Why Container Security Has No Easy Answers
VMware sponsored this podcast.
There are many opinions out there about what your organization must do — or buy — to make sure container environments are secure. But taking a step back, containers stand on the shoulders of open source, and the security and compliance processes that teams have learned during the past decades remain applicable in many instances.
At the same time, container security has its own set of rules and best practices that are often less than apparent. Worse still, much of the confusion around open source security remains, further compounding the challenges.
“If I look at the container environment, we’re kind of back in the bad old days where the container Dockerfile may have a license, but almost always it is not the license for all of the software that is included in the container, which usually contains many components,” Dirk Hohndel, vice president and chief open source officer at VMware, said. The quintessential question, Hohndel says, is how do you find secure containers and “ensure that the one that you have is actually secure?”
In this latest episode of The New Stack Makers podcast, host Alex Williams discusses the status of compliance and security now that containers are becoming such a core part of open infrastructure. He is joined by VMware’s Hohndel and Andrew Wilson, a long-time chief open source compliance officer at Intel.
Wilson leveraged his deep experience on the topic to show how the historic background, as well as many of open source security’s shortcomings, continues to plague container security as well.
“I always came across the widespread misconception that open source and public domain were the same thing. Or if there is no explicit copyright notice on this piece of code, then it must be public domain and therefore I can do anything that I want with it and there are no compliance issues. And that’s just plain wrong… You really should assume that any piece of code that you find is copyrighted by someone,” Wilson said. “Your requirements from that license might be very minimal, as with permissive licenses, or they might be maximal and defined by something like the GPL family of licenses, which have some obscure corner cases.”
For containers, it is very often standard practice to download binaries from Docker Hub, “and then possibly add layers on top of them and run them in the production environment,” Hohndel said. “And there is very little in this infrastructure that helps you identify what is the actual content of those binaries.”
“Do I know what’s inside the container or if there are any backdoors or if there is any spyware in it?” Hohndel said. These questions “typically don’t get answered in the container environment and that’s really why I’ve been trying to talk about this topic for a couple of years now.”
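The two gaps Hohndel describes, not knowing which base image was really pulled and not knowing what is in the layers stacked on top of it, can be narrowed with checks that run before an image reaches production. The Python script below is an added example written for this page; it is not code from the podcast, VMware, or Intel. It flags Dockerfile `FROM` lines that reference a mutable tag instead of an immutable `@sha256:` digest, and it verifies that every layer digest listed in an OCI/Docker image manifest matches the SHA-256 of the blob actually held. The sample Dockerfile, manifest, and layer bytes are constructed for the example, and the `nginx@sha256:aaaa…` digest is a placeholder, not a real image.

```python
"""Added example: two offline provenance checks for container images.

1. unpinned_base_images(): find FROM references that depend on a mutable tag
   (or no tag at all) rather than an immutable content digest.
2. verify_layers(): confirm that each layer in an image manifest matches the
   sha256 of the blob we hold, catching missing or altered layers.
All inputs below are constructed for this example.
"""
import hashlib
import re

# FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE
)
# An immutable reference ends in @sha256:<64 hex chars>
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return every FROM reference that is not pinned to a sha256 digest."""
    findings = []
    for line in dockerfile_text.splitlines():
        match = FROM_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.lower() == "scratch":  # empty base, nothing pulled
            continue
        if not DIGEST_RE.search(ref):
            findings.append(ref)
    return findings


def _digest(data):
    """Content digest in the registry's 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_layers(manifest, blobs):
    """Check each manifest layer against the bytes in the blob store.

    manifest: dict parsed from an OCI / Docker schema v2 image manifest.
    blobs: dict mapping 'sha256:<hex>' -> bytes (stands in for a blob store).
    Returns (verified, missing, mismatched) lists of layer digests.
    """
    verified, missing, mismatched = [], [], []
    for layer in manifest.get("layers", []):
        digest = layer["digest"]
        data = blobs.get(digest)
        if data is None:
            missing.append(digest)
            continue
        size_ok = len(data) == layer.get("size", len(data))
        if size_ok and _digest(data) == digest:
            verified.append(digest)
        else:
            mismatched.append(digest)
    return verified, missing, mismatched


# --- constructed sample inputs -------------------------------------------
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
FROM --platform=linux/amd64 nginx@sha256:%s AS web
FROM ubuntu
FROM scratch
""" % ("a" * 64)  # placeholder digest, not a real image

GOOD = b"constructed layer tarball bytes #1"
ORIGINAL = b"constructed layer tarball bytes #2"
TAMPERED = b"constructed layer tarball bytes #2 + injected file"
ABSENT = b"constructed layer that was never fetched"

SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "layers": [
        {"digest": _digest(GOOD), "size": len(GOOD)},
        {"digest": _digest(ORIGINAL), "size": len(ORIGINAL)},
        {"digest": _digest(ABSENT), "size": len(ABSENT)},
    ],
}
# The blob store holds the good layer, a tampered copy under the original
# layer's digest, and nothing at all for the third layer.
SAMPLE_BLOBS = {_digest(GOOD): GOOD, _digest(ORIGINAL): TAMPERED}


if __name__ == "__main__":
    print("unpinned FROM references:", unpinned_base_images(SAMPLE_DOCKERFILE))
    ok, missing, bad = verify_layers(SAMPLE_MANIFEST, SAMPLE_BLOBS)
    print("verified:", ok)
    print("missing:", missing)
    print("mismatched:", bad)
```

Digest pinning answers only "is this the image I reviewed?"; it says nothing about what the layers contain, which is why the layer check is paired with it here and why, in practice, the next step is generating a package and license inventory for each verified layer.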
Feature image via Pixabay.