Organizations, from government agencies to financial institutions, are constantly seeking modern technology to optimize operations and benefit the public. Especially in a time where speed is of the essence and information travels fast, being able to operate quickly has become a cornerstone for most software developers. Enter containers: lightweight, standalone packages of software that include everything needed to run an application.
They’re widely used to develop, deploy and maintain web applications in the cloud and offer a fast and portable method of packaging software code. This enables applications to run quickly and reliably across different computing environments. While containers empower organizations to operate fast, they do come with their own set of risks, and container security is a growing concern. In fact, demand to bridge the gap is increasing rapidly, with the global container security market size expected to reach $3.9 billion by 2027.
The risk in containers
Security risks in containers include vulnerabilities introduced through additional software, poorly managed secrets (like Amazon Web Services keys and credentials in Dockerfiles), and security misconfigurations. Malware embedded in container images is also a common threat. In August 2021, Docker, a platform enabling users to develop, share and run applications, discovered five malicious container images with hidden code that exploited the systems of 120,000 users.
Some countries are taking proactive measures to counter security risks with containers. In the U.S., for instance, the General Services Administration’s Data Center and Cloud Optimization Initiative Program Management Office released a Containerisation Readiness Guide to help agencies through container adoption. And in the UK, the Department for Work and Pensions has taken proactive steps by publishing The Security Standard – Containerisation.
Securing containers: A crucial part of cybersecurity
Vulnerability management tools used in traditional models assume that a given server runs the same set of applications consistently. This isn't true with containers. Different applications can be loaded on to different servers, depending on resource availability.
These tools are not equipped to detect vulnerabilities within containerized architectures. As for security teams, the lack of visibility into containers prevents them from easily detecting issues within the code. What's more, containers are rarely scanned for vulnerabilities before being released into production, which could be disastrous if not addressed.
John Smith is the Chief Technology Officer in EMEA, Veracode.
With cyberattacks on the rise, organizations must ensure their container security is up-to-date to prevent compromises. Effective security means taking a proactive approach to testing and analyzing vulnerabilities. As such, organizations should consider deploying on-demand, SaaS-based testing services that provide DevSecOps teams with continuous security analysis baked into the software development life cycle (SDLC) from beginning to end.
Securing containers requires a ‘shift left’ approach so that developers receive remediation advice early in the SDLC, mitigating the risk of sending insecure containers to production. Once in production, containers host cloud-native applications and IT administrators can adjust configurations, which could open up new risks. Therefore, organisations must secure containers from day one and monitor them consistently to ensure potential threats can be identified and fixed immediately.
SBOM for Container Images?
Software security and software supply chain risk management have become increasingly important, especially since the global cyberattack on Solar Winds—one of the largest cybersecurity breaches of the 21st century. This led to the emergence of an essential building block for software security: a Software Bill of Materials (SBOM), which is an inventory of ‘ingredients’ that make up a software artifact. Some developers of container platforms have already implemented commands to generate SBOMs for their container images.
Veracode is keeping a close eye on the progress of SBOMs and emerging standards, such as Supply Chain Levels for Software Artifacts (SLSA). SLSA is a comprehensive security framework that provides checklists of standards and controls used to prevent tampering, improve integrity, and secure packages and infrastructure in projects.
Now, more than ever, container security programs must become an integral part of any DevSecOps strategy. The Veracode State of Software Security (SoSS) 2023 reported that 32 percent of apps contain flaws during the first scan, and that figure increases to 70 percent by the five-year mark. With so much at stake, achieving continuous software security must be a priority for organisations. After all, containers aren’t just a route to greater efficiency and faster development - their security is critical for the safety of society.