Container security: the foundation of true cybersecurity

When ocean shipping companies began using newly invented truck-sized containers for cargo in 1956, the emerging standard eliminated manual loading and, nearly overnight, created huge bottom-line savings and efficiencies that still shape the global economy today. Within just a couple of years, the switch to “containerisation” brought shipping costs down from $5.86 per ton to an astonishing 16 cents. Standardised steel containers also kept goods separate and secure during their long transits between ports of call.

Today, the same general concept is gaining traction in an entirely different industry: software. So-called software “containers”, composed of applications or pieces of applications, have become the new building blocks of digital products in every market you can imagine. Just as shipping containers arrive in port and have to be inspected, so must digital containers: their software payloads must be examined for security flaws before they are released, so that no exploitable vulnerability reaches production.

In an era when the Internet has become the primary turf for reaching and selling to customers, and when the Internet of Things has made the typical enterprise exponentially more complex to manage, businesses are accelerating software development and rollout for competitive advantage, so that they can much more rapidly create new business models and ecosystems, products and services. Amazon engineers release code, on average, every 12 seconds. Netflix, similarly, releases code thousands of times every day.

This frenetic build-out has raised the bar on complexity, as IT organisations are being rebuilt around a fast-growing discipline, called DevOps, to help them scale their digital operations. With IoT, mobile and cloud technologies enmeshed in every element of the enterprise, one major consequence is that security has become increasingly complex. For just about every company, the “attack surface” that intruders can exploit, penetrate and plunder data through has expanded exponentially as well. Meanwhile, computing has become a utility like electricity: no longer fixed but elastic, in that it can be scaled in milliseconds by a few keystrokes or entirely through automation.

All of this sharply contrasts with how things looked a decade or so ago when companies guarded their networks with firewalls that established a digital moat to prevent intruders from penetrating and stealing data. Companies were also able to keep tabs on what computing assets they had and where they were.

Today, there is no real perimeter. Amazon, Microsoft, and Google, arguably, operate much of a typical company’s infrastructure. Data centres are now distributed and typical Fortune 1000 companies manage anywhere between 60 and 80 different security technologies, which means they have 60 to 80 platforms to log into. That’s enough to cause an ulcer for any CSO.

The mad dash to digital has left some gaping security holes, typically because protection gets baked in late in the game in these fast-paced software build-outs. In an era when people push code around the clock, businesses need a security counterweight to all that chaos. Put simply, it is akin to building a home and installing a thermostat to monitor temperature, along with other control systems to look after the entire environment.

Container security is shored up by putting in place vulnerability and malware detection, container inspection and continuous monitoring, and by making sure every container reaching production status is secure and compliant with enterprise policy. What’s more, a business also needs good visibility into its cloud computing platforms so that it can understand its vulnerabilities.

In order to do container security well, you need to focus on three fundamental objectives:

1. Provide Deeper Analysis

First, providing a deeper and more rigorous analysis to check for things like OS and library vulnerabilities is key to container security. This is because a vulnerability in a shared OS kernel can provide a potential way out of a compromised container. Containers require a higher level of rigour because active network scans can miss most vulnerabilities. On top of that, containers typically don’t include the SSH daemon, so credentialed scans don’t work with most containers. Microservices and containers can introduce hundreds of endpoints and erode the visibility of security risks. Security teams should adopt solutions that allow for continuous monitoring, and should monitor container images for vulnerabilities during development and before deployment.

The use of open source code in the software supply chain also introduces the standard supply chain risks. By integrating deeper analysis into the software development lifecycle or DevOps toolchain, organisations can catch security risks before software is deployed to production environments, often preventing breaches before they happen.

2. Improve Inspection Speed

Improving inspection speed is also key, so that developers don’t face long waits to get code into production. Application security assessments need to move in lockstep with the engineers developing the applications. In traditional waterfall environments, it was acceptable to wait 30 days for an application security assessment to complete, because software was released on an infrequent schedule. However, with organisations that embrace DevOps releasing code multiple times a day, those same security assessments need to happen multiple times a day. Instead of taking weeks, security tests need to start and complete within the bounds of a normal application build process. Nowadays, enterprise application compile times are measured in minutes, meaning the security tests should also be measured in minutes and shouldn’t inflate build times too dramatically.

3. Make Your System Scalable

Lastly, larger organisations need to build scalable security for their containers. For organisations with large development teams, this means moving security into the development pipeline for real-time security auditing. Security is baked into containers before they are ever deployed onto networks, so that the system can easily be scaled.
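The three objectives above amount to a build-stage gate: image scan findings are evaluated against enterprise policy inside the build, in seconds, and only compliant images are promoted. The following is an added illustration written for this article, not code from the author or from Tenable; the scan findings, the policy thresholds, the CVE identifiers (placeholders) and the `evaluate`/`gate` functions are all constructed assumptions.

```python
"""Build-stage policy gate over container image scan findings (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    package: str             # OS package or library found in the image
    installed: str           # version present in the image
    fixed_in: Optional[str]  # version carrying the fix, None if no fix exists yet
    severity: str            # LOW / MEDIUM / HIGH / CRITICAL
    vuln_id: str             # advisory identifier (placeholders below)

# Assumed enterprise policy: any CRITICAL blocks promotion; a HIGH blocks only
# when a fixed version already exists (i.e. the image simply was not rebuilt).
# Everything else is reported to the developer but does not fail the build.
BLOCK_ALWAYS = {"CRITICAL"}
BLOCK_IF_FIXABLE = {"HIGH"}

def evaluate(findings: Iterable[Finding],
             exceptions: frozenset = frozenset()) -> Tuple[bool, List[Finding], List[Finding]]:
    """Return (allowed, blocking_findings, advisory_findings) for one image."""
    blocking, advisory = [], []
    for f in findings:
        fixable = f.fixed_in is not None
        if f.vuln_id in exceptions:  # documented, time-boxed risk acceptance
            advisory.append(f)
        elif f.severity in BLOCK_ALWAYS or (f.severity in BLOCK_IF_FIXABLE and fixable):
            blocking.append(f)
        else:
            advisory.append(f)
    return (not blocking, blocking, advisory)

def gate(findings: Iterable[Finding], exceptions: frozenset = frozenset()) -> int:
    """CI entry point: print a short verdict and return the process exit code."""
    allowed, blocking, advisory = evaluate(findings, exceptions)
    for f in blocking:
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available"
        print(f"BLOCK {f.vuln_id} {f.package} {f.installed} ({f.severity}): {fix}")
    for f in advisory:
        print(f"WARN  {f.vuln_id} {f.package} {f.installed} ({f.severity})")
    print("image promoted" if allowed else "image rejected")
    return 0 if allowed else 1

# Constructed scan output for a hypothetical image; identifiers are placeholders.
SAMPLE_FINDINGS = [
    Finding("openssl", "1.1.1k", "1.1.1n", "HIGH", "CVE-0000-0001"),
    Finding("zlib", "1.2.11", "1.2.12", "CRITICAL", "CVE-0000-0002"),
    Finding("curl", "7.74.0", None, "HIGH", "CVE-0000-0003"),
    Finding("bash", "5.1", "5.1.8", "LOW", "CVE-0000-0004"),
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_FINDINGS))
```

In a real pipeline the `SAMPLE_FINDINGS` list would be replaced by the parsed output of whichever image scanner the organisation runs, and the exception set would come from a reviewed, expiring allow-list rather than a constant.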

Most intruders look for vulnerabilities to exploit because they know most companies don’t keep up with updating their software with the latest fixes. If software updates or patches are not in place, that means a door has been left open. It’s important to remember that security is like managing any other form of risk or any other aspect of a company’s operations. Most companies have no idea about their technology profile and hence no idea where they’re exposed. We call this the Cyber Exposure gap, and it includes their exposure in the containers spread across their digital enterprise.

The road ahead is paved with software to create this new digital megalopolis. Firms that recognise and seek to understand their exposure, and that have a thoughtful process in place to methodically understand and reduce risk, will leave their competitors in the dust. Those that look the other way, or that aren’t getting ahead of software security issues now, will join the long list of organisations (Equifax, Target, Yahoo!) that will likely pay a hefty price.

Anthony Bettini, Senior Director of Software Engineering, Tenable