Container Security: Examining Potential Threats to the Container Environment

Containers have become one of the most essential technologies in DevOps and are often used by companies for development, testing, packaging and deployment of applications. Containers can increase the speed and efficiency of the development process while maintaining consistency across the board, they can also expose organizations to potential risks without sufficient security controls. However, the increasingly widespread adoption of container technologies also means an ever increasing need to secure them from the wide range of potential threats at each stage of the development pipeline.

The infographic shown here illustrates these threats and risks in zones that correspond to different stages of the pipeline. Many of them are specific to certain zones, for example, images containing vulnerabilities can primarily be found at the image development stage of the process while specific vulnerabilities affect only certain components. There are also certain commonalities across most zones — such as mismanaged credentials and security settings — that can potentially be harmful during the whole process.

Best practices to defend against container threats

The use of containers can increase the speed and efficiency of the development process while maintaining consistency across the board, but they can also expose organizations to potential risks. That’s why, for any organization that uses container technology, security should always be a top priority. By adopting a risk-based security approach that covers as much of the development process as possible, companies can help ensure that their exposure to threats is reduced.

By implementing the following recommendations and adopting a security by design stance, companies can mitigate risks to their containers and related resources and lessen any potential impact they face from these threats:

• Docker can make use of a Linux feature called user namespace which, when enabled, allows for container isolation by limiting container access to system resources. Setting applications to run as regular users can stop privilege escalation attacks from accessing the critical parts of the container.
• Mandatory access control (MAC) tools such as SELinux (Security-Enhanced Linux) and AppArmor can help prevent attacks that compromise application and system services by limiting access to files and network resources.
• Minimizing the use of third-party software and using verifiable ones ensure malicious software is not inadvertently introduced to the container environment.
• Mounting the host's root file system in read-only mode will restrict write access for applications, limiting the chances of an attacker being able to introduce malicious elements to the container.
• Scanning images in the repository can help determine whether they contain any vulnerabilities or are not configured properly.
• Deploying an application firewall enhances the security of the container and helps catch threats before they can enter the environment.
• Prevent vulnerability exploitation by using tools such as Clair, which provides static analysis for containers.
• The UNIX socket is a two-way communication mechanism that allows the host to communicate with the containers. Disabling this socket can thwart attacks that exploit it — for example, an attacker abusing the API from inside a container.
• Using different databases for each application allows for more efficient management and greater visibility into every individual application.
• Using the integrated firewall for the Docker virtual network, especially for TCP API control, can filter external attacks.
• Regularly updating the host operating system and the kernel to the latest security updates can prevent exploitation of vulnerabilities that exist in older software versions.

Trend Micro Solutions

Trend Micro helps DevOps teams to build securely, ship fast, and run anywhere. The Trend Micro^TM Hybrid Cloud Security solution provides powerful, streamlined, and automated security within the organization's development pipeline for runtime physical, virtual, and cloud workloads via XGen^TM threat defense technology. It is powered by the Cloud One™ SaaS platform, which provides organizations a single-pane-of-glass look at their hybrid cloud environments and real-time security through its Network Security, Workload Security, Container Security, Application Security, File Storage Security, and Conformity services. Learn more about secure cloud-native application development. For organizations looking for runtime workload, container image, and file and object storage security as software, Deep Security^TM and Deep Security Smart Check scan workloads and container images for malware and vulnerabilities at any interval in the development pipeline to prevent threats before workloads and container images are deployed.