Our paper, Assembling a Container Security Program, covers a broad range of topics around how to securely build, manage, and deploy containers. During our research we learned that issues often arise early in the software development or container assembly portion of the build process, so we cover much more than merely runtime security – the focus of most container security research. We also discovered that operations teams struggle with getting control over containers, so we also cover a number of questions regarding monitoring, auditing, and management.
To give you a flavor for the content, we cover the following:
IT and Security teams lack visibility into containers and have trouble validating them – both before placing them into production, and when running in production. Their peers on the development team are often disinterested in security, and cannot be bothered to provide reports and metrics. This is essentially the same problem we have for application security in general: the people responsible for the code are not incentivized to make security their problem, and the people who need to know what’s going on lack visibility.
Containers are scaring the hell out of security pros because of their lack of transparency. The burden of securing containers falls across Development, Operations, and Security teams – but these groups are not always certain how to tackle the issues. This research is intended to aid security practitioners, developers, and IT operations teams in selecting container security tools and approaches. We will not go into great detail on how to secure apps in general here – we are limiting ourselves to build, container management, deployment, platform, and runtime security issues that arise with the use of containers. We will focus on Docker as the dominant container model, but the vast majority of our security recommendations also apply to Cloud Foundry, Rocket, Google Pods, and the like.
If you worry about container security this is a good primer on all aspects of how code is built, bundled, containerized, and deployed. We would like to thank Aqua Security for licensing this research and participating in some of our initial discussions. As always, we welcome comments and suggestions. If you have questions, please feel free to email us, info at securosis.com.