Thursday, January 5, 2017

Assembling A Container Security Program [New Paper]

We are pleased to announce the launch of our recent research effort on Docker security: Assembling a Container Security Program. We have finally reached the point where enterprises – as containers are integral elements of software delivery – demand security in and around containers. It is not coincidental that Docker has recently added a lot of security capabilities to its offerings, but that is still only a small subset of what is needed. During our research we learned many things, including:

  • It’s no longer a hypothetical discussion among security practitioners; software development and operations teams need to get a handle on what is being done and how to verify that security controls are in place.
  • The security conversation still centers on OS hardening; while this subject is complex and can be difficult to manage, it’s a fairly well understood set of problems. There are simply many more moving pieces in play, and the day-to-day security issues teams face are not being discussed in the media.
  • Very little attention is being paid to the build environment, and to making sure that what is supposed to be in the container is there, and nothing more. Vetting that code and third-party libraries are secure is absent from virtually all container security programs we discussed with companies.
  • Human error is more likely to cause issues than security bugs. Running services in the container as the root user, poor handling of keys and certificates, and opening up ports or allowing indiscriminate communications are all common issues that can be tested for.
  • The handoff from development to operations, and how operations teams vet containers prior to putting them into production, is somewhat free-form. As more containers are delivered at a faster pace, especially with continuous integration and DevOps engineering, container management in general – and specifically knowing which containers should be running at any time – is becoming harder.
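As an added example (not code from the paper, from Securosis, or from Aqua Security), the following Python script lints a Dockerfile for the build-time mistakes the list above calls out: a service left running as root, keys and certificates baked into image layers or environment variables, and administrative ports opened. The two Dockerfiles, the secret-name patterns and the port list are constructed for illustration and are assumptions, not anything the paper prescribes; the point is that these checks are mechanical and can run in the build pipeline before the handoff to operations.

```python
import re

# Constructed sample (hypothetical) that exhibits each issue in the list above.
SAMPLE_DOCKERFILE = r"""
FROM ubuntu:16.04
# Secret baked into the image via ENV; the value is a made-up placeholder.
ENV API_KEY=placeholder-not-a-real-key
# Private key copied into an image layer, where it stays even if later deleted.
COPY server.key /etc/ssl/private/server.key
RUN apt-get update && apt-get install -y nginx
EXPOSE 22 80 443
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed hardened variant: dedicated user, no secrets in layers, service ports only.
HARDENED_DOCKERFILE = r"""
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y nginx \
    && groupadd -r web && useradd -r -g web web
EXPOSE 80 443
USER web
CMD ["nginx", "-g", "daemon off;"]
"""

# Assumed patterns for variable names and file names that usually carry secrets.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSW", re.IGNORECASE)
SECRET_FILE = re.compile(r"\.(pem|key|p12|pfx)$|(^|/)id_(rsa|dsa|ecdsa|ed25519)$",
                         re.IGNORECASE)
# Ports a service container should not normally expose (SSH, telnet, Docker daemon).
ADMIN_PORTS = {22, 23, 2375, 2376}


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument_string), ...], joining backslash
    continuations and skipping blank lines and comments."""
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        parts = line.split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return instructions


def lint_dockerfile(text):
    """Return [(code, message), ...] in Dockerfile order; the root-user check is
    reported last because it depends on the final USER instruction."""
    findings = []
    user = None
    for instr, arg in parse_dockerfile(text):
        if instr == "USER":
            user = arg.split(":")[0].strip()  # USER name[:group] or uid[:gid]
        elif instr in ("ENV", "ARG"):
            # ENV KEY=value [KEY2=value2], or the older ENV KEY value form
            names = re.findall(r"([A-Za-z_]\w*)=", arg) or arg.split()[:1]
            for name in names:
                if SECRET_NAME.search(name):
                    findings.append(("SECRET_ENV",
                                     "%s %s looks like a secret baked into the image" % (instr, name)))
        elif instr in ("COPY", "ADD"):
            # Every token but the last is a source path; skip flags such as --from=
            tokens = [t for t in arg.split() if not t.startswith("--")]
            for src in tokens[:-1]:
                if SECRET_FILE.search(src):
                    findings.append(("SECRET_FILE",
                                     "%s copies key material %s into a layer" % (instr, src)))
        elif instr == "EXPOSE":
            for port in arg.split():
                num = port.split("/")[0]  # strip an optional /tcp or /udp suffix
                if num.isdigit() and int(num) in ADMIN_PORTS:
                    findings.append(("ADMIN_PORT", "EXPOSE opens administrative port %s" % port))
    if user is None or user in ("root", "0"):
        findings.append(("ROOT_USER", "no non-root USER set; the service runs as root"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label)
        for code, msg in lint_dockerfile(text) or [("OK", "no findings")]:
            print("  %-12s %s" % (code, msg))
```

Run against the constructed sample the script reports four findings (secret in ENV, key file copied into a layer, port 22 exposed, no non-root USER); the hardened variant reports none. A real pipeline check would additionally inspect the built image rather than only the Dockerfile, since base images and build arguments can introduce the same problems.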

All in all, there are many issues beyond OS hardening and patching your Docker runtime. Crucial runtime aspects of container security such as monitoring, container segregation and blocking unwanted communications are all at issue. How containers are built, managed and deployed also plays a part in application security, and should be core to any container security program. As such, we have taken a much broader view of container security than other firms have, and cover each of these areas in this research paper.

Finally, we would like to thank Aqua Security for licensing this content. It’s support from the community like this that allows us to bring independent analysis and research to you free of charge. We don’t even require registration. So you can grab a copy of the research paper directly, or visit our research library for a full review of the paper, and please visit Aqua Security if you would like to better understand how they help provide container security.

- Adrian Lane
