The CyberEdge Group recently published its sixth annual Cyberthreat Defense Report that includes a variety of interesting findings from a vendor-agnostic survey of IT security decision-makers and practitioners. Among its conclusions, the report’s authors carefully identify the areas of security that need the most “proactive attention and investment.” Container security was, for the second year in a row, one of the areas on which they focused their advice, in large part because survey respondents identified containers as the IT component they felt least able to defend against cyberthreats.
Container security has not kept pace with the rapid adoption of cloud native architectures and container infrastructure and, as a result, application containers continue to be among the weakest links in organizations’ defenses. Clearly recognizing the potential security risk, respondents also cited containers as the leading technology they plan to acquire.
A Strategic Approach to Container Security
According to the sixth annual Cyberthreat Defense Report, organizations need to take a more strategic approach to container security to bring their defenses to the next level. The reliance on tactical security efforts that emphasize vulnerability scanning constricts DevOps teams’ abilities to realize many of the gains cloud native architectures and containers deliver, including more efficient application updates and deployments, improved resource utilization, and scalability.
Looking at the common security gaps in respondents’ container stacks, the “next level” capabilities that teams need to look for in a container security platform are:
- Context-based prioritization of all vulnerability and configuration findings: In short, CVEs aren’t enough. The same vulnerability poses a higher risk in a publicly exposed production service than in an isolated development container. The ability to weave together a broad set of declarative information from your container orchestrator to stack-rank an organization’s riskiest deployments is critical. Without this context, teams will not be able to ascertain which assets need immediate attention and why. Think of this issue as the Equifax problem — everyone knew Struts was a key vulnerability. The team there just didn’t have the information to know that THIS instance of Struts was putting them at higher risk than other instances. Having this context can only be achieved with a container security solution that is both container native and Kubernetes native — much of the information informing risk prioritization depends on a container security solution that integrates deeply with the Kubernetes platform.
- Threat/anomaly detection that automatically accounts for changing application behavior: Most container security platforms take an initial snapshot of an environment and then alert on future anomalies. This approach falls far short and leads to alert fatigue. When a security tool flags subsequent application changes — which happens frequently in containerized environments — teams will be left chasing false positives, opening the potential for missed vulnerabilities, delayed development timelines and even stalled operations. Solutions that leverage behavior modeling, particularly for detection during the runtime phase of the container life cycle, will track how application behavior changes over time and so can cut down on false alarms associated with simple application changes.
- Continuous posture improvement through automated, cross-phase sharing of security information: The process of Continuous Integration and Continuous Deployment (CI/CD) has become the de facto standard for software development, driven by the adoption of DevOps principles, to generate more flexible, secure and agile applications and infrastructure. CI/CD is at the heart of DevOps, and an effective container security solution should use these principles to continuously improve the security posture of an environment. The ability to leverage information learned during build and deploy phases of the container life cycle to inform alerts during runtime is critical in “next level” container security. Similarly, runtime data, including exploits detected, should be used to adjust configurations for subsequent build and deploy phases. This continuous hardening is key to consistently and constantly improving container and Kubernetes security postures.
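To make the first capability concrete, here is an added example (not from the report or from any vendor's product) of context-based prioritization: every deployment in a constructed inventory carries the same high-severity finding, and only Kubernetes context (namespace, exposure, privileged/hostNetwork/root settings) separates them. The weights, the deployment names and the `CVE-PLACEHOLDER` identifier are assumptions chosen for illustration.

```python
"""Rank deployments that share one vulnerability by their Kubernetes context.
Constructed example; weights are illustrative assumptions, not a standard."""
from dataclasses import dataclass

# Assumed context multipliers. A real platform would derive these from policy
# and from declarative objects (Services, Ingresses, pod securityContexts).
WEIGHTS = {
    "prod_namespace": 1.5,  # workload runs in a production namespace
    "exposed": 2.0,         # reachable via LoadBalancer/NodePort Service or Ingress
    "privileged": 1.5,      # securityContext.privileged=true on some container
    "host_network": 1.3,    # hostNetwork: true in the pod spec
    "runs_as_root": 1.2,    # no runAsNonRoot constraint
}


@dataclass(frozen=True)
class Deployment:
    name: str
    namespace: str
    cve: str        # identifier of the finding (placeholder below)
    cvss: float     # base severity of that finding, context-free
    exposed: bool
    privileged: bool
    host_network: bool
    runs_as_root: bool


def risk_score(d: Deployment) -> float:
    """Scale the finding's base severity by the deployment's exposure context."""
    score = d.cvss
    if d.namespace.startswith("prod"):
        score *= WEIGHTS["prod_namespace"]
    for flag in ("exposed", "privileged", "host_network", "runs_as_root"):
        if getattr(d, flag):
            score *= WEIGHTS[flag]
    return round(score, 2)


def rank(deployments):
    """Return (name, score) pairs, riskiest deployment first."""
    scored = ((d.name, risk_score(d)) for d in deployments)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inventory: the SAME finding (same CVSS) in three contexts.
INVENTORY = [
    Deployment("api-gateway", "prod-web", "CVE-PLACEHOLDER", 9.8, True, False, False, True),
    Deployment("batch-worker", "prod-jobs", "CVE-PLACEHOLDER", 9.8, False, True, True, True),
    Deployment("dev-sandbox", "dev", "CVE-PLACEHOLDER", 9.8, False, False, False, True),
]

if __name__ == "__main__":
    for name, score in rank(INVENTORY):
        print(f"{score:6.2f}  {name}")
```

Identical CVSS values produce very different scores once exposure and privilege are taken into account, which is exactly the information a CVE-only view cannot provide.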
Bringing It All Together: Aligning DevOps and Security
Supporting these three capabilities is essential for container security tools to provide the full set of functionality needed to protect containerized environments. But those features aren’t enough — organizations must also foster collaboration and alignment between DevOps and security teams to fully realize the advantages of container security.
“Next level” container security solutions must seamlessly integrate into the organization’s DevOps practices and tools, including integration with CI/CD systems, deployment tools, container registries, and other security products. They must also leverage the native controls in the cloud native development stack — particularly in Kubernetes — to enable robust, scalable security and ensure DevOps and security teams share a common source of truth about the security policies in place. Shifting IT workflow and integrating the tools needed to bring security earlier into the DevOps processes will accelerate transformation initiatives, improve application development and unlock new operational efficiencies.