Container security essentials

Posted by on Monday, April 10, 2023

As containers become the preferred method for packaging and deploying cloud-native applications, a comprehensive understanding of them, and of how to secure them, has never been more important.


As cloud-native applications continue to proliferate, containers are becoming the preferred option to package and deploy these applications because of the agility and scalability they offer. In fact, Gartner predicts that 75% of global organizations are running containerized applications in production.

The popularity of containers has also attracted hackers looking for new ways to exploit applications. Containers expand an organization’s attack surface and increase the risk to the applications they house. A comprehensive security approach is essential to mitigate the risk to containerized applications and infrastructure.

What containers are, and what they’re not

Physical containers, originally created to ease the transportation of goods and materials on cargo ships, developed a standardized way of packing things. Whether a sports car from Italy or coffee from South Africa, they were packed and shipped the same exact way. The simplification this provided sparked an explosion in international trade and economic growth.

Likewise, a century later, when Docker engineers produced container technology for software applications, they did it for the sake of simplifying the shipping of software from the developer’s laptop to the production environment. Containers package everything an application needs to run, including libraries and system tools, into a single image that can be deployed across multiple environments—just like physical containers that are easily loaded by cranes and forklifts onto cargo ships, planes, and trains.

But this technology existed previously in the form of virtual machines. So why not stick with those? Why containers?

Containers are built as a packaging tool. You can take an application and all its dependencies, put them in a container, drop it onto any system, and let it run, and it will work exactly as expected. A virtual machine, on the other hand, is a full guest operating system. It layers the application and its dependencies onto that operating system, which brings significant overhead due to hardware virtualization and other factors.

Container orchestration

Orchestration allows organizations to automate and simplify the configuring, managing, and deploying of large-scale container environments. Orchestration platforms such as Kubernetes have become the de facto standard for managing containerized applications at scale.

Many organizations have false assumptions about the security of orchestration platforms, and those assumptions can put their applications at risk. Even with third-party orchestration service providers such as Google GKE, the shared nature of the hosting responsibilities can make it difficult to understand who is responsible for securing what.

Container attack scenarios and matrix

When addressing the security of containers and container orchestration, it’s important to take a holistic approach that encompasses the architecture, deployment, and production of your applications.

Security considerations should include:

  • Malicious/compromised containers
  • Local network attacks
  • External network attacks
  • Malicious developers/users
  • Configuration best practices
  • Secrets management
  • Container delivery
  • Role-based access control analysis
  • Comprehensive, context-specific attack scenario analysis

Attack scenarios to consider should include:

  • Malicious entities on public network
  • Malicious entities on adjacent network
  • Malicious insiders/developers
  • Malicious/compromised application containers
    • Containers to host
    • Containers to network
    • Containers to container
    • Namespace to namespace
    • Cluster to cluster

To track and organize these scenarios, it’s beneficial to create an attack matrix. The Kubernetes attack matrix, for example, includes factors such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and impact.

Top five risks to container security

The most common container vulnerabilities that Synopsys has encountered in our assessments are:

  • Container image security
  • Secure defaults / hardening
  • Secrets management
  • Network segmentation / firewalling
  • Policy enforcement
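As an added example, not code from the Synopsys post or its webinar, the following Python script is a minimal admission-style policy check that scans Kubernetes Pod manifests for four of the five risk areas above: unpinned images (container image security), privileged or host-namespace settings (secure defaults / hardening), literal secrets in environment variables (secrets management), and missing resource limits (policy enforcement). Network segmentation is enforced with namespace-scoped NetworkPolicy objects rather than in the Pod spec, so it is not covered here. The two manifests are constructed for this illustration and embedded as Python dicts (the structure a YAML parser returns), so the script runs offline; the Pod spec field names are standard Kubernetes fields, while the secret-name heuristic and the choice of checks are assumptions.

```python
"""Minimal policy check for Kubernetes Pod specs (added example, not Synopsys code)."""
import re

# Constructed sample: a Pod manifest with several weak settings.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web:latest",
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same Pod with hardened settings.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "web",
            # Placeholder digest: a real one is the sha256 of the image manifest.
            "image": "registry.example.com/web@sha256:" + "a" * 64,
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Assumed heuristic: env names containing these words are treated as secrets.
SECRET_NAME_RE = re.compile(r"(PASS|SECRET|TOKEN|KEY)", re.IGNORECASE)


def check_pod(pod):
    """Return a list of (risk_area, message) findings for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    # Hardening: sharing host namespaces collapses the container boundary.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("hardening", f"{flag} is enabled"))
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # Image security: a mutable tag can change under you; a digest cannot.
        image = c.get("image", "")
        if not DIGEST_RE.search(image):
            findings.append(("image", f"{name}: image '{image}' is not pinned by digest"))
        # Hardening: least privilege for the container process.
        if sc.get("privileged"):
            findings.append(("hardening", f"{name}: privileged container"))
        if sc.get("runAsNonRoot") is not True:
            findings.append(("hardening", f"{name}: runAsNonRoot not set"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("hardening", f"{name}: allowPrivilegeEscalation not disabled"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("hardening", f"{name}: root filesystem is writable"))
        # Secrets management: literal values live in the manifest and its history.
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
                findings.append(("secrets", f"{name}: env {env['name']} holds a literal secret"))
        # Policy enforcement: without limits one container can starve the node.
        if not c.get("resources", {}).get("limits"):
            findings.append(("policy", f"{name}: no resource limits"))
    return findings


def admit(pod):
    """Admission decision: True only when the manifest produces no findings."""
    return not check_pod(pod)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: admit={admit(pod)}")
        for area, msg in check_pod(pod):
            print(f"  [{area}] {msg}")
```

In practice the same checks belong in an admission controller or a policy engine so they run on every deployment rather than on a developer's laptop; the point of the script is that each of the listed risk areas maps to a concrete, machine-checkable field in the manifest.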

You can learn more about these vulnerabilities and container security essentials in our webinar on-demand.



Source: https://www.synopsys.com/blogs/software-security/container-security-essentials/