Container Security

Alvin Chang
FAUN — Developer Community 🐾
5 min read · Feb 5, 2021


I wrote this in 2019, and not much has changed since except a few acquisitions; a newcomer, however, has become a rockstar now.

Definition

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries, and settings.

— Docker, a major player in container technology

Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer’s laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud.

CIO.com, “What are containers and why do you need them?”

Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop.

Google, “Containers 101”

Foreword

Container security has two parts. The first is securing the container while it is being built, so that images with known vulnerabilities never ship. The second is securing containers at run time, which means hardening the container hosts as well as protecting the running containers themselves against attacks and manipulation. Below is a flowchart from Gartner on deciding which container management style to adopt:

Securing Container Build Pipeline

While the container is being built, the resulting image must be scanned for vulnerable packages, and the build must fail on findings above an agreed severity, so that vulnerable images never reach the container registry in the first place. Pay attention to what the scanner actually covers: a tool that only inspects OS packages will miss vulnerable application dependencies (npm, pip, Maven and the like) baked into the same image.

Securing Container Images

Container registries must be re-scanned regularly, because an image's contents never change but the vulnerability databases do: a CVE published after the build leaves an already-pushed, possibly already-running image vulnerable, with no new push to trigger a scan. At the time of writing, AWS ECR scanning does not re-scan on its own. Workarounds exist, such as a scheduled trigger of the image upload pipeline, or a scheduled job that requests a fresh scan of every image still in use and diffs the result against the findings recorded at build time.
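As an added example (not code from the original article or from any of the tools it reviews), here is a Python policy gate over Trivy-style JSON scan reports that serves both of the points above: in CI it fails the build before the image is pushed when a fixable HIGH or CRITICAL finding is present, and on a schedule it compares a fresh re-scan of an already-pushed image against the report stored at build time, so that a CVE published after the build still surfaces. The report field names follow Trivy's JSON output as I understand it; the sample reports, dates and allowlist entry are constructed, and the vulnerability identifiers in them are placeholders, not real CVEs.

```python
"""Policy gate over Trivy-style JSON scan reports (added example).

Two call sites share one policy:
  * in CI, right after `trivy image --format json -o report.json <image>`,
    to fail the build before the image is pushed;
  * on a schedule, re-scanning images already in the registry and diffing
    against the report stored at build time, so that a CVE published after
    the build still surfaces even though the image bytes never changed.

Assumptions: the layout Results[].Vulnerabilities[].{VulnerabilityID,
PkgName, InstalledVersion, FixedVersion, Severity} follows Trivy's JSON
output as the author understands it. All reports, dates and identifiers
below are constructed placeholders, not real scan data or real CVEs.
"""
import copy
import datetime as dt

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Accepted findings, keyed by (vulnerability id, package), each with an
# expiry date. An expired entry stops suppressing the finding so that a
# temporary exception cannot quietly become a permanent one.
ALLOWLIST = {
    ("CVE-0000-0003", "curl"): dt.date(2021, 3, 1),   # constructed entry
}

BUILD_DATE = dt.date(2021, 2, 5)     # when the image was built and first scanned
RESCAN_DATE = dt.date(2021, 3, 15)   # a later scheduled re-scan of the same image


def findings(report):
    """Flatten a report into (id, pkg, installed, fixed, severity) tuples."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # Trivy emits null when clean
            out.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                        v.get("FixedVersion", ""), v.get("Severity", "UNKNOWN")))
    return out


def evaluate(report, min_severity="HIGH", today=None, require_fix=True):
    """Apply the gate. Returns (blocking, accepted, unfixable).

    blocking  : findings at or above min_severity that fail the gate
    accepted  : findings suppressed by an allowlist entry that has not expired
    unfixable : findings at or above min_severity with no upstream fix yet;
                with require_fix=True they are reported but do not block,
                since rebuilding cannot remediate them (track them instead)
    """
    today = today or dt.date.today()
    threshold = SEVERITY_RANK[min_severity]
    blocking, accepted, unfixable = [], [], []
    for f in findings(report):
        vid, pkg, _installed, fixed, sev = f
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        expiry = ALLOWLIST.get((vid, pkg))
        if expiry is not None and expiry >= today:
            accepted.append(f)
        elif not fixed and require_fix:
            unfixable.append(f)
        else:
            blocking.append(f)
    return blocking, accepted, unfixable


def new_since(previous, current):
    """Findings in a re-scan that the stored build-time report did not have."""
    seen = {(f[0], f[1]) for f in findings(previous)}
    return [f for f in findings(current) if (f[0], f[1]) not in seen]


def make_vuln(vid, pkg, installed, fixed, severity):
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed build-time report: one MEDIUM (below the gate) and one HIGH
# that is covered by the allowlist entry above; the lockfile target is clean.
BUILD_REPORT = {"SchemaVersion": 2, "Results": [
    {"Target": "app:1.0 (alpine 3.12)", "Class": "os-pkgs", "Vulnerabilities": [
        make_vuln("CVE-0000-0001", "musl", "1.1.24-r9", "1.1.24-r10", "MEDIUM"),
        make_vuln("CVE-0000-0003", "curl", "7.69.1-r0", "7.69.1-r1", "HIGH"),
    ]},
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": None},
]}

# Constructed re-scan of the identical image: a CRITICAL against a lockfile
# dependency was published in the meantime, and the curl exception expired.
RESCAN_REPORT = copy.deepcopy(BUILD_REPORT)
RESCAN_REPORT["Results"][1]["Vulnerabilities"] = [
    make_vuln("CVE-0000-0007", "lodash", "4.17.15", "4.17.21", "CRITICAL"),
]

if __name__ == "__main__":
    blocking, accepted, unfixable = evaluate(BUILD_REPORT, today=BUILD_DATE)
    print("build gate :", "FAIL" if blocking else "PASS", "accepted:", accepted)
    blocking, accepted, unfixable = evaluate(RESCAN_REPORT, today=RESCAN_DATE)
    print("rescan gate:", "FAIL" if blocking else "PASS", "blocking:", blocking)
    print("new since build:", new_since(BUILD_REPORT, RESCAN_REPORT))
```

In CI the report would come from `trivy image --format json -o report.json <image>` run before the push; on the schedule, from the same command run against the registry tag, or from the registry's own scan findings translated into the same shape. The allowlist carries an expiry on purpose: an exception that never expires is a permanent hole, and the gate treats an expired one exactly like no exception at all.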

Securing Running Containers

To protect running containers, we need to secure both the container hosts and the containers themselves. The first is achieved by hardening the container host and constraining the Docker daemon to a preset of rules (no unauthenticated TCP listener, user namespace remapping, no-new-privileges by default, and so on); the second by installing host-based agents that govern running containers, embedding agents in the container images, or both. Per-container settings matter as much as the daemon's: a privileged container, or one with the Docker socket mounted, is effectively root on the host however carefully the daemon is configured.
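As an added example (not code from the original article or from Docker), here is a Python audit of the two layers just described: the Docker daemon's configuration (daemon.json) and a single container's settings as returned by `docker inspect`. It flags the handful of settings that most often turn a compromised container into a compromised host. Field names follow daemon.json and `docker inspect` output as I understand them; the rule set is an illustrative subset in the spirit of the CIS Docker Benchmark, not the benchmark itself, and the records below are constructed, not captured from a real host.

```python
"""Audit Docker daemon and container settings against a small rule set
(added example, not from the original article or from Docker).

Inputs:
  * a daemon.json dict: host-level settings that bound what any container
    on the host can do;
  * one record from `docker inspect <container>`: the per-container settings
    that most often turn a compromised process into a compromised host.

Assumptions: key names (hosts, icc, userns-remap, ..., HostConfig.Privileged,
HostConfig.Binds, Config.User, ...) follow daemon.json and `docker inspect`
output as the author understands them; the rule set is illustrative, in
the spirit of the CIS Docker Benchmark, not the benchmark itself.
"""

DOCKER_SOCKET = "/var/run/docker.sock"
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH"}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def audit_daemon(cfg):
    """Return (severity, rule, detail) findings for a daemon.json dict."""
    found = []
    # A TCP listener without TLS client verification is remote root on the host.
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        found.append(("CRITICAL", "daemon-tcp-without-tls", ", ".join(tcp)))
    if cfg.get("icc", True):          # Docker's default allows container-to-container traffic
        found.append(("MEDIUM", "inter-container-traffic-allowed", 'set "icc": false'))
    if not cfg.get("no-new-privileges"):
        found.append(("MEDIUM", "setuid-escalation-allowed", 'set "no-new-privileges": true'))
    if not cfg.get("userns-remap"):
        found.append(("MEDIUM", "container-root-is-host-root", 'set "userns-remap": "default"'))
    if not cfg.get("live-restore"):
        found.append(("LOW", "daemon-restart-kills-containers", 'set "live-restore": true'))
    return found


def audit_container(inspect):
    """Return (severity, rule, detail) findings for one `docker inspect` record."""
    hc = inspect.get("HostConfig", {})
    cfg = inspect.get("Config", {})
    found = []
    if hc.get("Privileged"):
        found.append(("CRITICAL", "privileged", "all capabilities and all host devices"))
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src == DOCKER_SOCKET:
            found.append(("CRITICAL", "docker-socket-mounted", bind))
        elif src == "/":
            found.append(("CRITICAL", "host-root-mounted", bind))
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name   # accept CAP_SYS_ADMIN too
        if name in RISKY_CAPS:
            found.append(("HIGH", "dangerous-capability", cap))
    if "ALL" not in (hc.get("CapDrop") or []):
        found.append(("MEDIUM", "default-capability-set", "use --cap-drop=ALL, then re-add only what is needed"))
    if hc.get("PidMode") == "host":
        found.append(("HIGH", "host-pid-namespace", "host processes are visible and signalable"))
    if hc.get("NetworkMode") == "host":
        found.append(("HIGH", "host-network-namespace", "host interfaces and ports are reachable"))
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        found.append(("MEDIUM", "no-new-privileges-unset", "setuid binaries can regain privileges"))
    if not hc.get("ReadonlyRootfs"):
        found.append(("LOW", "writable-root-filesystem", "use --read-only with tmpfs for scratch paths"))
    if not hc.get("PidsLimit"):       # null and 0 both mean unlimited
        found.append(("LOW", "no-pids-limit", "a fork bomb can exhaust the host"))
    if not cfg.get("User"):
        found.append(("MEDIUM", "runs-as-root", "set USER in the Dockerfile or pass --user"))
    return found


def worst(found):
    """Highest severity rank among findings, 0 when clean; usable as an exit code."""
    return max((SEVERITY_RANK[s] for s, _, _ in found), default=0)


# Constructed records (not captured from a real host): a CI runner that was
# "made to work", and an API container hardened the way the text suggests.
LAX_CONTAINER = {
    "Id": "0000aaaa", "Name": "/ci-runner",
    "Config": {"Image": "ci-runner:latest", "User": ""},
    "HostConfig": {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "PidMode": "host",
                   "NetworkMode": "bridge", "SecurityOpt": None,
                   "ReadonlyRootfs": False, "PidsLimit": None},
}
HARDENED_CONTAINER = {
    "Id": "0000bbbb", "Name": "/api",
    "Config": {"Image": "api:1.4", "User": "10001:10001"},
    "HostConfig": {"Privileged": False, "Binds": ["/srv/api/config:/config:ro"],
                   "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"], "PidMode": "",
                   "NetworkMode": "bridge", "SecurityOpt": ["no-new-privileges:true"],
                   "ReadonlyRootfs": True, "PidsLimit": 256},
}
LAX_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {"hosts": ["unix:///var/run/docker.sock"], "icc": False,
                   "no-new-privileges": True, "userns-remap": "default", "live-restore": True}

if __name__ == "__main__":
    for label, rec in (("lax", LAX_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        for f in audit_container(rec):
            print("container", label, *f)
    for label, cfg in (("lax", LAX_DAEMON), ("hardened", HARDENED_DAEMON)):
        for f in audit_daemon(cfg):
            print("daemon", label, *f)
```

On a real host the container records come from `docker inspect $(docker ps -q)` and the daemon configuration from /etc/docker/daemon.json; `worst()` gives a non-zero result whenever anything was flagged, so the same script can gate a host build or run from cron as a drift check. The two CRITICAL rules are the ones worth acting on first: a privileged container or a mounted Docker socket makes every other setting irrelevant.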

Case Studies

Golden Images with Applications

AWS ECS with Containers

AWS EKS/Azure AKS/K8s with Containers

AWS Fargate / Azure Container Instances

Since Fargate does not give any access to the container hosts, host hardening and host-based agents are off the table; what remains is securing the registry (scanning and re-scanning images) and the running containers, which in practice means protections embedded in the image itself.

AWS Lambda / Azure Functions

Conclusions

Although containers are part of immutable infrastructure, it is still necessary to apply security agents in cases where a remediation is not available or cannot be deployed in a timely fashion: rebuilding and redeploying fixes a known, fixable vulnerability, but it does nothing for a vulnerability with no fix yet, or for an attack on an image that is otherwise clean.

Reviews

Secure Container Build Pipeline

CoreOS Clair

Clair scans only OS packages (the apk, apt and rpm package databases) and does not scan application-level dependencies such as npm packages.

Aqua Security

Way better than Clair with fewer false positives.

Trivy

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Twistlock

We used Twistcli to scan our images, and found it good.

Securing Container Images

AWS ECR Scanning

AWS ECR scanning is backed by CoreOS Clair, so it inherits Clair's limitation: OS packages only, no application-level dependencies such as npm packages.

Azure ACR Scanning

Azure ACR scanning is backed by Qualys. It does not scan non-OS packages either.

Aqua Security

Aqua scans all packages, OS-level and application-level (npm and others).

Twistlock

Twistlock scans all packages, OS-level and application-level (npm and others).

Secure Running Containers

Aqua Security

Aqua is a complete container/Kubernetes security platform.

Sysdig Falco

Falco is a runtime detection tool rather than a full enforcement platform: it watches system calls against a rule set and raises alerts on violations (a shell spawned inside a container, a write to a sensitive path) but does not block them, which puts it closer to the detection and forensics end than Aqua or Twistlock.

Twistlock

Twistlock is a complete container/Kubernetes security platform.

Secure Serverless Containers

PureSec

PureSec provides in-function protections such as cross-site scripting detection and function-level firewalling, among others.

Resources:
