It's not surprising that 60% of the IT security professionals in a recent survey have experienced security incidents with their container usage over the past year.
But it is somewhat surprising that 47% of those security professionals who manage environments with containers responded that they did deploy containers with known vulnerabilities. Maybe the promise of containers is too tempting for some IT professionals to resist. And a majority of them don't have the same IT resources as a large telco.
Tripwire, along with Dimensional Research, conducted a survey of 311 IT security professionals that manage environments with containers with a head count of more than 100 employees. The November survey also found that 94% of the respondents acknowledged they had concerns about container security.
Further, they think those container security woes will get worse, with 71% of the respondents expecting their security incidents to increase this year.
But none of those security problems are slowing down the rate of container deployments. A survey last month by Red Hat found container usage is expected to increase by 89% over the next two years.
"The biggest issues involve concerns around security and ease of use," according to a blog post by Red Hat's Margaret Dawson. "In addition, many IT leaders still have a knowledge gap about what containers are and are not. About half of those who responded said they aren’t sure if containers are secure, and only 42% said that containers are easy to set up.
"I think some of this confusion comes from container vendors and the market. Some would have you believe that all containers are created equal, and that all containers are inherently secure."
Because containers package only the minimum operating software needed to run an application, they can be more efficient than virtual machines when running multiple applications or workloads on the same operating system.
Thanks to Google, Microsoft and Amazon, the use of containers isn't exactly new, but the growing adoption of them by enterprises and service providers should be built on fundamentals. Vendors can do more to ease the security concerns around containers, while IT and engineering employees need to step up to the plate by going back to those fundamentals.
"Testing, testing, and more testing," said F5 Networks' Lori MacVittie, principal technical evangelist, in an email to FierceTelecom in regard to what needs to be done to make containers more secure. "Apps and images should be scanned for vulnerabilities as a part of the build process. Careful attention to networking and architecture, too, can help reduce the potential of exploitation through isolation and segmentation. Protections at the North/South, East/West boundary can help by enforcing real-time inspection of inbound traffic as can requiring authentication and authorization at an application and/or API level.
"Basically, restrict and inspect traffic inbound to the containerized environment and keep individual containers out of reach. And secure those administrative consoles, please!"
Robert Haynes, who also holds the title of principal technical evangelist at F5 Networks, responded in the same email that he wasn't particularly surprised by the results of the Tripwire survey.
"Containers represent not just a different platform, but frequently a different way of building applications or services and deploying them," he said. "Innovation and disruption are good for business, but often raise security concerns. With container management platforms like Kubernetes, for instance, you need to think about controls for the internal Kubernetes API using admission controllers so that compromised containers can’t run arbitrary commands on the Kubernetes control plane, such as starting a new container using an attacker’s image.
"In addition there will usually be a lot of east-west service-to-service traffic in container environments, but this might bring along with it vulnerabilities that weren’t exposed in more monolithic applications."
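The admission-controller check Haynes describes, as an added example that is not code from the article or from F5: the decision logic of a validating admission webhook that refuses Pods whose images come from an unapproved registry or are not pinned by digest. The registry allowlist and the sample AdmissionReview are constructed for the example.

```python
"""Validating-admission logic for Kubernetes Pods (added example).
Rejects containers whose image is not from an approved registry or is
not pinned by digest, so a compromised workload cannot start a new
container from an arbitrary image. Allowlist and sample are constructed."""
import json

# Constructed allowlist: only images from these registry prefixes may run.
APPROVED_REGISTRIES = ("registry.example.internal/", "gcr.io/my-team/")


def image_problems(image: str) -> list:
    """Return the policy violations for one image reference."""
    problems = []
    # Docker Hub short names ("nginx:1.25") carry no registry prefix, so
    # they fail this check too; only explicitly approved registries pass.
    if not image.startswith(APPROVED_REGISTRIES):
        problems.append("registry not approved")
    # Tags are mutable; a digest is what the build-time scanner actually vetted.
    if "@sha256:" not in image:
        problems.append("not pinned by digest")
    return problems


def check_pod(pod: dict) -> dict:
    """Map each offending image in a Pod spec (all container kinds) to its violations."""
    spec = pod.get("spec", {})
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    findings = {}
    for c in containers:
        image = c.get("image", "")
        problems = image_problems(image)
        if problems:
            findings[image] = problems
    return findings


def admit(review: dict) -> dict:
    """Build the AdmissionReview response for one request from the API server."""
    req = review["request"]
    findings = {}
    if req.get("kind", {}).get("kind") == "Pod" and req.get("operation") in ("CREATE", "UPDATE"):
        findings = check_pod(req.get("object", {}))
    response = {"uid": req["uid"], "allowed": not findings}
    if findings:
        detail = "; ".join(f"{img}: {', '.join(p)}" for img, p in findings.items())
        response["status"] = {"code": 403, "message": "image policy: " + detail}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed AdmissionReview, shaped like what the API server POSTs to a webhook.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "1234", "kind": {"group": "", "version": "v1", "kind": "Pod"},
                             "operation": "CREATE", "object": {"spec": {"containers": [
                                 {"name": "app", "image": "registry.example.internal/app@sha256:" + "a" * 64},
                                 {"name": "tool", "image": "docker.io/unvetted/tool:latest"}]}}}}

if __name__ == "__main__":
    print(json.dumps(admit(SAMPLE_REVIEW), indent=2))
```

In a real deployment this function sits behind the HTTPS endpoint named in a ValidatingWebhookConfiguration; the same policy can be expressed with policy engines, but the decision rule is the one shown here.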
One factor that Haynes cited was the speed of deployment that container solutions contribute to.
"In high-change environments that embrace continuous delivery, testing and security validation need to be automated into the build-deploy pipeline or fall by the wayside," he said. "Often applications running in containers make extensive use of libraries, but you need to be sure that the libraries you are using haven’t been compromised, such as the event-stream node.js library that was compromised in November 2018 and was subsequently downloaded 2 million times a week until the issue was discovered."
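One way to automate the dependency check Haynes calls for into a build pipeline, as an added example that is not code from the article or from F5: a gate that compares a freshly generated package-lock.json against the last reviewed one and flags new or changed packages, entries without an integrity hash, and downloads from an unexpected host. Both lockfiles, the package names and the hashes below are constructed and do not reproduce the event-stream incident's real artifacts.

```python
"""Lockfile gate for a build pipeline (added example). Surfaces dependency
drift between the reviewed and current package-lock.json so a newly
introduced or swapped library gets a human look before it ships.
Lockfiles, names and hashes are constructed."""
import json
from urllib.parse import urlparse

# Constructed policy: the only host packages may be fetched from.
APPROVED_HOSTS = {"registry.npmjs.org"}


def locked_packages(lock: dict) -> dict:
    """Map install path -> entry for lockfileVersion 2/3 'packages' maps,
    skipping the root project entry (key '')."""
    return {k: v for k, v in lock.get("packages", {}).items() if k}


def audit_lockfile(reviewed: dict, current: dict) -> list:
    """Return human-readable findings for the current lockfile, sorted by path."""
    old, new = locked_packages(reviewed), locked_packages(current)
    findings = []
    for path, entry in sorted(new.items()):
        name = path.rsplit("node_modules/", 1)[-1]   # works for nested and scoped paths
        if path not in old:
            findings.append(f"NEW dependency {name}@{entry.get('version')}")
        elif old[path].get("version") != entry.get("version"):
            findings.append(f"CHANGED {name}: {old[path].get('version')} -> {entry.get('version')}")
        if "integrity" not in entry:       # nothing for npm to verify the tarball against
            findings.append(f"NO INTEGRITY hash for {name}")
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in APPROVED_HOSTS:    # missing 'resolved' yields None and is flagged too
            findings.append(f"UNEXPECTED SOURCE for {name}: {entry.get('resolved')}")
    for path in old.keys() - new.keys():
        findings.append(f"REMOVED {path.rsplit('node_modules/', 1)[-1]}")
    return findings


# Constructed lockfiles: the reviewed one pins a single library; the current one
# bumps it and pulls in a new transitive package from an unapproved mirror.
REVIEWED_LOCK = {"lockfileVersion": 3, "packages": {"": {"name": "app"},
    "node_modules/example-stream": {"version": "3.3.4", "integrity": "sha512-CONSTRUCTED-A",
        "resolved": "https://registry.npmjs.org/example-stream/-/example-stream-3.3.4.tgz"}}}
CURRENT_LOCK = {"lockfileVersion": 3, "packages": {"": {"name": "app"},
    "node_modules/example-stream": {"version": "3.3.6", "integrity": "sha512-CONSTRUCTED-B",
        "resolved": "https://registry.npmjs.org/example-stream/-/example-stream-3.3.6.tgz"},
    "node_modules/added-helper": {"version": "0.1.1",
        "resolved": "https://mirror.example.net/added-helper-0.1.1.tgz"}}}

if __name__ == "__main__":
    print("\n".join(audit_lockfile(REVIEWED_LOCK, CURRENT_LOCK)) or "no findings")
```

A pipeline step would load the two files with json.load and fail the build when the list is non-empty, storing the newly reviewed lockfile as the next baseline once someone has signed off.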
There's no question development and operations teams' increasing use of containers to speed up the rate of software development and deployments has added complexity for security teams. But not everyone is overly concerned that security issues are a dire threat to the use of containers.
"Like any other modern software, following secure coding best practices including scanning, vulnerability detection and remediation and isolation is the new way of writing code," said Arpit Joshipura, general manager of networking and orchestration for The Linux Foundation. "Containers are no different and most modern software developers and DevOps processes have security built into the software lifecycles."