Organizations have begun embracing containers due to their simplicity and to the fact that they allow for a faster development and deployment velocity. Although developers are thrilled with containers because they allow them to deliver solutions more quickly, security teams are sometimes cringing. Why? Because they aren’t always sure of those container pipelines are secure.
Enter vulnerability management.
To ensure the security of your development pipeline, as well as the security of the apps produced via that pipeline, you need to implement an effective vulnerability management strategy. You need to secure and protect your container ecosystem – from build to run. You need to protect your pipeline, your containers, and your apps against vulnerabilities throughout the entire container lifecycle – from development to deployment. In addition, you need to ensure that you protect all of your container orchestrators, hosts, and platforms.
In this blog post, we’ll take a look at five ways to manage vulnerabilities in your container environment and in your development pipeline. When you’re ready to take your vulnerability management knowledge to the next level and certify your skills, then check out AZ-500 Exam Preparation: Microsoft Azure Security Technologies. The AZ-500 exam is Microsoft’s new role-based certification program to earn the Microsoft Certified: Azure Security Engineer Associate certification.
Ensure vulnerability management is part of your container development lifecycle
A vulnerability management plan that’s integrated throughout your entire container development lifecycle makes it easier to identify and resolve security concerns before they become serious problems for your organization.
There are several steps that you can take to ensure that you implement a robust vulnerability management solution. For example, you should always be scanning for new vulnerabilities – on a continuous basis. Image vulnerabilities that are identified should be mapped to running containers. You should also ensure that your team is only using approved images and registries in your environment.
Another key step that you can take to manage vulnerabilities is the enforcement of least privileges in runtime. By enforcing least privileges, along with the removal of unneeded privileges, you can reduce your container attack surface. Whitelist files and executables are yet another way to implement vulnerability management in your containers because whitelisting limits what each container is allowed to access or run.
Scan for vulnerabilities
Scanning for new vulnerabilities on a continuous basis is probably the most important step you can take when implementing a vulnerability management strategy because new vulnerabilities are constantly being discovered. By incorporating vulnerability scanning that’s implemented throughout your entire container lifecycle, you can ensure that you catch these new vulnerabilities.
Map image vulnerabilities to running containers
When an image vulnerability is identified, it needs to be mapped to any running containers. Doing so ensures that you can more easily mitigate any security issues that arise
Use only approved images and registries
Deploying tools and processes that ensure your organization only uses approved container images allows you to monitor for, and prevent, the use of unapproved container images that can introduce vulnerabilities into your development and container environment. By leveraging image signing or fingerprinting, you can create a chain of custody that you can rely on to verify the integrity of your containers.
In addition to only allowing approved images, you should also be sure that you only use approved container registries in your environment. By requiring the use of approved container registries only, you can mitigate the possibility of introducing unknown vulnerabilities or security issues into your environment.
Enforce least privileges in runtime
A widely accepted security best practice is the concept of least privileges. This concept of least privileges applies to not only file shares and servers, but also to containers. Generally speaking, when a vulnerability is exploited, the attacker will usually assume access and privileges that are equal to that of the compromised application or process. Locking things down with the least privileges helps ensure that your containers will, in turn, operate with the lowest privileges and access that is required to get the job done. This, as you might have guessed, further limits exposure to trouble.
Similarly, you should also remove any unused or unneeded processes or privileges from the container runtime in order to further reduce the container attack surface.
Whitelist files and executables
Whitelisting files and executables helps maintain a stable environment. Doing so ensures that your containers can access and run only preapproved (e.g., whitelisted) files and executables. In addition to helping maintain a stable environment, whitelisting also helps you limit your exposure to risk.
Summary
Let’s recap. By continuously scanning for new vulnerabilities, you can identify issues before they become major problems. Image vulnerabilities that you identify should be mapped to running containers so that you can more easily mitigate any security issues that arise. Preventing the use of unapproved container images helps prevent you from introducing vulnerabilities into your development and container environment, as does requiring the use of approved container registries only.
Locking things down with least privileges helps ensure that your containers operate with the lowest privileges and access that are required to get the job done. Doing so further limits exposure to trouble. You should also remove unused and unneeded processes or privileges from container runtimes.
Lastly, whitelisting files and executables limits what each container is allowed to access or run.
By following these five recommendations, you can help ensure a more stable environment, while limiting exposure of your containers to threats.
