Overview: What Is Container Security?
Container security protects the integrity of containers, including the applications within them and the infrastructure they rely on. Containers make it easy to build, package, and deploy applications and services to different environments and deployment targets. Docker is a popular containerization technology, and Docker images are one of the easiest ways for vulnerabilities to enter your cluster, so it’s important to understand where they come from.
Why Container Security Is Important
Containers are composed of layers of files, which are called container images. The base image is critical for security, because it’s the starting point for your Linux containers. If you have a vulnerability in your base image, that vulnerability will be in every container that contains that base image. This is why it’s important to find a trusted source for base images. Remember that when you add applications and make configuration changes, those changes introduce new variables.
“According to a 2020 survey by 451 Research, over a 12 month period 94% of organizations reported a serious security incident in K8s and container environments.”
Container Security Risks
Docker containers make development more efficient and predictable, eliminating some repetitive configuration tasks. In addition, using Docker can increase the level of security compared to running applications directly on the host. The Open Web Application Security Project® (OWASP) provides 12 rules to help you prevent common security mistakes and apply best practices that can help you secure your Docker containers, including staying current with patches, ensuring that you’re not exposing the Docker daemon socket, limiting capabilities, and more. Following these rules will help your organization reduce risks related to container security, but you’ll need additional tools to scan images and detect misconfigurations.
Container Security Challenges
It’s not easy to see inside a container and to understand what open source is in use inside your containers. A Docker container is a virtualized runtime environment, and a Docker image is a record of a Docker container at a specific point in time that contains all of the application code, tools, libraries, dependencies, and additional files necessary to make an application run — that’s a lot! Docker images also have multiple layers, and each one is based on the previous one but is also different from it. Docker images are reusable, but they also can’t be changed. So if there’s a problem, you’ll need to remediate the vulnerability and build a new container image.
Remember that even if you’re scanning your container images regularly as part of your CI/CD or your registry, Common Vulnerabilities and Exposures (CVEs) can be introduced at any time. That means even images in your live environment may contain newly discovered CVEs, so you must proactively scan the images that are running in your environments.
Container Security in Kubernetes
Cloud fundamentally changes the way infrastructure security happens, which means rethinking security for most organizations to plan for container security and Kubernetes security considerations. Kubernetes is the de facto standard for container orchestration, so it’s critical to consider container security as integral to your Kubernetes security best practices. Kubernetes, while not secure by default, does offer several built-in security features, including Kubernetes role-based access control (RBAC), network policies, and admission controllers.
An additional consideration for container security in Kubernetes is the added complexity. It’s almost an equation: take the number of engineers and multiply it by the number of cloud accounts, microservices, APIs, and more. Essentially, this means that you’re in an environment of constant change. There’s a lot to keep up with, especially with a maturing technology, finite security talent resources, and increasing compliance requirements. Finding ways to gain visibility into the security of your containers in Kubernetes is essential, and automating policy enforcement is a requirement for maintaining continuous security and governance. Datadog reports that half of organizations running containers use Kubernetes, and almost 90% of containers are orchestrated to automate aspects of container deployment and maintenance, making container security an essential part of Kubernetes security.
What Is Container Scanning?
Container scanning, also called container image scanning, is the process or method of scanning containers — and all of their components — to identify security vulnerabilities. For any team working to secure containerized DevOps workflows, container scanning is a critical component of container security.
Container images come from a wide range of sources, including public repositories, which may increase the potential risk for compromise. Images from untrusted sources may contain vulnerabilities or malicious components, and may not be configured properly to meet compliance standards. Maintaining trust in your container images is especially important due to the varied sources of images, and container scanning can help you better understand the components in an image or container. To increase security across your entire application lifecycle, your team should leverage container security in three areas.
- Integrate image scanning into the CI/CD pipeline: it’s best to scan components as you build your containers. If you build with vulnerabilities, they’ll be part of your containers and images — you need to remediate the vulnerabilities and rebuild the containers and images. Integrating image scanning to detect and block vulnerabilities before the code enters the pipeline helps you shift security left, improving your DevSecOps practice.
- Scan your container registry: the container registry is where you store all of your application images, and it may hold hundreds or thousands of images built from different sources, including third-party locations. One vulnerability or insecure configuration could result in a threat to your registry and your application. Continuously and automatically scan your registry for any change in vulnerability status — and make sure you scan every image to identify and prevent potential incoming threats.
- Open source vulnerability scanning at runtime: to achieve optimal container security, you can’t just scan the registry — you need to automate continuous scanning to identify new CVEs as soon as they are identified. Continuous, automated scanning helps you detect new vulnerabilities, report findings to your security team, and remediate them quickly. Because your environment may contain multiple applications and clusters, it’s best to have visibility into container vulnerabilities across environments, so you can prioritize remediation efforts.
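One concrete form of the CI/CD gate described in the first of these three areas, as an added example that is not code from this page, from Fairwinds Insights, or from the Trivy project: it reads the JSON report that `trivy image --format json` produces, ignores findings below a severity threshold, and blocks the image only on findings that a rebuild can actually fix (the remaining findings still belong in the registry and runtime scanning of the other two areas). The embedded report is constructed; its image name, package versions and CVE ids are placeholders.

```python
import json
import sys

# Constructed sample of `trivy image --format json <image>` output; placeholders, not real scan data.
SAMPLE_TRIVY_JSON = """
{
  "Results": [
    {
      "Target": "registry.example/app:1.0 (debian 12.0)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
         "InstalledVersion": "5.2", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
         "InstalledVersion": "7.88", "FixedVersion": "7.89", "Severity": "LOW"}
      ]
    }
  ]
}
"""

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def findings(report_text, min_severity="HIGH", fixable_only=True):
    """Findings at or above min_severity; with fixable_only, only those a rebuild can fix."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue  # no upstream fix yet: track it, but do not block the build on it
            hits.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                         "installed": vuln["InstalledVersion"], "fixed": vuln.get("FixedVersion", ""),
                         "severity": vuln["Severity"], "target": result.get("Target", "")})
    return hits

def gate(report_text, min_severity="HIGH", fixable_only=True):
    """Exit status for the CI step: 0 lets the image through, 1 blocks it."""
    hits = findings(report_text, min_severity, fixable_only)
    for h in hits:
        print(f"{h['severity']:<8} {h['id']} {h['pkg']} {h['installed']} -> {h['fixed']} [{h['target']}]")
    return 1 if hits else 0

if __name__ == "__main__":
    # Pipe a real report in (`trivy image --format json app:1.0 | python gate.py`) or run with no input for the sample.
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRIVY_JSON))
```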
Ongoing Container Scanning Is Critical
According to a recent 451 Research survey, 69% of respondents experienced a misconfiguration incident, 27% experienced a security incident during runtime, and 24% reported that they had a major vulnerability to remediate. Container security concerns impact many organizations, delaying the deployment of applications due to security concerns. Delaying deployment impacts your organization’s ability to deliver applications and services to market, and likely your bottom line.
Container Security Validation
Fairwinds Insights enables Kubernetes-native security, policy, and governance to help your organization reduce risk across multiple teams and clusters by providing both continuous scanning and runtime monitoring for your Kubernetes environments. Insights locates container risks using Trivy, an open source container scanning solution. It then creates Action Items for any image with known vulnerabilities, so you have visibility into where your vulnerabilities are and can plan your remediation steps.
When you are deploying applications and services in Kubernetes environments, you will have multiple teams, multiple clusters, and many running containers. It’s important to have a single dashboard that shows information across environments to maximize your visibility into a complex environment, automate your security at scale, and integrate shift-left security to reduce risk faster. Fairwinds Insights validates container security and Kubernetes security best practices, helping you focus on your applications and not just on maintaining the security of your containers and Kubernetes environment.
Read this white paper to learn how to validate container security and employ Kubernetes best practices.