Organizations face numerous primary threats and security concerns when it comes to their container environments. Those issues extend into their build environment, an area which organizations need to protect because it’s usually the least secure aspect of their container infrastructure. They also extend into other areas, including inside the containers themselves.
Acknowledging that exposure, organizations should test the code and supplementary components that will execute within containers. Various security features for the software supply chain have arisen since 2017. So too have third-party vendors begun helping to validate container content before and after deployment. These outside tools supplement the process controls and digital signing services offered by base container management platforms with different types of capabilities like static code analysis and known malware signature checks.
Here are six methods in particular that organizations need to make sure they incorporate into their container security testing and validation processes.
Container Validation and Security TestingOrganizations must refrain from running container processes as root, as doing so would provide attackers all-too-easy access to the underlying kernel. They could then leverage that access as a direct path to target other containers and the Docker engine itself. To prevent these threats, companies should use specific ID mappings with restricted permissions for each container class. This will be an ongoing process, as roles and permissions do change over time.
Security Unit TestsUnit tests are a useful tool for container security. Organizations can run them against specific modules of code without needing to build the entire product for every test case. Overtime, they can help prevent vulnerabilities from creeping into the containers’ code, especially if those tests are implemented during the build process.
Code AnalysisCompanies should implement some form of code scanning to make sure the code inside the containers are secure. They can do (Read more...)