Containers — a lightweight VM alternative — are some of the most widely used cloud technologies associated with DevOps and agile software development today. Much of the hype behind containerization can be attributed to its agility, flexibility, and security.
Still, containers have substantial security concerns and vulnerabilities in many applications. Luckily, container security tools are gaining popularity and helping security professionals tackle the issue.
DevOps triggers rise in container usage
DevOps is an approach to software development rooted in high-speed production, constant communication, and rapid innovation. While many technologies are used by DevOps teams, containers are one of the core technology markets enabling the expansion of DevOps.
Containers are a way to isolate and package code, data, and files into a flexible and secure, resource-isolated unit. They make it easier for developers to package, ship, and pull code as they add and update functionality to their DevOps applications.
Many companies, from AWS to Tesla, are embracing container technology. Docker containers—the second most reviewed container management platform on G2—have been downloaded over 100 billion times, have roughly 750 enterprise customers, and power nearly 6 million apps. Impressively, Docker has maintained its rapid growth despite tech giants like AWS, IBM, Google, and Microsoft entering the market.
"[Docker is an] indispensable tool in the world of DevOps and systems administration," Jennifer A, a development engineer, said of the tool.
Docker containers have rapidly gained traction because they are incredibly scalable, easy to create, logical to manage, and provide a flexible way to support software-defined networking. Docker has become a standard for DevOps teams, garnering wide praise on G2. As of September 6, 2019, the product has reviews from nearly 200 individuals, 192 of whom rated the product 4.0 or 5.0 stars.
Unaddressed container security concerns
Containers still have major security concerns that may be putting your company and customers at risk.
Earlier this year, Tripwire conducted a survey that interviewed over 300 security professionals managing containers at midsized and enterprise companies. According to the survey results, 94% of respondents had concerns about containers.
“Over 60% of the top Docker files held a vulnerability that had a [risk score] above 330, and over 20% of the files contained at least one vulnerability that would be considered high risk under Kenna’s scoring model and should be addressed as soon as possible,” Jerry Gamblin, a researcher at Kenna Security, said.
Gamblin launched VulnerableContainers.org earlier this summer; the site provides information related to the 1,000 most popular containers from Docker Hub. Gamblin ran each container through a vulnerability scanner and posted his findings online. The containers with the most vulnerabilities were related to Node.js, DynamoDB, and Rancher. Each container had millions of pulls and over 1,100 open vulnerabilities.
Almost all of the surveyed professionals said they want additional security tools, and nearly half are limiting their use of containers in production because of security concerns. A number of issues might cause these security risks.
Individual teams and developers have the most control over vulnerabilities related to the container’s internal components. These vulnerabilities typically stem from the image tags, packages, and libraries the team itself manages. One small issue, such as a mislabeled image tag, can expose an application to hundreds of vulnerabilities.
Third-party vulnerabilities are another huge concern. These can be discovered using vulnerability scanners, monitoring tools, and other security risk analysis software solutions. They can also be avoided by only pulling verified images, requiring image signature verification, and enforcing strict access control.
The most important component to protect is your host kernel, since every container on the host runs on it. For the most part, a container is secure and isolated unless it is poorly designed or tampered with by internal actors. However, a compromised host system renders the container's native safeguards useless.
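The "mislabeled image tag" problem above comes down to the difference between a mutable tag and an immutable digest: a tag such as `:latest` or `:12` is a pointer the publisher (or anyone with push access) can re-point after a team has reviewed the image, whereas a `sha256` digest names exact content. The following Python check, added here as an example and not code from the article or any vendor named in it, parses an image reference the way Docker's naming rules do and rejects references that are not pinned by digest or that come from a registry outside an allowlist. The registry names and tag list are constructed policy values, not real settings.

```python
"""Container image reference policy check (added example; not the article's code).

Parses 'host[:port]/path[:tag][@digest]' and reports why a reference should
not be admitted into a deployment: unknown registry, mutable tag without a
digest pin, or a malformed digest. Allowlist values are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy values (assumptions for this example, not real settings).
ALLOWED_REGISTRIES = {"docker.io", "registry.example.internal"}
FLOATING_TAGS = {"latest", "stable", "edge", "nightly"}
DIGEST_RE = re.compile(r"^sha256:[a-f0-9]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference using Docker's naming rules."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = "docker.io"
    # The first path component is a registry only if it looks like a hostname.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    tag = None
    # A ':' in the last component separates the tag (a registry port was handled above).
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].rsplit(":", 1)
    repository = "/".join(parts)
    # Docker Hub shorthand: 'node' means 'library/node'.
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest)


def evaluate(ref: str) -> List[str]:
    """Return the policy violations for a reference; an empty list means admit."""
    img = parse_ref(ref)
    problems = []
    if img.registry not in ALLOWED_REGISTRIES:
        problems.append(f"registry '{img.registry}' is not on the allowlist")
    if img.digest is None:
        effective_tag = img.tag or "latest"  # no tag and no digest means :latest
        if effective_tag in FLOATING_TAGS:
            problems.append(f"floating tag '{effective_tag}' with no digest pin")
        else:
            problems.append(f"tag '{effective_tag}' is mutable; pin the image by digest")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest '{img.digest}'")
    return problems


if __name__ == "__main__":
    for candidate in ("node", "node:12", "ghcr.io/acme/app:1.0",
                      "node:12@sha256:" + "0" * 64):
        print(candidate, "->", evaluate(candidate) or "admit")
```

A check like this belongs at the point where manifests are admitted (a CI gate or an admission controller), because that is where a tag that was scanned yesterday can silently resolve to different content today. Digest pinning makes the scan result and the deployed artifact refer to the same bytes; signature verification, which the article also recommends, is a separate step layered on top of the pinned digest.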
The future of container security
Emerging technologies aim to tackle some common security issues associated with containerization. Below are a few examples of innovative software vendors hoping to capitalize on the pressing issue of unsolved container-related vulnerabilities.
Application identities powering zero trust cloud security
Aporeto, a cloud-native security startup, is changing the way teams look at protecting containers in the cloud. Instead of traditional IP address-based approaches, its newest product allows for distributed security policy enforcement at the application level. It’s designed to protect multi-cluster Kubernetes deployments with individual identities and policies for each application or workload.
Traditional cloud security technologies, on the other hand, rely on IP addresses to determine which network connection requests are approved. While the identity-based approach may increase the time spent managing and configuring individual firewalls, depending on the range and scale of your disparate applications, it would drastically reduce the time spent managing IP access control lists.
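To make the contrast concrete, the two Kubernetes NetworkPolicy objects below express the same intent (only the order service may reach the database) first by IP range and then by workload identity. This is an added illustration using Kubernetes' built-in policy API, not Aporeto's product or configuration; the namespace, labels, CIDR and port are assumptions.

```yaml
# IP-based: admits anything holding an address in the range, and needs editing
# whenever pods are rescheduled onto other addresses.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-ingress-by-cidr
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: orders-db
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.42.0.0/16   # assumed cluster pod range, so effectively "any pod"
      ports:
        - protocol: TCP
          port: 5432
---
# Identity-based: only workloads carrying the orders-api label in the same
# namespace may reach the database, wherever the scheduler places them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-ingress-by-identity
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: orders-db
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: orders-api
      ports:
        - protocol: TCP
          port: 5432
```

The second policy survives pod rescheduling and cluster scaling without edits, which is the time saving the paragraph above describes. The caveat a practitioner would add is that a label is only as trustworthy as the controls over who can create pods with it, so identity-based policy depends on tight RBAC over workload creation.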
Machine learning and AI for container self-protection
In early August, Sysdig announced new product functionality that brings machine learning-based anomaly detection and runtime profiling to enterprise Kubernetes systems. The tool helps DevOps and security teams automate security policy configuration using machine learning algorithms that process file system activity, network behavior, and system calls.
Additionally, the tool allows automated vulnerability scanning for continuous evaluation of applications, containers, and registry images. These capabilities prevent DevOps teams from putting images containing known vulnerabilities, like those listed on VulnerableContainers.org, into production.
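The runtime profiling idea above reduces to a simple shape: observe a workload's processes, system calls and network destinations during a learning window, then alert on anything outside that profile once it is running. The Python below, added here as an example and not Sysdig's code or algorithm, implements that shape as a learned allowlist keyed on the image the container runs. The events are constructed, not real telemetry; a real system would collect them from kernel instrumentation.

```python
"""Runtime profile learning and anomaly detection (added example; not Sysdig's code).

Learns one profile per workload image from a window of (process, syscall,
destination) events, then flags runtime events that fall outside it.
All events below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    image: str                   # workload identity: the image the container runs
    proc: str                    # process name issuing the syscall
    syscall: str
    dest: Optional[str] = None   # remote endpoint for connect(), else None


@dataclass
class Profile:
    allowed_calls: Set[Tuple[str, str]]   # (process, syscall) pairs seen in learning
    allowed_dests: Set[str]               # network destinations seen in learning


def learn(events: Iterable[Event]) -> Dict[str, Profile]:
    """Build one profile per workload image from a learning window."""
    profiles: Dict[str, Profile] = {}
    for e in events:
        p = profiles.setdefault(e.image, Profile(set(), set()))
        p.allowed_calls.add((e.proc, e.syscall))
        if e.dest:
            p.allowed_dests.add(e.dest)
    return profiles


def detect(profiles: Dict[str, Profile], events: Iterable[Event]) -> List[str]:
    """Return one alert string per runtime event that falls outside its profile."""
    alerts: List[str] = []
    for e in events:
        p = profiles.get(e.image)
        if p is None:
            alerts.append(f"{e.image}: no learned profile for this workload")
            continue
        if (e.proc, e.syscall) not in p.allowed_calls:
            alerts.append(f"{e.image}: unexpected {e.syscall} from process '{e.proc}'")
        if e.dest and e.dest not in p.allowed_dests:
            alerts.append(f"{e.image}: connection to unprofiled destination {e.dest}")
    return alerts


# Constructed learning window for a Node.js web workload.
BASELINE = [
    Event("web:1.4", "node", "openat"),
    Event("web:1.4", "node", "read"),
    Event("web:1.4", "node", "write"),
    Event("web:1.4", "node", "connect", "db.internal:5432"),
]

# Constructed runtime stream: normal activity plus two deviations.
RUNTIME = [
    Event("web:1.4", "node", "read"),
    Event("web:1.4", "node", "connect", "db.internal:5432"),
    Event("web:1.4", "sh", "execve"),                          # a shell in a web container
    Event("web:1.4", "node", "connect", "203.0.113.7:8443"),   # destination never seen in learning
]

if __name__ == "__main__":
    for alert in detect(learn(BASELINE), RUNTIME):
        print(alert)
```

Two design points follow from the article's framing. Keying the profile on the image identity is what lets the scanning step and the runtime step talk about the same artifact: a new image version is a new workload and gets a fresh learning window rather than inheriting a stale profile. And because a learned allowlist alerts on anything unseen, the learning window has to cover the workload's real behaviour (scheduled jobs, health checks, failover paths) or the first deviation it reports will be a false positive rather than a compromise.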
IT monoliths consuming container security startups
Most recently, McAfee announced its acquisition of NanoSec, an application workload protection solution. McAfee said it plans to utilize NanoSec’s underlying technology to simplify policy configuration and network access control within its MVISION Cloud products.
Luckily, the young container security market is expected to grow from $1.5 billion to more than $6 billion over the next five years, according to Grand View Research. Let’s hope this influx of money produces a dynamic and innovative market of solutions to tackle yet another emerging security issue for the evolving world of cloud applications.
As an analyst at G2, Aaron’s research is focused on cloud, application, and network security technologies. As the cybersecurity market continues to explode, Aaron maintains the growing market on G2.com, adding 90+ categories of security technology (and emerging technologies that are added regularly). His exposure to both security vendors and data from security buyers provides a unique perspective that fuels G2’s research reports and content, including pieces focused on trends, market analysis, and acquisitions. In his free time, Aaron enjoys film photography, graphic design, and lizards.