TechNews- Containers are a small, fast, and easy-to-set-up way to deploy and run software across different computing environments. Because an image carries an application’s complete runtime environment, including libraries, binaries, and configuration files, the underlying platform and infrastructure are abstracted away and the application runs more or less anywhere. Containers are available from all the major cloud providers as well as in on-premises data centers and hybrid clouds. Plus, they can save companies a lot of money.
“There’s some implicit level of trust there that may or may not be warranted,” says Robert Huber, chief security and strategy officer at Eastwind Networks. A container image is a convenient packaging of ready-to-go code, but providers might not have the time or interest in monitoring for security issues or publishing release notes, he says.
“Ideally, you have a process to check the versioning, but I haven’t seen any organization that does that,” Huber says. “Companies should continuously check that the latest versions of the containers are the ones that are being used, and that all the code is patched and up to date. But right now, it comes down to the developer, and a manual check. I do believe that organizations will move to some process that’s more automated, but right now there’s a gap. It’s fire and forget it. You pull a container, run it, and you’re done.”
It’s not much better when developers build their own containers. Development moves fast enough that quality assurance and security testing are skipped; by the time anyone notices that the containers exist, they have done their job and been torn down.
“The lifecycle might be over by the time the security team can go in,” says Bo Lane, head of solution architecture at Kudelski Security. “That’s the challenge, and it requires a different mindset for security.”
Security awareness needs to be built in early in the development process, he says, and automated as much as possible. For example, if developers are downloading an image from an external source, it needs to be scanned for vulnerabilities, unpatched code, and other potential issues before the container goes live. “And once that container goes live, how do they maintain and monitor the state of its security for something that’s potentially very short lived, and interacts with other components?” he asks.
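Huber’s point that version checks should be automated rather than left to a developer’s manual glance, and Lane’s that an externally sourced image must be scanned before it goes live, both reduce to the same pre-deployment gate: refuse any image reference that is not pinned to a digest, whose digest has not passed the scanner, or that is no longer the current approved build. The following is an added example, not code from either expert or from the article; the approval table, registry allowlist, image digests and deployment manifest are all constructed for illustration, and in a real pipeline the table would be written (and ideally signed) by the scanner stage rather than held inline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Grammar for an image reference, simplified from the OCI distribution spec:
#   [registry[:port]/]repository[:tag][@sha256:<64 hex>]
# A leading path component is a registry only if it contains a dot or is
# "localhost"; otherwise the whole path is a repository on Docker Hub.
_REF_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/:]+\.[^/:]+|localhost)(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference into its parts, applying Docker Hub defaults."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    registry = m.group("registry") or "docker.io"
    repo = m.group("repo")
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo          # official images live under library/
    return ImageRef(registry, repo, m.group("tag"), m.group("digest"))


# Constructed data (hypothetical digests and registry names, not real ones).
CUR = "sha256:" + "11" * 32   # newest build of team/app that passed the scan
OLD = "sha256:" + "22" * 32   # an earlier build that also passed the scan
UNK = "sha256:" + "33" * 32   # a digest the scanner has never seen

APPROVED: Dict[str, dict] = {   # "registry/repo" -> what the scanner stage approved
    "registry.internal.example:5000/team/app": {"current": CUR, "scanned": {CUR, OLD}},
}
ALLOWED_REGISTRIES: Set[str] = {"docker.io", "registry.internal.example:5000"}


def check_ref(ref: str, approved=APPROVED, allowed=ALLOWED_REGISTRIES) -> List[str]:
    """Return the policy violations for one reference; an empty list means admit."""
    findings: List[str] = []
    try:
        img = parse_ref(ref)
    except ValueError as exc:
        return [str(exc)]
    if img.registry not in allowed:
        findings.append(f"registry {img.registry!r} is not on the allowlist")
    if img.digest is None:
        # A tag is a mutable pointer: what ran under :latest yesterday need not
        # be what runs today, so nothing else about the image can be verified.
        tag = img.tag or "latest"
        findings.append(f"not pinned to a digest (tag {tag!r} is mutable)")
        return findings
    record = approved.get(f"{img.registry}/{img.repo}")
    if record is None:
        findings.append("no scan record exists for this repository")
    elif img.digest not in record["scanned"]:
        findings.append("digest has not passed the vulnerability scan")
    elif img.digest != record["current"]:
        # Passed the scan once, but a newer approved build exists: this is the
        # "are the latest versions the ones being used" check, automated.
        findings.append(f"digest is stale; current approved digest is {record['current']}")
    return findings


MANIFEST = [  # constructed deployment: one image reference per container
    "alpine:latest",
    f"registry.internal.example:5000/team/app:1.4.2@{CUR}",
    f"registry.internal.example:5000/team/app@{OLD}",
    f"registry.internal.example:5000/team/app@{UNK}",
    f"ghcr.io/someone/tool:2.0@{UNK}",
]


def admit(manifest, approved=APPROVED, allowed=ALLOWED_REGISTRIES) -> Dict[str, List[str]]:
    """Run the check over a whole deployment; returns only the rejected references."""
    return {ref: f for ref in manifest if (f := check_ref(ref, approved, allowed))}


if __name__ == "__main__":
    for ref, findings in admit(MANIFEST).items():
        print(f"REJECT {ref}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a pipeline step, the script exits non-zero when `admit` returns anything, which is what turns Huber’s “fire and forget” into a gate; the same check re-run on a schedule against the running inventory catches the case Lane raises, where the image was acceptable at deploy time but a newer approved build has since appeared.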