controls are in place to reduce network risks.
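As an added illustration (not part of the original article), the Python sketch below audits cluster objects for the two misconfigurations described above: namespaces without a default-deny NetworkPolicy and containers that can escalate privileges. The objects are constructed samples in the shape of a `kubectl get ... -o json` item list, and all namespace and workload names are invented.

```python
import json

# Constructed sample in the shape of a `kubectl get ... -o json` item list.
SAMPLE = json.loads("""{"items": [
 {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "team-a"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
 {"kind": "NetworkPolicy", "metadata": {"name": "allow-web", "namespace": "team-b"},
  "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
           "ingress": [{"ports": [{"port": 8080}]}]}},
 {"kind": "Pod", "metadata": {"name": "api", "namespace": "team-a"},
  "spec": {"containers": [{"name": "api",
           "securityContext": {"allowPrivilegeEscalation": false}}]}},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "team-b"},
  "spec": {"containers": [{"name": "web", "securityContext": {"privileged": true}},
                          {"name": "sidecar"}]}}
]}""")["items"]


def is_default_deny(policy):
    """A policy that selects every pod and lists no ingress rule denies all ingress."""
    spec = policy.get("spec", {})
    selects_all_pods = not spec.get("podSelector")   # {} matches every pod
    return (selects_all_pods and "Ingress" in spec.get("policyTypes", ["Ingress"])
            and not spec.get("ingress"))


def audit(objects):
    """Return (namespace, container, problem) tuples for the given objects."""
    findings = []
    namespaces = {o["metadata"]["namespace"] for o in objects}
    denied = {o["metadata"]["namespace"] for o in objects
              if o["kind"] == "NetworkPolicy" and is_default_deny(o)}
    for ns in sorted(namespaces - denied):
        findings.append((ns, "-", "no default-deny ingress NetworkPolicy"))
    for pod in (o for o in objects if o["kind"] == "Pod"):
        spec, ns = pod["spec"], pod["metadata"]["namespace"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            ctx = c.get("securityContext") or {}
            if ctx.get("privileged"):
                findings.append((ns, c["name"], "privileged container"))
            elif ctx.get("allowPrivilegeEscalation", True):  # unset means allowed
                findings.append((ns, c["name"], "allowPrivilegeEscalation not disabled"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The `sidecar` container is flagged even though it declares nothing, because an unset `allowPrivilegeEscalation` leaves escalation permitted.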
How to secure containerized apps in agile DevOps
Security leaders must address challenges related to these dynamic cloud environments where conventional security tools have become obsolete. This means that security tools must adapt to support workload protection and configuration assessment in newer architectures when dealing with microservices and container services.
Inspect container images early on in the SDLC
As developers no longer write all their own code, container composition analysis should be deployed earlier on in the app development stage for comprehensive image inspections. This will guarantee that critical vulnerabilities in base images are identified and resolved before entering the next stage, with this process being fully automated for easy adoption and fast remediation by developers. Container inspection is essential to help reduce the risk of exposure for organisations who source and use public images from third parties, such as Docker Hub. If inspections do not take place, and a vulnerable container is brought into an organisation’s private registry unknowingly, then it could disrupt the integrity of the application, as well as revenue-generating operations later on.
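One way to automate the inspection step as a build gate, shown here as an added example rather than anything from the article or a specific scanner: the report layout, finding ids, package names and waiver list are all constructed assumptions. It blocks on fixable critical and high findings, honours time-boxed risk acceptances, and routes findings with no patch to review instead of failing the build.

```python
from datetime import date

BLOCKING = {"CRITICAL", "HIGH"}   # assumed policy: these severities can fail a build

# Constructed report; field names are assumptions, not any real scanner's schema.
REPORT = {"image": "registry.example.internal/shop/api:1.4.2", "findings": [
    {"id": "EXAMPLE-0001", "package": "libalpha", "severity": "CRITICAL",
     "fixed_in": "1.2.9"},
    {"id": "EXAMPLE-0002", "package": "libbeta", "severity": "HIGH",
     "fixed_in": None},
    {"id": "EXAMPLE-0003", "package": "pkg-gamma", "severity": "MEDIUM",
     "fixed_in": "4.0.1"},
    {"id": "EXAMPLE-0004", "package": "libdelta", "severity": "CRITICAL",
     "fixed_in": "2.7.0"},
]}
# Constructed risk acceptances: finding id -> date the acceptance expires.
WAIVERS = {"EXAMPLE-0001": date(2020, 1, 1), "EXAMPLE-0004": date(2030, 1, 1)}


def gate(report, waivers, today):
    """Sort findings into block / waived / review; the build passes if nothing blocks."""
    result = {"block": [], "waived": [], "review": []}
    for f in report["findings"]:
        if f["severity"] not in BLOCKING:
            continue                                  # reported elsewhere, never gates
        expiry = waivers.get(f["id"])
        if expiry is not None and today <= expiry:
            result["waived"].append(f["id"])          # accepted, but only until expiry
        elif f["fixed_in"] is None:
            result["review"].append(f["id"])          # no patch yet: escalate, don't block
        else:
            result["block"].append(f["id"])           # fixable now, so fail the build
    result["passed"] = not result["block"]
    return result


if __name__ == "__main__":
    outcome = gate(REPORT, WAIVERS, date.today())
    print(outcome)
    raise SystemExit(0 if outcome["passed"] else 1)   # non-zero exit stops the pipeline
```

An expired waiver stops suppressing its finding, so `EXAMPLE-0001` blocks the build again once its acceptance date has passed.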
Impede application layer attacks before deployment
The next step is to test for vulnerabilities in the application itself. Security flaws such as sensitive data exposure and injections are common for web applications, so checking these against OWASP Top 10 is the best way to minimize risk. It is important to do this during the QA or validation phase before deployment. This step should also be fully automated during the build process and integrated into the CI/CD pipeline to allow a smooth workflow between DevOps and SecOps.
Harden the container host to avoid misconfigurations
Lastly, when the application is ready for production, an organization must be confident that the security controls of the container it is running on are hardened according to industry standards. Security specialists at Outpost24 recommend using CIS Docker and CIS Kubernetes benchmark assessment, the most comprehensive configuration and hardening guidelines to guarantee the security controls are correctly in place for the host, as well as the Docker daemon.
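To make the daemon part of that assessment concrete, here is an added example (not Outpost24's tooling and not the benchmark text itself) that audits a Docker `daemon.json` against a small subset of commonly recommended hardening settings. The two configurations and the registry host are constructed. A key missing from the file is evaluated at Docker's own default, which is how a short file can fail most checks.

```python
import json

# Values Docker uses when a key is absent from /etc/docker/daemon.json.
DEFAULTS = {"icc": True, "userns-remap": "", "no-new-privileges": False,
            "live-restore": False, "userland-proxy": True,
            "log-level": "info", "insecure-registries": []}

# (key, predicate that must hold, consequence if it does not): a subset of checks.
RULES = [
    ("icc", lambda v: v is False, "containers on the default bridge can reach each other"),
    ("userns-remap", lambda v: bool(v), "container root maps to host root"),
    ("no-new-privileges", lambda v: v is True, "setuid binaries can gain privileges"),
    ("live-restore", lambda v: v is True, "containers stop when the daemon restarts"),
    ("userland-proxy", lambda v: v is False, "extra proxy process for published ports"),
    ("log-level", lambda v: v == "info", "log level is not 'info'"),
    ("insecure-registries", lambda v: not v, "images pulled without verified TLS"),
]

# Constructed configurations: a weak one beside a corrected one.
WEAK = '{"log-level": "debug", "insecure-registries": ["registry.example.internal:5000"]}'
HARDENED = json.dumps({"icc": False, "userns-remap": "default",
                       "no-new-privileges": True, "live-restore": True,
                       "userland-proxy": False, "log-level": "info"})


def audit_daemon(raw_json):
    """Return (key, effective value, consequence) for every rule that fails."""
    cfg = {**DEFAULTS, **json.loads(raw_json)}   # missing keys fall back to defaults
    return [(key, cfg[key], why) for key, ok, why in RULES if not ok(cfg[key])]


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        failures = audit_daemon(raw)
        print(f"{label}: {len(failures)} failed check(s)")
        for key, value, why in failures:
            print(f"  {key} = {value!r}: {why}")
```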
Achieve DevSecOps success
Assessing container security early with built-in software composition analysis will help save money and time fixing issues in the future. Beyond technologies and tools, the primary challenge of container security is in the collaboration between DevOps and SecOps. Developers are not security experts and they have their own priorities, yet they are increasingly given more responsibility for security and will become your first line of defense. Therefore, as DevOps remains at the forefront of container adoption, SecOps needs to monitor this by ensuring the best security practices are built into the SDLC workflow in order to support the use of containers at the enterprise level. The best way to achieve true DevSecOps is to educate developers on secure coding practices, leverage security automation and integrate container and application assessment across the SDLC to ensure that security is enabled for faster and safer releases. Everyone should aim for the gold standard of a DevSecOps approach, so that the risk of data leakage is minimized throughout the development cycle and data is unlikely to trickle out of the chain.