Presented by Orca Security
Modern architectures like containers and Kubernetes offer both huge benefits and unique challenges. In this VB Spotlight, learn how to keep your applications secure throughout the dev cycle, the tools and platforms essential for stronger security and compliance and more!
By 2027, 90% of global organizations will be running containerized applications in production — an Olympic-sized jump from less than 40% in 2021. Containers are far more lightweight than virtual machines (VMs), letting developers virtualize at the operating system (OS) level, while orchestrators like Kubernetes run containers at scale. Software can be developed and deployed faster and more efficiently, at greater scale, but they also offer brand new challenges in every step of the development cycle. Best practices for building and running secure containers are emerging, from secure base images to patching vulnerabilities to secrets management and more.
In this VB Spotlight event, industry experts Neil Carpenter, principal technical evangelist at Orca Security and Jason Patterson, senior partner solutions architect with Amazon Web Services discuss why security and development have to go hand-in-hand in a containers-and-Kubernetes world, how to make that dream come true with the ideal DevSecOps journey, and more.
The security challenges of containers and Kubernetes
Containers are processes running on a Linux machine, contained through the kernel (far different from the traditional VM, Patterson explains, which runs within the operating system of the host machine).
“They started to use this technology within containers to segment out processes within the OS to protect them,” he explains. “As they started to develop this technology, they implemented other kernel controls, such as cgroups, and then they also implemented namespaces. It’s a way of locking down a process and restricting it within the operating system.”
But security challenges in containers and Kubernetes are very similar to old-school VM security issues, Carpenter says. If there’s a remote code execution vulnerability in Tomcat, it doesn’t matter if it’s running on VMs in the data center or on AWS — an attacker can execute code, maintain persistence and more.
“What is foundationally different is how I find that vulnerability,” he explains. “We have to go through this whole continuous integration, continuous delivery, CICD process where we build the image, test the image, ship the image and deploy the containers based on it.”
That means the same problems require different approaches, different solutions, even different constituencies involved. But traditional vulnerability management tools and security tools don’t work well with containers, making it much harder to manage vulnerabilities in production.
Every container is a copy of an underlying image, and if there are one hundred running containers with a remote code execution vulnerability, security can’t simply go patch all those containers. It requires IT to step in and fix the underlying image, then retest and reship it, as well as redeploy all the containers based on top of it.
Why security needs to embrace a DevOps approach
DevOps, which is heavily focused on automation, has significantly accelerated development and delivery processes, making the production cycle lightning fast, leaving traditional security methods lagging behind, Carpenter says.
“From a security perspective, the only way we get ahead of that is if we become part of that process,” he says. “Instead of checking everything at the point it’s deployed or after deployment, applying our policies, looking for problems, we embed that into the delivery pipeline and start checking security policy in an automated fashion at the time somebody writes source code, or the time they build a container image or ship that container image, in the same way developers today are very used to, in their pipelines.”
It’s “shift left security,” or taking security policies and automating them in the pipeline to unearth problems before they get to production. It has the advantage of speeding up security testing and enables security teams to keep up with the efficient DevOps teams.
“The more things we can fix early, the less we have to worry about in production and the more we can find new, emerging issues, more important issues, and we can deal with higher order problems inside the security team,” he says.
It’s not a linear process, he adds, because it’s a matter of continuously refining and fixing.
Automating security in CICD pipelines
You can build in security from the very start, Patterson says, ensuring that the file figuration is secure. That includes not running as root, which can give attackers access to root on the running machine; ensuring there are no world writable files, because even with restricted privileges, an attacker could still execute privilege escalation.
The base image is the foundation to build upon for source code, additional apps or changes to the operating system, to ensure the application will execute within the Kubernetes environment.
“That base image is key to making sure that you’re deploying the least amount of data, least amount of services and libraries that you need to execute your application,” he explains. “You want to use a base image that is designed for containers, that is stripped down, and has just the bare minimum in it. Then you want to make sure, that you’re looking for SUID programs or other world writable programs and stuff like that.”
You can use custom checks to make sure that the container image doesn’t have vulnerable libraries, or that the application’s source code is not vulnerable.
“As you go through the code commits to your code repository, your code build is going to pull down and develop that image or compile that image and push it to an ECR container registry,” he says. “That’s when, typically, in the Amazon world, you’ll start doing the scanning, looking for vulnerabilities, and detecting issues with the container. When you use tools like Orca, you can get involved a little sooner in that process and take additional steps in that process to help secure your containers.”
For a granular look at container and Kubernetes security, from overcoming common challenges like misconfigurations and secrets management to best practices for building a secure environment, establishing collaboration between IT and security, and more, don’t miss this VB Spotlight.
- Security measures for every stage of the application development lifecycle
- Best practices for building and running secure containers — from secure base images to patching vulnerabilities to secrets management
- IaC scanning to detect misconfigurations in Dockerfiles and Kubernetes deployment YAMLs
- What an ideal DevSecOps journey should look like
- The tools and platforms that support stronger security and compliance
- Neil Carpenter, Principal Technical Evangelist, Orca Security
- Jason Patterson, Sr. Partner Solutions Architect, Amazon Web Services
- Louis Columbus, Moderator, VentureBeat