An effective container security policy relies on vulnerability management. Securing a container ecosystem means considering the development pipeline, as well as the applications and services deployed through that pipeline, throughout the lifecycle: from development and build, through to production. Any strategy that properly addresses container vulnerability management must also cover the orchestrator, the container hosts, and the underlying platform, not just the images themselves.
Vulnerability management is essential for container security
Container images are built in layers, with the base operating system as the foundation. Each layer depends on the layers beneath it, and a change to any layer invalidates every layer above it. It is therefore best practice to place the components that change most often (application code and configuration) toward the top of the stack and the stable base at the bottom, which limits how many components must be rebuilt, re-scanned and redistributed in each release.
Container images commonly grow over time as new libraries, agents, and configuration items arrive with each update. The extra volume makes scanning images for vulnerabilities slower and more complex, and every unneeded package is also additional attack surface that has to be tracked.
Containerized application vulnerabilities
Containerized applications can contain exploitable vulnerabilities, and those vulnerabilities can persist unnoticed in the lower, rarely rebuilt layers of an image when scanning is infrequent or incomplete. Images held in popular public registries are not immune.
Cybercriminals use a variety of techniques to encourage users to download malicious images, so every organization using container technology needs appropriate controls over where its images come from and how they are used. Processes to identify and patch vulnerabilities are essential to prevent exploitation.
Image scanning: Scanning container images for vulnerabilities matters because many images are pulled from remote sources and contain open source components, or components of unknown provenance. Routine inspection of every new image should be business as usual, particularly as new vulnerabilities are disclosed every day.
Management tools: Scanning tools that inspect containers, hosts, cloud services, and APIs can also surface host vulnerabilities and misconfiguration, excessive permissions, and exposed secrets, rather than image-level CVEs alone.
Management information: Reporting output should include the component metadata (name, installed version, and the image layer or file that introduced it) alongside the vulnerability information associated with that component, including its severity and the version that fixes it where one exists.
Put security with the developers: A shift-left approach means scanning all images (and their underlying components) as early as possible in the development lifecycle. Any image pulled from a public registry should be scanned when it is downloaded, before it is used as a base, and components should be scanned before they are included in a container image.
Vulnerability management in the pipeline: CI/CD pipelines should scan every built container image and fail the build when findings exceed the agreed severity threshold, so that only images that meet policy are pushed and deployed.
A continuous process: Images should be re-scanned periodically, and by default after each release. An image does not change once built, but new vulnerabilities are published against its components all the time, so an image that passed yesterday can fail today.
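The pipeline gate the preceding items describe, as an added example (not code from the original article or from any particular product): it reads a scanner report, flattens it into per-component rows of the kind the "Management information" item asks for, and fails the build when a fixable finding at or above the severity threshold is not covered by an unexpired exception. The report is a constructed sample whose field names follow Trivy's JSON output; the image name, CVE identifiers, package versions, and the expiry-dated exception format are placeholders chosen for this example.

```python
"""CI gate over a container image scan report (added example).

Flattens a scanner report into per-component findings and fails the build
when a finding at or above the severity threshold has a fix available and
is not covered by an unexpired, documented exception.
"""
import json
from datetime import date

# Constructed sample report. The shape (Results[].Vulnerabilities[]) and the
# field names are modelled on Trivy's JSON output; the image name, CVE ids,
# package versions and severities are placeholders, not a real scan.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/shop/api:1.4.2",
    "Results": [
        {
            "Target": "registry.example.com/shop/api:1.4.2 (debian 12.5)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.11-2",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
                 "InstalledVersion": "5.2.15-2", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "CRITICAL"},
            ],
        },
        # A clean target: scanners commonly emit null instead of an empty list.
        {"Target": "usr/bin/app", "Type": "gobinary", "Vulnerabilities": None},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten a report into one row per (target, component, vulnerability).

    Each row carries the component metadata (target, package, installed and
    fixed version) alongside the vulnerability id and severity.
    """
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            rows.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or None,  # "" means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return rows


def gate(report_json, threshold="HIGH", ignore_unfixed=True,
         exceptions=None, today=None):
    """Decide whether the build may proceed; returns (passed, blocking_findings).

    `exceptions` maps a vulnerability id to an ISO expiry date (a hypothetical
    format for this example). An exception suppresses a finding only until that
    date, so every accepted risk carries a remediation deadline.
    """
    exceptions = exceptions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = []
    for f in findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < min_rank:
            continue
        if ignore_unfixed and f["fixed"] is None:
            continue  # nothing to upgrade to yet; stays in the re-scan queue
        expiry = exceptions.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # documented, unexpired exception
        blocking.append(f)
    return (not blocking), blocking


def format_findings(rows):
    """One line per finding, in the order the scanner emitted them."""
    return "\n".join(
        f"{r['severity']:<8} {r['id']:<15} {r['package']} {r['installed']}"
        f" -> {r['fixed'] or 'no fix'}  ({r['target']})"
        for r in rows
    )


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    print(format_findings(blocking) or "no blocking findings")
    raise SystemExit(0 if passed else 1)
```

In a pipeline you would feed the scanner's JSON into gate() and use the exit status to stop the push. The expiry on each exception is what turns "accepted for now" into a remediation deadline, and ignore_unfixed stops findings with no available fix from blocking every build while the periodic re-scan keeps them visible.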
Managing container vulnerabilities
If scanning identifies vulnerabilities, the resulting risks can be mitigated or reduced in several ways. The initial assessment should record a severity score against each vulnerability to establish the risk it represents, ideally expressed in terms of likelihood and impact. It is also important to formalize a plan and timeline to address and remediate each vulnerability. Efficient management of container vulnerabilities includes taking steps to:
Attribute vulnerabilities: Map each vulnerability to the image and component that introduces it and to the containers that run that image, so that exposure is visible and mitigation effort goes where it has most effect.
Reduce the attack surface: Remove unused components from the container image, particularly those in lower layers that are no longer needed or have been superseded. Starting from a minimal base image keeps this list short.
Keep software components up to date: Upgrade a component when a new version is available. Security issues in third-party code are unlikely to be unique to your organization and have often already been fixed in a newer release.
Limit access to approved images and image registries only: Using a defined set of approved container images makes monitoring for vulnerabilities easier, and restricting which registries can be pulled from reduces the risk of unknown vulnerabilities arriving in images of unknown origin. Adopt tools and processes that enforce that rule rather than relying on convention. Image signing, and pinning deployments to an image digest rather than a mutable tag, let you verify that what runs is exactly the image that was scanned and approved.
Use least privilege at runtime: The principle of least privilege should be enforced as a matter of course. An exploit typically gives an attacker the same privileges as the application or process exploited, so running every application and process with the minimum permissions needed for its task (a non-root user, no unnecessary capabilities, no privileged mode) limits the consequences of a successful exploit.
Whitelist files: Limiting access to specific files ensures your containers can only read and execute the binaries you define. Besides promoting stability in the container environment, this also limits what an attacker can do after a successful exploit.
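The assessment and attribution steps above (recording likelihood and impact, mapping vulnerabilities to the containers that carry them, and weighting by runtime privilege), as an added example that is not part of the original article: it joins a constructed runtime inventory to constructed scan results by image digest, scores each (container, vulnerability) pair, and groups the result into a remediation plan ordered by risk and by how many containers one image rebuild would fix. The weighting factors, container names, digests, and CVE identifiers are hypothetical.

```python
"""Attribute image vulnerabilities to running containers and rank them
for remediation (added example; the weights are a hypothetical scheme)."""
from collections import defaultdict

# Constructed runtime inventory: each running container, the digest of the
# image it was started from, and the runtime facts that change likelihood
# (reachable from the internet?) and impact (root? privileged?).
CONTAINERS = [
    {"name": "shop/api-7f9c", "image": "sha256:aaaa",
     "internet_facing": True, "root": False, "privileged": False},
    {"name": "shop/api-b21d", "image": "sha256:aaaa",
     "internet_facing": True, "root": False, "privileged": False},
    {"name": "shop/worker-3e1a", "image": "sha256:aaaa",
     "internet_facing": False, "root": True, "privileged": False},
    {"name": "infra/log-agent-9c0f", "image": "sha256:bbbb",
     "internet_facing": False, "root": True, "privileged": True},
    {"name": "shop/cache-51ab", "image": "sha256:cccc",
     "internet_facing": False, "root": False, "privileged": False},
]

# Constructed scan output keyed by image digest (ids and scores are placeholders).
SCAN_RESULTS = {
    "sha256:aaaa": [
        {"id": "CVE-0000-0001", "package": "libssl3", "cvss": 7.5, "fixed_version": "3.0.11-2"},
        {"id": "CVE-0000-0002", "package": "bash", "cvss": 3.1, "fixed_version": None},
    ],
    "sha256:bbbb": [
        {"id": "CVE-0000-0003", "package": "glibc", "cvss": 9.8, "fixed_version": "2.36-9+deb12u5"},
    ],
    "sha256:cccc": [],
}


def likelihood_factor(container):
    """Exposure weight: internet-facing keeps the full base score, internal-only
    is discounted (hypothetical weights)."""
    return 1.0 if container["internet_facing"] else 0.6


def impact_factor(container):
    """Blast-radius weight: an exploit inherits the process's privileges, so
    root and privileged containers score higher (hypothetical weights)."""
    factor = 1.0
    if container["root"]:
        factor *= 1.2
    if container["privileged"]:
        factor *= 1.5
    return factor


def attribute(containers, scan_results):
    """One risk row per (container, vulnerability): every finding in an image
    is mapped to each running container built from that image."""
    rows = []
    for c in containers:
        for v in scan_results.get(c["image"], []):
            risk = min(10.0, v["cvss"] * likelihood_factor(c) * impact_factor(c))
            rows.append({
                "container": c["name"], "image": c["image"],
                "id": v["id"], "package": v["package"], "cvss": v["cvss"],
                "risk": round(risk, 2), "fixed_version": v["fixed_version"],
            })
    return rows


def remediation_plan(containers, scan_results):
    """Group attributed rows by (image, vulnerability). One rebuild of the image
    fixes every container running it, so the plan is ordered by the highest
    risk any affected container carries, then by how many containers one fix
    would cover."""
    groups = defaultdict(list)
    for row in attribute(containers, scan_results):
        groups[(row["image"], row["id"])].append(row)
    plan = []
    for (image, vuln_id), rows in groups.items():
        plan.append({
            "image": image, "id": vuln_id, "package": rows[0]["package"],
            "fixed_version": rows[0]["fixed_version"],
            "fix_available": rows[0]["fixed_version"] is not None,
            "containers": sorted(r["container"] for r in rows),
            "max_risk": max(r["risk"] for r in rows),
        })
    plan.sort(key=lambda p: (-p["max_risk"], -len(p["containers"])))
    return plan


if __name__ == "__main__":
    for item in remediation_plan(CONTAINERS, SCAN_RESULTS):
        fix = (f"upgrade {item['package']} to {item['fixed_version']}"
               if item["fix_available"] else "no fix yet: re-scan and mitigate")
        print(f"{item['max_risk']:>5}  {item['id']}  {item['image']}  "
              f"{len(item['containers'])} container(s)  {fix}")
```

Two points the plan makes visible that a flat CVE list does not: the privileged log agent's single finding outranks the higher-volume API finding because a compromise there inherits host-level rights, and the libssl3 entry shows that one rebuild of sha256:aaaa clears three containers at once. Findings without a fixed version stay on the list with their mitigation owner rather than dropping out of view.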
Simplifying container vulnerability management
A container security platform reduces risk in containerized environments across the software development lifecycle by identifying vulnerabilities, establishing their severity, and helping to prioritize remediation. It should scan all file types across all container registries against a single security policy, so that the same rules apply wherever an image lives.
Scanning container images in the CI/CD pipeline, before they are pushed to a registry, identifies vulnerabilities and exposed secrets while they can still be fixed without a production change. Regular scans of the registries complement this by catching vulnerabilities disclosed after an image was stored but before it is deployed to a runtime environment. Finally, ongoing scanning of images at runtime ensures that vulnerabilities, exposed secrets, malware, and misconfiguration are identified as quickly as possible.
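Connecting the registry and digest controls from "Limit access to approved images and image registries only" to the pipeline-to-runtime flow described above, as an added example that is not from the original article or from any specific admission controller: it parses an image reference the way Docker and OCI clients do, rejects references from unapproved registries or without a digest, and checks the digest against the set of digests the pipeline scan approved, so the image that reaches runtime is the exact artefact that was scanned. The registry names, digests, and policy values are placeholders.

```python
"""Admission-style check that a workload uses only approved, digest-pinned
images (added example; registries, digests and policy are placeholders)."""
import re

APPROVED_REGISTRIES = {"registry.example.com", "mirror.example.com:5000"}

# Constructed set of digests that passed the pipeline scan (the "fingerprints").
APPROVED_DIGESTS = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into registry, repository, tag and digest.

    Follows the rules Docker/OCI clients use: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    registry is docker.io, where a single-component name lives under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A ':' after the last '/' introduces a tag (a ':' before it is a port).
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def check_image(ref, approved_registries=APPROVED_REGISTRIES,
                approved_digests=APPROVED_DIGESTS):
    """Return the list of policy violations for one image reference
    (an empty list means the image is allowed)."""
    parts = parse_reference(ref)
    violations = []
    if parts["registry"] not in approved_registries:
        violations.append(f"registry {parts['registry']} is not approved")
    if parts["digest"] is None:
        # A tag can be re-pushed; only a digest ties the deployment to what was scanned.
        violations.append("image is not pinned by digest")
    elif not DIGEST_RE.match(parts["digest"]):
        violations.append("malformed digest")
    elif approved_digests is not None and parts["digest"] not in approved_digests:
        violations.append("digest has not passed the pipeline scan")
    return violations


def check_workload(images, **policy):
    """Evaluate every container image in a workload; returns {ref: violations}."""
    return {ref: check_image(ref, **policy) for ref in images}


if __name__ == "__main__":
    # Constructed workload: one compliant image, one that fails every rule.
    sample = ["registry.example.com/shop/api:1.4.2@sha256:" + "a" * 64, "nginx:latest"]
    for ref, problems in check_workload(sample).items():
        print(ref, "->", "allowed" if not problems else "; ".join(problems))
```

Pinning by digest is what makes the pipeline scan meaningful at deploy time: a tag such as 1.4.2 can be overwritten in the registry after it was scanned, while the digest cannot. An admission controller applying this check would also be the natural place to verify the image signature, which this example leaves out.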