Table of contents
Container security
Containers have become a popular standard of packaging applications using the Open Container Initiative specification:
- Operating systems like Ubuntu, CentOS etc.
- Application package managers like
pip
,npm
,RubyGems
etc. - Application code and associated metadata
Unlike VMs and physical servers, containers can be scanned for vulnerabilities before deployment. However, they come with security risks, especially opaque third-party container images. On Docker Hub alone there are more than 7M repositories. 11B images are downloaded each month.
With so many to choose from, selecting one should take into account:
- Freshness: old container images can have known vulnerabilities
- Reputability: obscure images could harbour backdoors and malicious code
- Performance: some images are poorly built and eat up system resources, leading to unnecessary cost or crashing other containers
Container security covers several aspects:
- the image and software inside
- the interaction between the container, the host OS and other containers (i.e. malicious code escaping sandbox)
The best practice is to automate the detection and correction of vulnerabilities at container level using automation, e.g. integrating with tools like Snyk or directly with tools provided by the cloud platform, like AWS ECR.
Ensure container security at built phase.
- Use code-analysis tools to recognise and report vulnerabilities
- Harden containers and reduce the surface of attack by removing any unnecessary dependencies like libraries and packages
- Scan images and registries regularly to detect and fix vulnerabilities before shipping
- Create guidelines on appropriate responses, considering urgency and impact, to patch vulnerable systems
Ensure container security at ship phase.
- Sign images to verify the publisher and that no tampering has occurred
- Enforce access restrictions and monitor access to sensitive images and deployment tools (registries, orchestration tools)
Ensure container security at runtime phase.
- Scan hosts and containers before and during runtime for vulnerabilities
- Monitor hosts and containers for suspicious processes such as port scanning and root-priviledge escalations
- Detect lateral movements and sandbox breaches using suspicious network connections to other containers and hosts
- Lock down containers to exclude external access if not necessary
- Use encryption to protect sensitive resources accessible by containers like API keys and secrets
- Continuously audit security settings for containers, hosts and platform/orchestration tools
- Add the ability to quickly quarantine containers exhibiting suspicious behaviour during investigation
- Capture packets and events for further forensic logging analysis