Container Security

in containersecurity • 4 years ago (edited)

I wrote this in 2019, and not much has changed since except a few acquisitions, though a newcomer has become a rock star now.


Definition

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
Docker, a major player in container technology

Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer’s laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud.
CIO.com, “What are containers and why do you need them?”

Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop.
Google, “Containers 101”

Foreword

Container security has two parts. The first is securing the container during its build process, to make sure there are no known vulnerabilities in the container images. The second is securing containers at run time, which includes both hardening the container hosts and protecting running containers against attacks and manipulation. Below is a flowchart from Gartner on deciding which container management style to adopt:

[Flowchart from Gartner: choosing a container management style]

Securing Container Build Pipeline

When a container image is built, the resulting image must be scanned for vulnerable libraries so that vulnerable images never reach the container registry in the first place.

Securing Container Images

Container registries must be scanned regularly to alert us to new vulnerabilities present in running containers. Currently, this feature is not provided by AWS ECR scanning. However, workarounds exist, such as a scheduled trigger of the image upload pipeline.
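The two scanning points above (gating the build pipeline, and rescanning the registry for newly published vulnerabilities) can be driven from the same scanner report. This is an added example, not code from the post: it assumes Trivy's JSON report layout ("Results" holding "Vulnerabilities" entries with "VulnerabilityID", "PkgName", "Severity" and "FixedVersion"); the report and its CVE identifiers are constructed placeholders.

```python
"""Gate an image on a Trivy JSON report, and diff two reports from a rescan."""
import json

# Constructed sample in Trivy's JSON layout; the CVE IDs are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "app:1.0 (debian 10.1)", "Type": "debian", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
     "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1d-1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
     "InstalledVersion": "5.0-4", "FixedVersion": "", "Severity": "CRITICAL"}]},
  {"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
     "InstalledVersion": "4.17.11", "FixedVersion": "4.17.12", "Severity": "MEDIUM"}]}
]}
""")

def findings(report):
    """Flatten a report into (id, target, pkg, severity, fixed_version) tuples."""
    out = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            out.append((v["VulnerabilityID"], result["Target"], v["PkgName"],
                        v["Severity"], v.get("FixedVersion", "")))
    return out

def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return the findings that should block the push to the registry.

    With ignore_unfixed=True, findings with no FixedVersion are not blockers:
    a rebuild cannot remove them, so they need a runtime control instead.
    """
    return [f for f in findings(report)
            if f[3] in fail_on and (f[4] or not ignore_unfixed)]

def new_since(previous, current):
    """IDs reported by a registry rescan that the earlier scan did not know."""
    seen = {f[0] for f in findings(previous)}
    return sorted(f[0] for f in findings(current) if f[0] not in seen)

if __name__ == "__main__":
    blockers = gate(SAMPLE_REPORT, ignore_unfixed=True)
    for vid, target, pkg, sev, fixed in blockers:
        print(f"BLOCK {vid} {sev} {pkg} in {target}: upgrade to {fixed}")
    raise SystemExit(1 if blockers else 0)  # non-zero exit fails the CI stage
```

In a pipeline the report would come from `trivy image --format json <image>`; the exit status of the script then decides whether the push step runs.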

Securing Running Containers

In order to protect running containers, we need to secure both the container hosts and the running containers themselves. The first is achieved by hardening the container host while making sure the Docker daemon operates within a preset set of rules. The second is achieved by installing host-based agents that govern running containers and/or embedding agents in the container images.
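One way to enforce a preset of daemon rules on the host is to check its daemon.json before the daemon starts. This is an added example, not the post's code: the rule set (a few CIS-Docker-style settings) is an assumption, and the daemon.json shown is constructed.

```python
"""Check a Docker daemon.json against a small preset of hardening rules."""
import json

# Constructed daemon.json as it might be shipped before hardening.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "icc": true,
  "log-driver": "json-file"
}
"""

# Docker's defaults for keys that may be absent, and the values we expect.
DEFAULTS = {"icc": True, "no-new-privileges": False, "live-restore": False,
            "userns-remap": "", "tlsverify": False}
EXPECTED = {"icc": False, "no-new-privileges": True, "live-restore": True}
UNIX_ONLY = ["unix:///var/run/docker.sock"]

def check_daemon_config(text):
    """Return (key, observed, expected) findings for a daemon.json string."""
    cfg = json.loads(text)
    out = []
    for key, want in EXPECTED.items():
        got = cfg.get(key, DEFAULTS[key])
        if got != want:
            out.append((key, got, want))
    if not cfg.get("userns-remap", DEFAULTS["userns-remap"]):
        out.append(("userns-remap", "", "default (container root -> unprivileged uid)"))
    # A tcp:// listener without TLS client verification hands daemon control,
    # and therefore host root, to anyone who can reach the port.
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify", DEFAULTS["tlsverify"]):
        out.append(("hosts", tcp, "tcp only with tlsverify=true, or unix socket only"))
    return out

def hardened(text):
    """Rewrite the config so that check_daemon_config() reports nothing."""
    cfg = json.loads(text)
    cfg.update(EXPECTED)
    cfg.setdefault("userns-remap", "default")
    # Drop plaintext TCP listeners entirely rather than adding TLS blindly.
    cfg["hosts"] = [h for h in cfg.get("hosts", UNIX_ONLY)
                    if not h.startswith("tcp://")] or UNIX_ONLY
    return json.dumps(cfg, indent=2)

if __name__ == "__main__":
    for key, got, want in check_daemon_config(WEAK_DAEMON_JSON):
        print(f"{key}: observed {got!r}, expected {want}")
    print(hardened(WEAK_DAEMON_JSON))
```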

Case Studies


Golden Images with Applications


AWS ECS with Containers


AWS EKS/Azure AKS/K8s with Containers


AWS Fargate / Azure Container Instances

Since Fargate does not provide any access to the container hosts, we need to secure the registry and the running containers.

AWS Lambda / Azure Functions


Conclusions

Although containers are part of an immutable infrastructure, it is still necessary to apply security agents in cases where a remediation is not available or cannot be deployed in a timely fashion.

Reviews

Secure Container Build Pipeline

CoreOS Clair

Clair scans only OS packages and does not scan, e.g., npm packages.

Aqua Security

Way better than Clair, with fewer false positives.

Trivy

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Twistlock

We used Twistcli to scan our images, and found it good.

Securing Container Images

AWS ECR Scanning

AWS offers scanning of ECR images by CoreOS Clair. Clair scans only OS packages and does not scan, e.g., npm packages.

Azure ACR Scanning

Azure offers scanning of ACR images by Qualys. It doesn’t scan non-OS packages either.

Aqua Security

Aqua scans all packages, including npm, etc.

Twistlock

Twistlock scans all packages, including npm, etc.

Secure Running Containers

Aqua Security

Aqua is a complete container/Kubernetes security platform.

Sysdig Falco

Falco is more of a forensic tool.

Twistlock

Twistlock is a complete container/Kubernetes security platform.

Secure Serverless Containers

PureSec

PureSec provides in-function protections, e.g. against Cross-Site Scripting, firewalling, etc.

Resources:
TwistLock — “The Rise of Containers and What it Means for Security” and “The Ultimate Guide to Container Security”
RedHat — “What Is Container Security?”
Hewlett Packard Enterprise — “5 Ways to Secure Your Containers”
National Institute of Standards & Technology — Application Container Security Guide
TechBeacon — “Container Security: What You Need to Know About the NIST Standards”
