As the use of containers becomes standard practice, existing software development and security methodologies may need to be modified to better support a new way of developing, running, and supporting applications made possible by containerisation.
For example, an important operational difference due to the nature of containers is that, contrary to how virtual machines are maintained, vulnerabilities identified within containerised applications shouldn't simply be patched in place with the latest software update. Instead, a container image is patched by rebuilding the Docker image with the appropriate updates and then replacing the existing running containers with containers started from the updated image. This change in paradigm often requires that enterprises reassess their patching processes.
Identification of risk is a crucial component of security, and risk is a function of the composition of a container image. Some key questions operations teams need to answer in order to minimise risk include:
If a patch is issued for a base image, what is the risk associated with consuming the patch?
Given my tooling, how quickly will I be informed of component updates for dependencies which directly impact my containers?
Given the structure of a component or project, do malicious actors have an easy way to gain an advantage when it comes to issues raised against the component?
Defining a container security strategy
One critical attribute of any container security solution is its ability to identify new containers within the cluster and automatically attest to the security state of each container. The desired security state will of course vary by application, so solutions need a policy framework which allows "at a glance" identification of any containers violating policy. The most advanced tools enforce that policy: they provide a method to prevent containers with security vulnerabilities from being deployed, and they include centralised reporting and monitoring of the compliance state of each image so that non-compliant images are prevented from being run.
Most enterprises operate under governance regulations requiring continuous monitoring of infrastructure. This requirement exists for containerised applications as well, but the immutability of container images and the fact that containers are replicated from those images leads to a change in paradigm. Container images should be monitored continuously because new security vulnerabilities are being discovered every day. But with hundreds or thousands of containers running at the same time, finding and remediating every newly discovered vulnerability in each container can be a challenge. Identifying an issue in a container image means that same issue will be present in all running containers replicated from that image. An image created with fully up-to-date components may be free of known vulnerabilities after its creation, but at some time vulnerabilities will be discovered in one or more image components.
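The policy check and the image-to-container mapping described in the two paragraphs above, as an added example that is not part of the original article: the scan results, image digests, vulnerability identifiers and container inventory are all constructed, and the policy thresholds are assumptions.

```python
"""Policy evaluation over a constructed image scan report and container inventory."""

# Rank order used to compare a finding against the policy threshold. "NONE" lets a
# policy block every finding regardless of severity.
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan results keyed by image digest (placeholder digests and vuln ids).
SCAN_RESULTS = {
    "sha256:aaa": [{"id": "VULN-EXAMPLE-1", "severity": "HIGH", "fix_available": True}],
    "sha256:bbb": [{"id": "VULN-EXAMPLE-2", "severity": "LOW", "fix_available": False}],
    "sha256:ccc": [],
}

# Constructed inventory: each running container and the image digest it was started from.
RUNNING = [
    {"name": "web-1", "image": "sha256:aaa"},
    {"name": "web-2", "image": "sha256:aaa"},
    {"name": "api-1", "image": "sha256:bbb"},
    {"name": "batch-1", "image": "sha256:ccc"},
]


def image_violations(findings, max_severity="MEDIUM", require_fix_available=True):
    """Return the findings that exceed the policy threshold.

    With require_fix_available=True only findings that a rebuild can actually
    remediate count as violations; otherwise every finding above the limit does.
    """
    limit = SEVERITY_RANK[max_severity]
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] > limit
            and (f["fix_available"] or not require_fix_available)]


def admit(image, scan_results, **policy):
    """Admission decision for a deployment request: True only for a scanned,
    policy-compliant image. An image that has never been scanned is refused."""
    if image not in scan_results:
        return False
    return not image_violations(scan_results[image], **policy)


def affected_containers(scan_results, running, **policy):
    """Group non-compliant running containers by image digest, so that one rebuild
    and rollout per image is known to cover every replica started from it."""
    grouped = {}
    for container in running:
        violations = image_violations(scan_results.get(container["image"], []), **policy)
        if violations:
            entry = grouped.setdefault(container["image"],
                                       {"vulns": [f["id"] for f in violations], "containers": []})
            entry["containers"].append(container["name"])
    return grouped
```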