In the chain of events that defines the modern evolutionary path of the application — a path that now includes microservices, persistent containers, orchestrators, monitors, and “kubelets” — when does the security part begin? We’ve talked in recent years about “baking security into” applications. But now that hyperscale applications are becoming, by definition, aggregates of correlated functions, there’s no longer a single “baking” process, if you will.
So the issue of containerization security shifts back to where it began in 2014, with the question of whether a secure system can compensate for insecure communication.
“There’s a lot more responsibility that’s on the developer, or at least in the developer’s workflow, to secure that application,” said John Morello, chief technology officer for container security platform provider Twistlock, speaking on this latest episode of The New Stack Makers podcast, in an interview done for our upcoming eBook, “The State of the Kubernetes Ecosystem.”
“Because unlike that world of [virtual machines] in which you may deploy WordPress out there one day, and then your operations team is going to scan that environment with Nessus or Qualys or a tool such as that, and find some vulnerabilities, then SSH into that VM and update the components in that VM… in the new world of containers, your developers need to know that, because your developers need to recreate the images that are vulnerable. And then they need to deploy those new images to replace whatever’s out there.”
In This Edition:
2:20: How the components of distributed systems should interact with users and each other.
5:08: Making sure the right people are integrated into the process at the right time.
9:24: What has to change for an organization that has adopted a CI/CD infrastructure?
18:12: The reality of operational tools and practices used when securing containers.
21:19: The process of developing non-vulnerable code from the very beginning and enforcing better communication in code.
23:39: Is there anything Kubernetes needs to do to facilitate a stronger security landscape?
Twistlock is a sponsor of The New Stack.