A Look at the Most Common Container Security Concerns

Kubernetes and containers provide users with a mobile, fast, and functional development tool. They run directly on an OS kernel, eliminating many operational headaches. However, security issues often hold containers back from their full potential. These issues can be resolved with proper management and tools. Also, understanding new threats and vulnerabilities allows users to maintain consistent security.

We chatted with Mark Brooks, Alert Logic’s global VP of solution engineering, to understand how to better manage containers. Alert Logic provides protection to all layers of web applications and the infrastructure stack. Mark provides useful insights into container security and what users can expect moving forward.


Does speed need to be sacrificed for container security?

No. Customers can streamline and simplify delivery with a single workload security solution that uses APIs to integrate with deployments running on public cloud platforms such as AWS, Azure and Google Cloud Platform and in on-premises and hybrid environments.

Vulnerability scan results can be integrated with DevOps tools such as Jira and Jenkins while detection agents and virtual appliances can be automatically deployed through a library of templates for Chef, Puppet, Ansible and AWS CloudFormation. Once a customer has deployed the container agent into their environment, any new or expanded container workloads are automatically discovered. In the event that a customer’s container use is expanding to multiple hosts, the container agent can be built into the deployment orchestration process to eliminate gaps in security visibility.

Is there anything currently being overlooked in container security?

Most container security solutions only focus on log output from the platform and associated applications. While logs are a great source of information, they are ‘after the fact’ and can leave gaps in visibility that could lead to container and application compromise. Not to mention, if compromised, the source of the log is under attacker control, leaving the possibility of corruption and/or deletion. One of the most recent innovations in container security is an agent that deploys in a traditional IDS mode – listening to intra-container traffic and leveraging a detection set that will identify pre- and post-compromise activity. This is important because depending on configuration and deployment, there can be any number of dark corners where bad actors can hide or mask behaviors. Log output relies primarily on events being written to the system after the event has already occurred. IDS provides visibility to attacks against the container host or application in near real time, even if the activity is not logged by the system.

How can developers stay secure while using a public repository?

Public repositories tend to introduce a long tail of inherited vulnerabilities that increase a customer’s attack surface. DevOps and security teams should run internal and external vulnerability scans and reports to monitor on-premises, hosted and cloud environments with continuous updates to more than 92,000 Common Vulnerabilities and Exposures (CVEs) in software and certain network components.

For example, in AWS environments, CVE scanning is an essential and integral part of leading 3rd party security tools. These tools consume APIs including CloudTrail and IAM and run agentless security scans. Leading tools are pre-authorized by AWS to scan any time, avoiding manual scan permission requests. This level of automation means that the security tools adapt to the customer’s dynamic environment with automatic asset discovery and scanning of new instances within minutes of being added to the environment. Another essential benefit of 3rd party tools is the enhanced visibility users get with a current visual topology map that can pivot by AMI, Instance ID & Type, IP range, Availability Zone, tags, and keywords and the addition of remediation advice.

What new threats do you expect as containers grow in popularity?

We have already witnessed customers being impacted by botnet activity as well as cryptojacking. There is also the age-old issue of patching. As new vulnerabilities are discovered in any container platform or containerized workload, patches are released to mitigate the vulnerability risks. If developers are not updating to the latest version, unpatched systems become an entry point for command and control as well as data exfiltration.

Perhaps the biggest challenge, however, is a failure to learn from the past. When organizations initially started to embrace virtualized environments, we learned a lot about security and how innovative attackers are. In thinking about how to address container security, it is important to avoid being seduced by faster deployment speeds and reduced costs. Security still matters and failing to address it from the beginning just means you’ll pay a higher bill later in remediation costs and lost productivity in the face of an attack.

Alert Logic solutions combine cloud-based software and innovative analytics with expert services to assess, detect and block threats to applications and other workloads. Protection extends to all layers of a customer’s Web application and infrastructure stack to defend against a broad range of server-side and container threats — including hard-to-detect Web application attacks such as advanced SQL injection, path traversal, cross-site scripting, the use of encoders and obfuscation techniques, as well as advanced malware, command and control, brute force and many others. Designed for cloud and hybrid environments, Alert Logic solutions use API-driven automation and integration with cloud platforms and DevOps tools.