Cloud-native software development is a driving force because it empowers teams to build and deploy applications at speed and scale. Along with microservices, cloud infrastructure, and APIs, containers are a crucial part of this development process. Let’s look at the security implications of containers in cloud-native application development and how to manage the security challenges they pose.
What are containers?
A container is known as a standard package of software. It bundles an application’s code together with the related configuration files and libraries, and with the dependencies required for the application to run. This allows you to deploy cloud-native applications seamlessly across public, hybrid, or private cloud environments.
Just as the shipping industry uses standardized physical containers to isolate different cargoes and move them by ship or train regardless of what is inside, software containers work the same way: they let us ship self-contained units of software.
In the same way, where shipping containers come from and what they contain has a direct impact on the security of your port. It’s imperative that security controls be implemented across the development pipeline to ensure that what goes in a container is validated, and that code integrity is maintained throughout.
What security challenges do containers pose?
75% of container images contain security threats that are considered of “high” or “critical” severity*. Images deployed with these threats significantly increase the risk of your runtime environment being attacked by a malicious hacker.
Containers pose a variety of threats, including:
- Known Vulnerabilities (Common Vulnerabilities and Exposures): These are publicly disclosed security bugs, typically found and logged by users or reported by security researchers to the National Vulnerability Database (NVD). Because these known vulnerabilities are public, they pose the most risk and are the most important to address. As mentioned earlier, images contain vulnerabilities. If images are not scanned before being deployed to production, they greatly increase the risk of a runtime attack.
- Infrastructure as Code (IaC) file issues: Containers blur the line between application and infrastructure. Containers are created from a configuration file such as a Dockerfile and include packages that need to be configured to meet the needs of your cloud infrastructure. If these controls are not properly configured, your containers will be at risk of a security breach.
- Hardcoded Secrets: Secrets, such as private keys or passwords, are often needed for a container to access services or data. It's unfortunately common for developers to include the value of the secret in the container definition, where it can be read by anyone with access to the container image or Dockerfile, rather than using appropriate secrets management tools. Once the secret is exposed, attackers or unauthorized users can gain access to protected services and resources, as well as sensitive information in tools or applications.
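The two definition-level problems in the list above (IaC misconfiguration in the Dockerfile and secrets hardcoded into it) can be caught before an image is ever built. The following is an added example, not Veracode's code or CLI and not from the original article: a small Dockerfile checker that flags an unpinned or `latest` base image, a final stage that still runs as root, and ENV/ARG instructions whose key looks like a credential but carries a literal value. The two Dockerfiles it inspects are constructed for the example; the "weak" one shows the issues described above, the "hardened" one shows the corrected form. Known-vulnerability (CVE) scanning of the installed packages is out of scope here because it needs a live vulnerability feed.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample input exhibiting the issues from the text: unpinned base image,
# credentials in ENV/ARG, and no USER instruction (so the container runs as root).
WEAK_DOCKERFILE = """\
FROM node:latest
ENV API_TOKEN=sk_live_1234567890abcdef
ARG DB_PASSWORD=Sup3rSecret!
COPY . /app
WORKDIR /app
RUN npm install
CMD ["node", "server.js"]
"""

# Constructed hardened counterpart: pinned tag (a digest, image@sha256:..., is stronger),
# no secret values baked into the image, and an unprivileged runtime user.
HARDENED_DOCKERFILE = """\
FROM node:20.11.1-alpine3.19
WORKDIR /app
RUN addgroup -S app && adduser -S app -G app && npm ci --omit=dev
COPY --chown=app:app . /app
USER app
CMD ["node", "server.js"]
"""

# Key names that usually hold credentials; the check is on the name, not the value.
SECRET_KEY_RE = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    category: str  # "iac" for a misconfiguration, "secret" for a hardcoded credential
    message: str


def parse_instructions(dockerfile: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, INSTRUCTION, arguments) per logical instruction.

    Blank and comment lines are skipped, a trailing backslash joins the next line,
    and the reported line number is the first physical line of the instruction.
    """
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        buf = []
        yield start, instr.upper(), args.strip()


def split_kv(args: str) -> List[Tuple[str, str]]:
    """Split ENV/ARG arguments: `KEY=value KEY2="v 2"` form or legacy `KEY value` form."""
    tokens = shlex.split(args)
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tuple(tok.partition("=")[::2]) for tok in tokens]  # (key, value)
    key, _, value = args.partition(" ")
    return [(key, value.strip().strip("\"'"))]


def is_pinned(image: str) -> bool:
    """True when the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]  # drop registry host (which may carry a :port)
    if ":" not in name:
        return False
    return name.rsplit(":", 1)[1].lower() != "latest"


def check_dockerfile(dockerfile: str) -> List[Finding]:
    findings: List[Finding] = []
    stage_names: set = set()
    runs_as_root = True  # Docker defaults to uid 0 until a USER instruction says otherwise
    last_from_line = 0
    for line_no, instr, args in parse_instructions(dockerfile):
        if instr == "FROM":
            runs_as_root = True  # each stage starts over; only the final stage matters at runtime
            last_from_line = line_no
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform=...
            image = tokens[0] if tokens else ""
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stage_names.add(tokens[2])
            if image.lower() != "scratch" and image not in stage_names and not is_pinned(image):
                findings.append(Finding(line_no, "iac", f"base image '{image}' is not pinned to a tag or digest"))
        elif instr == "USER":
            runs_as_root = args.split(":")[0].strip() in ("root", "0")
        elif instr in ("ENV", "ARG"):
            for key, value in split_kv(args):
                # A `$VAR` reference is fine; a literal value is baked into the image metadata.
                if SECRET_KEY_RE.search(key) and value and not value.startswith("$"):
                    findings.append(Finding(line_no, "secret", f"{instr} {key} carries a hardcoded value"))
    if runs_as_root:
        findings.append(Finding(last_from_line, "iac", "final stage sets no non-root USER; container runs as root"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for f in check_dockerfile(text):
            print(f"  line {f.line} [{f.category}] {f.message}")
```

Run as-is to see four findings for the weak Dockerfile and none for the hardened one. The check is deliberately name-based for secrets; a real scanner adds value-pattern and entropy checks, and also inspects the image history, since build arguments are recorded there even when they are not in the final filesystem.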
As you can see, securing containers requires a shift-left security approach, process, and strategy, with security scanning moving as early in the software development life cycle (SDLC) as possible. Vulnerabilities found earlier in development are much easier and cheaper to fix.
Security must be built into containers through secure coding practices. Failing to eliminate threats in container images before they are deployed will significantly increase the risk of a runtime attack in your cloud-native environment.
For more in-depth information on the security challenges that containers pose, see the 4 Categories of Container Security Vulnerabilities (& Best Practices to Reduce Risk).
How to secure containers
To secure the containers in your cloud-native application development, you need a fast, simple and accurate way to secure container artifacts before production. As mentioned earlier, since 75% of container images contain security threats*, it's imperative that you eliminate these threats before deployment.
To do this, first you need to make sure your container is secure from the start (learn how to do this in Part 1 of our Cloud-native Application Development Series) then you should scan, find, and fix vulnerabilities in images before they are shipped to production.
Taking a preventive approach to cloud-native application security by securing container targets earlier in the SDLC will save you time because you can catch problems before they become a fire drill. Scanning early in the development process offers you additional context into vulnerabilities, making it the most convenient time to fix security issues.
How does Veracode help?
Veracode Container Security is a powerful continuous integration / continuous delivery (CI/CD) pipeline scan solution. It empowers you to integrate security into your existing workflow without causing disruption so you can secure your containers as they are being built. The intuitive command line interface (CLI) commands make it easy to scan, find and fix known vulnerabilities, IaC file issues, and hardcoded secrets in your container images, repositories, directories, and archives - before workloads are shipped to production. You can also generate, manage and share SBOMs in CycloneDX and SPDX to meet compliance, build trust and strengthen the security of your software supply chain.
Veracode empowers you to confidently build and deploy secure containers with ease, increasing the velocity at which you can continue to secure your cloud-native application development process.
In addition, Veracode Container Security can be used in conjunction with the Veracode Continuous Software Security Platform which empowers you to secure your cloud-native application development with just one solution. By adding static and dynamic scans as well as software composition analysis, you can deeply strengthen your security posture and reduce risk across your cloud-native application development.
You don’t have to take our word for it; see what developers are saying about Veracode Container Security:
"I felt like this was pretty easy to get going. My initial testing has been on a Windows 10 machine using Alpine inside of WSL. Getting the Veracode CLI setup was simple. The instructions on generating API credentials mirror that of utilizing the Static Scan via CI/CD pipelines, so that was also very simple.
I was able to test my first scan on one of our production images which was, once again, super simple. The commands in the Veracode CLI are simple and easily understandable.
The scan was quick and the different output options are nice. Using the pretty print and table formatting make the results easily readable at a summary level."
- Adam Taylor, Director of Software Development at LiT Technology Solutions
If you are interested in learning more about Veracode Container Security, click here. If you would like to chat with us and see how Veracode makes it easy to secure your cloud-native application development, click here.
* Source: Cloud‑Native Security and Usage 2022 Report