Containers have been one of the hottest trends in the software industry in recent years as more organizations turn to them to build, test, and deploy faster without the friction of inconsistent environments. However, while tools like Kubernetes and container registries have become household names for developers because they make it easier to develop and deploy containers, many teams are still catching up on the need to integrate container security tools that cover the containerized application throughout the container lifecycle.
In working with containers, we need to recognize that they face a different range of threats than the other sorts of software we use. Don’t get me wrong, they have plenty of pluses that make them a valuable arrow in any developer’s quiver, but the trick is knowing how to work safely with them as well.
Let’s explore some of the ups and downs we may face in working with containers from a security perspective, and then think about which container security tools may help us mitigate these potential threats.
Despite the advantages offered by containers, their use comes with challenges that need to be taken into account.
To start, containers present attackers with a larger attack surface. Every container on a host shares that host’s kernel, so a kernel vulnerability, or a misconfigured container that allows an escape, puts every other container on the host at risk, not just the one that was compromised. Securing the host is therefore necessary but not sufficient: you also need to maintain standard, hardened configurations and container profiles (for example the capability set and seccomp profile each container runs with) and keep them consistent across the fleet.
A second area of concern is lack of visibility, which can hide vulnerabilities and makes remediation harder. In a containerized environment, images are constantly being pushed to the organization’s private registry or hub, and containers running those images are spun up and torn down all the time. A scan that looks only at what is running in the Kubernetes cluster at that moment misses two things: images sitting in the registry that are not running right now but could be deployed at any time, and short-lived containers that came and went between scans. That is why container security scanning has to happen earlier, at build time and on push to the registry, so that every image is checked before it can run rather than only if it happens to be running when a scan comes around.
So what are some of the tools that can help make sure nothing dangerous slips through unnoticed? Here is our list of the top five container security tools that we think deserve a place in your go-to toolkit.
As noted above, Kubernetes has been the talk of the town for some time now, reigning supreme as the orchestration tool of choice for those working with cloud-native applications, so basically everyone.
The good folks over at Alcide want to help you keep the beating heart of your Kubernetes workflow pumping with their platform. Their Kubernetes Advisor provides a solution for scanning, configuring, and generally gaining better visibility over your Kubernetes cluster for better control and security.
The Alcide team also puts a strong emphasis on letting admins control who is allowed to access what, following the principle of least privilege: grant each user and workload only the access it actually needs. That is the right place to start in our book.
Open source components are the building blocks of software, comprising between 60-80% of the codebase in nearly all modern applications. Given this wide attack surface, it is critical that we take steps towards managing our open source usage in our software including when we use containers.
Offering coverage for all open source usage throughout the SDLC, WhiteSource provides a tailored solution for securing containers with the aptly named WhiteSource for Containers. Users gain full visibility into all open source components in their containers at every stage, including in their container registries and Kubernetes clusters. This includes native support for popular container registries like Docker Hub, Amazon ECR, Azure Container Registry, Google Container Registry, and JFrog Artifactory.
This container security tool lets admins define automated policies for security vulnerabilities and licenses that are enforced throughout the container lifecycle, so that risky open source components are detected and, where the policy calls for it, blocked before they reach production.
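To make the policy idea concrete, here is an added example, not WhiteSource code, of the gate such a policy boils down to when it runs in a build pipeline. The scan-result schema, the severity names and the policy fields are assumptions made for this example, and the scan output, component names and finding ids are constructed.

```python
"""Policy gate over container scan results.

Added illustration, not WhiteSource code. The scan-result schema, severity
names and policy fields are assumptions made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Policy:
    block_at_or_above: str = "HIGH"   # block the image if any finding is at least this severe
    allow_unfixed: bool = True        # do not block on findings that have no fixed version yet
    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})


def evaluate(scan: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, violations) for one image scan.

    `scan` follows the constructed SAMPLE_SCAN below: one entry per open source
    component with its license and the vulnerabilities found in that version.
    """
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    violations: list[str] = []
    for comp in scan["components"]:
        name = f"{comp['name']}@{comp['version']}"
        lic = comp.get("license")
        if lic not in policy.allowed_licenses:
            violations.append(f"{name}: license {lic!r} is not on the allow-list")
        for vuln in comp.get("vulnerabilities", []):
            if SEVERITY_RANK.get(vuln["severity"].upper(), 0) < threshold:
                continue
            if vuln.get("fixed_in") is None and policy.allow_unfixed:
                continue  # nothing to upgrade to; track it, but do not fail the build
            violations.append(
                f"{name}: {vuln['id']} ({vuln['severity']}, fix: {vuln.get('fixed_in') or 'none yet'})"
            )
    return (not violations, violations)


# Constructed sample scanner output; component names and finding ids are synthetic.
SAMPLE_SCAN = json.loads("""
{
  "image": "registry.example.internal/payments/api:1.7.0",
  "components": [
    {"name": "libfoo", "version": "1.4.2", "license": "MIT",
     "vulnerabilities": [
       {"id": "EXAMPLE-0001", "severity": "CRITICAL", "fixed_in": "1.4.3"},
       {"id": "EXAMPLE-0002", "severity": "HIGH", "fixed_in": null}
     ]},
    {"name": "libbar", "version": "0.9.0", "license": "AGPL-3.0-only",
     "vulnerabilities": [
       {"id": "EXAMPLE-0003", "severity": "MEDIUM", "fixed_in": "0.9.1"}
     ]},
    {"name": "libbaz", "version": "2.0.0", "license": "Apache-2.0", "vulnerabilities": []}
  ]
}
""")

if __name__ == "__main__":
    allowed, problems = evaluate(SAMPLE_SCAN, Policy())
    print("ALLOW" if allowed else "BLOCK", SAMPLE_SCAN["image"])
    for problem in problems:
        print(" -", problem)
    raise SystemExit(0 if allowed else 1)  # a non-zero exit fails the CI stage
```

Run in CI right after the image is built, the script exits non-zero when the image is blocked, which is the earlier-stage check the visibility discussion above argued for. The `allow_unfixed` knob matters in practice: blocking on a finding that has no fixed version only stalls the pipeline without giving the team anything to upgrade to, so those findings are tracked rather than enforced.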
This solution integrates workload identity into the CI/CD pipeline and offers a robust container security tool for controlling application processes in your Kubernetes clusters. Their technology creates a unique identity for each workload that, they say, is independent of traditional network markers like IP addresses, so a receiving service can verify that a workload really came out of your CI/CD pipeline instead of trusting where a connection happens to come from. It is like issuing badges to employees at an organization: DevSecOps combined with the zero-trust model we generally see in network security solutions.
For a more detailed explanation for how their product works in practice, check out this link.
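The badge analogy in working code, as an added example that is not the vendor’s implementation: the pipeline (issuer) signs a small set of claims describing what the workload is, and the receiving service (verifier) admits a caller only on those verified claims, never on its IP. The claim names, the allow-list and the key are assumptions made for this example, and an HMAC over the claims with a shared secret stands in for the CA-issued certificate a real deployment would use, so that the example runs offline.

```python
"""Workload identity 'badges' for a zero-trust CI/CD pipeline.

Added illustration, not the vendor's implementation. Assumptions: the pipeline is
the issuer, the receiving service is the verifier, and both hold ISSUER_KEY. An
HMAC over the claims stands in for a CA-issued certificate so this runs offline.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-example-key-do-not-reuse"  # constructed for this example


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(claims: dict) -> str:
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue_badge(key: bytes, namespace: str, service_account: str, image_digest: str,
                ttl_s: int = 300, now: float | None = None) -> str:
    """Issuer side: identity is bound to what the workload is, not to an IP."""
    now = int(time.time() if now is None else now)
    body = _encode({"ns": namespace, "sa": service_account, "img": image_digest,
                    "iat": now, "exp": now + ttl_s})
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_badge(key: bytes, badge: str, now: float | None = None) -> dict | None:
    """Verifier side: claims come back only if the tag checks out and the badge is unexpired."""
    now = time.time() if now is None else now
    body, sep, tag = badge.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    return None if claims["exp"] <= now else claims


def authorize(key: bytes, badge: str, allowed: set, peer_ip: str,
              now: float | None = None) -> dict:
    """Zero-trust decision: the peer IP is recorded for audit but never used as a credential."""
    claims = verify_badge(key, badge, now)
    identity = (claims["ns"], claims["sa"], claims["img"]) if claims else None
    return {"allowed": identity in allowed, "identity": identity, "peer_ip": peer_ip}


def tamper(badge: str, **changes) -> str:
    """What an attacker without the key can do: rewrite the claims and keep the old tag."""
    body, _, tag = badge.rpartition(".")
    claims = json.loads(_unb64(body))
    claims.update(changes)
    return f"{_encode(claims)}.{tag}"


# Constructed allow-list: the single workload permitted to call this service.
ALLOWED_CALLERS = {("payments", "api", "sha256:0000")}

if __name__ == "__main__":
    t0 = 1_700_000_000
    badge = issue_badge(ISSUER_KEY, "payments", "api", "sha256:0000", now=t0)
    for label, b, ip, t in [
        ("same pod, expected IP", badge, "10.0.1.7", t0 + 10),
        ("same pod after reschedule, new IP", badge, "10.9.9.9", t0 + 10),
        ("claims rewritten to 'admin'", tamper(badge, sa="admin"), "10.0.1.7", t0 + 10),
        ("expired badge", badge, "10.0.1.7", t0 + 600),
    ]:
        print(f"{label}: {authorize(ISSUER_KEY, b, ALLOWED_CALLERS, ip, now=t)}")
```

The second case is the point of the design: the pod moves and gets a new IP, and nothing about the decision changes. The third shows why the tag must cover the claims, and the fourth why badges should be short-lived and re-issued by the pipeline rather than long-lived secrets baked into an image.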
This container security tool focuses on governance and compliance: it does a deep analysis of container images and lets admins set the policies they need to keep their software secure.
Combining a wide range of threat intelligence with role-based permission controls, Anchore’s enterprise CI/CD offering is a beast of a package, with options for unlimited users and up to 50 image repos, making it more than enough for most outfits. They also serve both on-prem and public cloud users, giving the flexibility that many are likely to find appealing. For the folks from legal, Anchore has compliance in mind for a variety of standards including NIST and CIS, with easy reporting to make this less of a headache than it needs to be. Oh, and of course they help to secure your Kubernetes.
Interestingly, and endearingly to us, they also maintain an open source project that offers many of the same functions as the enterprise version.
Last but certainly not least is Clair, the open source project that provides static analysis of Docker and appc container images to find known vulnerabilities in the packages they contain.
In AppSec, static analysis usually means SAST: rule-based tools that check your own source code for potential flaws. Clair’s static analysis is a different thing. It inspects an image’s layers at rest, without running the container, inventories the operating system packages installed in them, and matches those package versions against vulnerability feeds. Commercial scanners in this space can be quite pricey and are not always built with containers in mind, so it is great to have an open source option available.
Clair draws data from a range of vulnerability sources and updates its database as new advisories are published, so an image indexed earlier can be re-checked against newly disclosed vulnerabilities without being rebuilt. There are also a number of useful integrations with other open source projects that make working with Clair as one of your container security tools even easier, including container registries like Quay.io and Dockyard.
Check out their GitHub page for more information or to try it out for yourself.
If these five container security tools weren’t enough for what your organization needs, then take a gander at some of these other lists that we found while pulling together this list for your container security reading pleasure.
No matter which tools you choose, remember to use application security best practices throughout your development to avoid potentially painful mistakes. Containers help us work faster and more efficiently, but it is still up to us to make sure that we work with them securely.