So much of our modern software runs on containers. Containerized applications offer great flexibility for developers, but they also come with security risks.

Container security is a holistic approach to managing risk in containerized environments. Securing containers requires a broad approach incorporating different tools and policies that enforce security in the software supply chain, infrastructure, container runtime environments, and other potential container attack surfaces.

What is container security?

A container is a means of packaging software to ensure it contains all the necessary components to run in any environment. Containers are portable, allowing developers to run their code almost anywhere, regardless of the infrastructure or operating system.

Containers offer some inherent security benefits. Because containers are a form of virtualization, they provide isolation from the host operating system and run on a virtualized allotment of computing resources.

However, containers also create new attack surfaces for malicious actors to exploit. Most containers are built on pre-packaged base images, meaning vulnerabilities can spread quickly through the software supply chain. The tools used to develop and run containers, like Docker, require their own security best practices. Container orchestration tools used to manage containerized environments, such as Kubernetes, also introduce attack vectors.

Key security risks in containerized environments

Container security is a concern throughout the entirety of the software development lifecycle. The DevSecOps approach emphasizes a shift-left philosophy where security is prioritized early in development cycles. Container security must be treated as a top priority at the earliest stages of development and long after the application is deployed to production.

Image vulnerabilities

Images provide the necessary components to make the application work inside its container. Images and containers are distinct entities. Containers contain code and files defined by images, in addition to the project’s custom application code.

For example, a container for a Node.JS web application would include an image with the Node runtime, a package manager like npm, developer tools like nodemon, and any project dependencies. It would also include the JavaScript code that makes up the web application and any other supporting software.

Each dependency introduces new code to the project — and potentially new vulnerabilities. Not only can the dependencies have security vulnerabilities, bad actors can also compromise the software supply chain that provides these images. Attacks such as typosquatting and dependency confusion aim to trick developers into adding malicious code (masquerading as a real dependency) to their projects.

Runtime threats

Containers require a runtime environment to execute their code. This brings its own set of risks. Misconfigurations and configuration drift in the runtime environment can result in security risks from improper permissions settings or failure to implement security protocols.

The host application that runs the containers may also be a source of security vulnerabilities that can be exploited at runtime. For example, older versions of Docker include known security vulnerabilities. Bad actors can identify systems still operating these unpatched versions and target them for attack.

Because containers share the host’s kernel, kernel exploits are not mitigated by container isolation alone. Effective container security relies on the underlying host server maintaining its security posture to create a secure environment for containers to operate.

In container escape attacks, bad actors utilize privilege escalation to “break out” of the container and gain access to resources outside of the container. These types of attacks eliminate the barrier of isolation that containers normally provide and enable malicious actors to access the container’s host server.

Network threats

Network traffic is another source of security concerns for containerized applications. Bad actors exploit network vulnerabilities, such as open ports and misconfigured permissions.

Containers are a common building block for microservices. Microservices often communicate with one another over networks utilizing APIs. This has the effect of multiplying the attack surface for an application. Each microservice is another attack surface exposed to the network.

To counter this, developers can employ network segmentation techniques to restrict lateral movement within the network. By controlling the flow of traffic between containers and microservices, segmentation promotes a secure network.

Network segmentation can also be useful for reducing traffic interception attacks, where eavesdroppers intercept network traffic between different containerized microservices.

Orchestration risks

Containerized applications often rely on orchestration tools to handle deployment, scaling, networking, and management of containers. These orchestration tools offer developers many powerful features and are a staple of modern containerized apps.

Orchestration tools introduce their own risks. Misconfigurations in access controls can enable bad actors to execute commands or access sensitive resources. An over-privileged container (like a container granted root access) can cause serious problems in the orchestration environment and potentially even the host operating system.

Best practices for container security

Each application will have unique security concerns and specific vulnerabilities that must be addressed individually. However, there are some general best practices all developers should adhere to when securing their containers.

• Secure image creation: Take care when sourcing base images and dependencies. Only include images from reputable repositories. Trusted images typically include a cryptographic signature that can be validated before the image is added to the container.
• Regularly scanning images for vulnerabilities: Container scanning tools can examine images for known vulnerabilities. Regularly scanning your images helps to catch vulnerabilities before bad actors can exploit them.
• Access controls and authentication: Implementing strong access controls and authentication mechanisms based on the principle of least privilege and zero trust security ensures that a user or service is only granted the minimum permissions needed to complete their tasks.
• Configuration management: Configuration management defines and implements policies for securing container configurations and their environments. A systematic approach to configuration management allows teams visibility into configuration vulnerabilities and simplifies the process of addressing misconfigurations.
• Regular updates and patching: Container images, host applications, and infrastructure must all be kept up-to-date with the latest security patches.
• Runtime monitoring and logging: Runtime monitoring can help detect suspicious behaviors and catch misconfigurations. Detailed logs help teams analyze security threats, prepare incident responses, and conduct post-mortem analysis of security breaches.
• Network Segmentation: Network segmentation and strict network security policies limit how network traffic can interact with containers and limit the application’s attack surface.

Integrating CI/CD for enhanced container security

Many of the best practices for container security can be enforced using automated testing. Steps such as image scanning, validating configuration management, and verifying access control policies can be completed at least in part with the help of software tests.

Continuous integration (CI) tools enable teams to incorporate these security tests and image scans into a CI/CD pipeline. Using CI tools, building and testing are completed automatically each time a developer triggers the pipeline. Instead of manually performing an image scan or digging through files to understand the configuration, developers can use existing scanning tools and write simple software tests that validate their containers’ security features.

Complementing CI is Continuous Delivery (CD). CD methodology ensures that code always makes it through the CI process tested and ready to be delivered. With CD, DevOps teams can automate the deployment of secure containers, speeding up development cycles and consistently enforcing security best practices.

Benefits of CI/CD in container security

With testing and scanning added to a CI/CD pipeline, teams have an early warning system for identifying vulnerabilities. Security issues identified by automatic CI testing are caught before making it into a production environment where they could create significant problems.

The rapid pace of modern software development requires developers to innovate quickly and make regular changes to their applications. CI/CD facilitates this rapid pace while ensuring security policies are not compromised in the name of speed and innovation.

Tools and technologies for container security

Several container security tools assist developers in securing containers. Some of the most popular include:

• Image scanning tools: These tools automatically scan container images for known vulnerabilities. Tools like Clair or Trivy scan containers continuously looking for misconfigurations and vulnerabilities.
• Runtime security tools: Tools such as Falco and Sysdig monitor container behavior during runtime looking for suspicious behaviors that may indicate a security issue.
• Orchestration security tools: Kube-bench, Kube-hunter, and other orchestration security tools look for misconfigurations, permissions issues, and security weaknesses in Kubernetes deployments.

Conclusion

Container security is not so different from other forms of application security. Much like other security practices, the key element is consistency and diligence.

Ensure you have the appropriate tools and skills to prioritize container security throughout your container’s lifecycle. Whether you are at the very beginning of development scanning your base images for vulnerabilities, or hunting for network vulnerabilities across your containerized microservices, understanding container security allows developers to minimize attack surfaces.

Once your container security policies and procedures are in place, many crucial steps can be automated using a CI/CD pipeline. CI alleviates developers’ burden of manually performing these steps, giving them more time to focus on innovation while ensuring container security on every build.

Create a CI/CD pipeline for building secure containers by signing up for a free CircleCI account.