Containers are clearly appealing for companies and development teams who want to deliver and iterate on their software faster and more efficiently. This is achieved through more consistent, simple and repeatable deployments, rapid rollback, and simpler ways of orchestrating and scaling distributed applications.
The survey shows, however, that security is relevant to organizations looking to deploy containerized applications. Though the question is framed in terms of "concerns," we believe that security is relevant to containerization in both positive and negative senses: how do containers both introduce and solve common security challenges?
There are many myths about container security. Though there have been demonstrated exploits, for instance people breaking out of containers or attacking container daemons in various ways, we believe containers are a net benefit for security-minded organizations. Containerized applications offer us tens of different ways to introduce new security approaches, which reduce attack vectors and minimize attack surface areas.
Organizations need a lot of education, first to put some myths to bed, and then to learn how to achieve container security optimally.
There are many approaches that teams can bring to the table to maximize security in a containerized environment:
Least Privilege. By default, containers add layers of protection and sandboxing around a process. These protections ensure that processes are not allowed to interact with other processes, or the underlying host operating system, in any way other than those explicitly allowed. By default, container platforms are locked down, but additional restrictions can be applied at the time you start the daemon or container.
Reducing Attack Surface. Both containers and other pieces of the platform, such as the daemon or orchestrator, should also be configured with the minimal possible scope for attack.
Container Registry. Companies want to ensure that rogue, untested or unlicensed software is not entering the organization. To achieve this, companies will deploy an enterprise private registry as a central store of containers. These containers can then be validated, scanned, and configured with the proper access controls to ensure a single source of the truth.
Container Signing. Container orchestration platforms will integrate container signing mechanisms to ensure that we only run trusted code inside the organization's boundaries.
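As an added illustration of the Least Privilege and Reducing Attack Surface points above (not code from the original post), the sketch below audits container start-time settings for options that widen a container's privileges. It assumes Docker as the platform and reads records shaped like `docker inspect` output; the two sample records and the finding messages are constructed for this example.

```python
import json

# Constructed sample: trimmed `docker inspect`-style records (assumes Docker).
SAMPLE = json.loads("""
[
  {"Name": "/legacy-app",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": null,
                  "ReadonlyRootfs": false, "SecurityOpt": null,
                  "PidMode": "host", "NetworkMode": "bridge",
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
  {"Name": "/hardened-app",
   "Config": {"User": "10001:10001"},
   "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
                  "CapDrop": ["ALL"], "ReadonlyRootfs": true,
                  "SecurityOpt": ["no-new-privileges"],
                  "PidMode": "", "NetworkMode": "bridge", "Binds": null}}
]
""")

def audit(container):
    """Return the least-privilege findings for one inspect record."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode disables most isolation")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("default capabilities kept (no cap-drop ALL)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in opts):
        findings.append("no-new-privileges not set")
    for ns in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(ns) == "host":
            findings.append(f"{ns} shares the host namespace")
    if any(b.split(":")[0].endswith("docker.sock") for b in host.get("Binds") or []):
        findings.append("daemon socket mounted into the container")
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("process runs as root")
    return findings

def audit_all(containers):
    """Map container name to its list of findings (empty list means clean)."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

On a live host the same function can be fed the parsed output of `docker inspect` for the running containers in place of the constructed sample.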
The survey shows 88% of people have some concern about the security of containers. Hopefully, this short article has made the case that there are many myths leading to these concerns, and many options in how you deploy your container platform for adding security into your environment.
Want to learn more about DevSecOps?
This blog is one of seven in a series, providing expert commentary and analysis on the results from Sonatype's 2017 DevSecOps Community Survey. For access to all the blogs in this series and the survey report, please visit: www.Sonatype.com/2017survey.
Benjamin Wootton (@benjaminwootton) is the co-founder and CTO of Contino, and is a guest blogger for Sonatype's 2017 DevSecOps Community Survey.