The allure of modern software architectures based on containers and microservices is their potential to enable business transformation efforts, but as with any new technology, security is a key barrier to widespread adoption. New tools and evolving software frameworks promise to tackle that hurdle.

Shifting from monolithic software to containerization is compelling because it enables agile development and runtime environments that aren't tied to specific hardware or platforms. Because containers are lightweight runtime environments that package an application with its dependencies and are decoupled from the underlying host, VM or cloud (they share the host kernel rather than carrying a full operating system), they pave the way for modern data architectures and more efficient systems and operations management.

Likewise, since an application can be decomposed into any number of containerized microservices that are invoked only as needed, developers can swap out an individual microservice without rebuilding the whole app or changing the infrastructure.

And because containers have no dependencies on specific infrastructure or clouds, these architectures offer more operational flexibility. Consequently, containers provide the baseline for IT and development groups to become markedly more agile in delivering services, which is the cornerstone of business transformation initiatives.

The market for application containers is forecast to reach $1.5 billion this year and is expected to grow to $2.6 billion by 2020, according to 451 Research. While that represents a small percentage of cloud-enabling software, application containers are the fastest-growing segment. Experts have found that especially remarkable, considering that the market first took shape five years ago when Docker open-sourced key components of its container runtime and gathered widespread industry support.

Coalescing Around Kubernetes

Now there's a common baseline for container management and security, with the industry coalescing around Kubernetes, the open-source orchestration system for automating the deployment, scaling and management of containerized software. Kubernetes was developed by Google and contributed to the open-source community three years ago. It is now maintained by the Cloud Native Computing Foundation (CNCF), which has joined forces with the Open Container Initiative (OCI), resulting in rapid, broad support across the software industry.

While Google Kubernetes Engine (GKE) has been around for some time, Amazon Web Services' Elastic Kubernetes Service (EKS) and Microsoft's Azure Kubernetes Service (AKS) became generally available last month. That widens the playing field, now that all three of the most widely used public clouds offer managed Kubernetes services.

It also enables various hybrid cloud management scenarios, such as Red Hat's OpenShift Container Platform, which is Kubernetes-based, and the Pivotal Container Service (PKS), which is built on the open-source Kubo distribution. Other container orchestration platforms, such as Mesosphere and Rancher, also support Kubernetes. The Kubernetes project itself ships numerous native tools, including the Dashboard, Kubefed and Minikube.

However, Docker's own orchestration tool, Swarm, is built on a different architecture and does not interoperate with Kubernetes. By most accounts, Docker, which introduced Swarm several years ago, was blindsided by the rapid and widespread industry support for Kubernetes. The Docker Engine is still a key component of container environments and is included in Windows Server 2016. Last year, a Docker update enabled its container engine to run in mixed Windows and Linux clusters. Docker also claims that 1 million new developers have started using its Windows and Mac desktop GUI.

Despite the shift to Kubernetes, Swarm still has a place among those using Docker’s tools. “Docker does not position it as an either-or decision that has to be made between Swarm and Kubernetes,” said Gartner analyst Tony Iams. “Swarm is a great way to get started with container orchestration and then you graduate to Kubernetes.”

Although some shops may start with Docker Swarm, the company has acknowledged that it needed to support Kubernetes-based orchestration and security. Docker Enterprise Edition 2.0, previewed last fall and released in April, now supports both Swarm and Kubernetes orchestration.

Security Improvements to Docker EE

The security improvements in Docker EE 2.0 include GUI-based workflows for role-based access control (RBAC), cluster and registry management, and secure application zones that isolate applications or teams on dedicated nodes within a single cluster.

The new Docker EE also provides a CNCF-conformant Kubernetes stack, including support for the native Kubernetes APIs and command-line interfaces (CLIs). At last month's DockerCon conference in San Francisco, the company demonstrated Federated Application Management for Docker EE with added security controls.

Pointing to the managed Kubernetes services from Amazon, Microsoft and Google, Docker officials said that rather than defining every security, access control and governance policy separately for each cloud provider and software distribution, customers can provision clusters with Docker EE. With the federated application management capability announced last month, customers can apply existing policies, or policies created within those environments, across clusters.

“In an era where everything is going to have a digital representation, security has to be a basic digital right, it has to be part of the software we build, we have to know everything about the applications that we’re running,” Docker CEO Steve Singh said during his keynote address at DockerCon, where container security was a key focus. “We have to provide tools that govern how data that we create is used, and security is woven in every element of the Docker platform, everything from the engine, all the way through the entire software supply chain. That’s our promise to you and that’s what’s going to guide our innovations.”

Gartner’s Iams said Docker had little choice but to jump on the Kubernetes bandwagon. “Docker needed to show that they can also add value with Kubernetes because the Kubernetes space is getting to be strategically quite significant and you have a number of players,” he said.

Many of these players are startups or relatively new providers, such as Aqua Security, Aporeto, JFrog, NeuVector, StackRox and Twistlock, which offer tools focused squarely on container security. Established security providers have also set their sights on securing containers, including Cisco, with its new Contiv offering, and Tenable, which last month added container protection capabilities to its Tenable.io security scanning suite. The container management providers mentioned above also offer various security capabilities, as do cloud operations management tools from AppFormix, Applatix, Apprenda, Cloud 66, DH2i, Kublr and Platform9, among others.

Gartner's Iams said that while the cloud platforms address many of these security concerns, these tools provide varying levels of integration and vulnerability scanning. "With all this new software that's being installed, whether it's there in the container runtime or within the orchestration system, all those have to be integrated with existing security such as whatever authentication mechanism you have in place like Active Directory," he said.

Following the Money

Investors, meanwhile, are betting big on container security. Among a number of Series B investments, Redpoint Ventures put $25 million into StackRox, Polaris Partners funded Twistlock with $17 million and Lightspeed Venture Partners pumped a $25 million round into Aqua.

Why are so many new providers focusing on container security, rather than leaving it to the incumbents? The first step toward securing containers begins with the developer, who must build security into the CI/CD process, according to Liz Rice, an evangelist at Aqua, a three-year-old startup that offers a platform of runtime controls for container-based environments. "That's a complete mind change from how things are in a traditional deployment," Rice said.

Also, containers are designed to run in heterogeneous environments, and there are more of them, often thousands. Each microservice has its own dependencies, meaning traditional security approaches such as patching and applying vulnerability updates to running systems aren't practical with these architectures, Rice explained. "If you have that model in your head when you think about dealing with these thousands of containers, it's just impossible," she said.

John Morello, Twistlock's CTO, agreed. While a traditional three-tier application running in virtual machines might have a single VM per tier, the far larger number of microservices and containers, which are often created and destroyed weekly or even daily, requires a different approach, he noted. This makes for a more dynamic environment, but that is the intent of the move to CI/CD.

“These challenges mean that security needs to be more dynamic and automated than traditional models that assumed static, human-generated policies and rules,” Morello said. The upside of containers, he added, is that they are minimal, declarative and more predictable than traditional monolithic approaches.

Consequently, security platforms for these environments observe and model normal behaviors and automatically detect anomalies with minimal human involvement, according to Morello. “When combined with a modern CI/CD software delivery process, they enable organizations to embed security much earlier in the app life cycle, preventing vulnerable apps from being deployed in the first place and fixing problems in development, where they’re much cheaper and safer to resolve,” he said.

Cloud Provider Container Security

Many of the capabilities needed to secure containers are built into the major public clouds and offered by managed service providers. A case in point is IBM Cloud, which offers vulnerability scanning of container images and configuration scanning for poorly configured software as part of its managed Kubernetes service.

"We do enforcement-based policy and we do image signing and enforcement," said Jason McGee, a VP and CTO of IBM Cloud. "That's all just built into the platform." But many solutions address applications that may run across multiple clouds, or offer specific capabilities such as runtime security or forensics. McGee said IBM has partnered with several of those providers, including Aqua, Sysdig, LogDNA, NeuVector and Twistlock.

IBM and NeuVector announced their alliance in March to offer, as an option, automated Kubernetes platform security with NeuVector's multi-vector container firewall. "There's a tremendous ecosystem of solutions from startups and large companies like that to solve different parts of the container operational environment and developer experience," McGee said. "Those tools work with IBM Cloud and they work with our Kubernetes services on premises."

NeuVector, best known among its customers and partners for its container firewall, recently announced extended security capabilities with the 2.0 release of its namesake product, adding incident response, enterprise access control, role-based management and registry scanning to its existing runtime security automation, container process monitoring and vulnerability scanning. "Before we were highly focused on the container firewall," said NeuVector CEO Fei Huang. "With NeuVector 2.0, we are offering much broader coverage with the end-to-end container security."

Many of these security players have aligned themselves with the major cloud providers as well as with those who offer container management solutions and various CI/CD tools. For example, Cloud 66, which offers a Kubernetes-based container deployment pipeline tool called Skycap, has customers who use container security solutions from Aqua, JFrog and Twistlock. Udi Nachmany, VP of business development at Cloud 66, describes those solutions as complementary.

"If you use our pipeline and go into Kubernetes, you can just plug Aqua's runtime security tool into your infrastructure," Nachmany said. The company is also the sponsor of a new open-source project called Habitus, which helps developers address the security and performance of Docker container images in the build stage.

For example, it's common for secrets to be embedded in a container image at build time, where they persist in the image layers; that image can then be sent to an unencrypted registry. "As a DevOps person or manager, you don't always have control of all those moving parts, so Habitus takes the secret out, and puts it in a sidecar that runs in the build network, and then the secret is injected once the image is finished," Nachmany said.

Habitus also minimizes the size of the image. "If you're creating an app and you don't need all of the build libraries in the runtime image, you can create a runtime image that's 10 percent of the original one, which obviously means it's much less vulnerable to attack," he said.
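The two build-stage problems Nachmany describes, secrets baked into image layers and build toolchains shipped to production, can also be avoided with plain Docker features. The Dockerfile below is an added example and is not Habitus's own code or configuration: it keeps a private-registry credential out of every layer by mounting it only for the one step that needs it, and it uses a multi-stage build so the runtime image contains just the compiled binary. It assumes a Go service at ./cmd/app that downloads private modules with a .netrc token, and a BuildKit-enabled Docker (the syntax directive on the first line turns on secret mounts); the image names, tags and paths are illustrative.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Anti-pattern, shown for contrast only (do not use) ----
# A credential copied into the image survives in the layer history even after
# a later `rm`, and the whole compiler toolchain ships with the app:
#
#   FROM golang:1.21
#   COPY .netrc /root/.netrc                              # secret becomes a layer
#   RUN go build -o /app ./cmd/app && rm /root/.netrc     # rm cannot erase that layer
#   CMD ["/app"]
#
# Anyone who can pull the image can recover the file with `docker save` + tar.

# ---- Build stage: the only stage that ever sees the credential ----
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
# The secret is mounted as a file for this single RUN step and is never written
# to a layer. It is supplied at build time (illustrative id and path):
#   docker build --secret id=netrc,src=$HOME/.netrc -t app:1.0 .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download
COPY . .
# Static, stripped binary so the runtime stage needs no libc or toolchain.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- Runtime stage: no compiler, no source tree, no credential ----
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
```

After `docker build --secret id=netrc,src=$HOME/.netrc -t app:1.0 .`, `docker history app:1.0` shows only the runtime stage's layers, none of which carries the credential, and the resulting image is the static binary on a distroless base rather than the full golang image, which is the kind of size reduction Nachmany refers to. The same pattern applies to any build that needs a token, key or password only while fetching dependencies.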

Bridging the Old and New

Organizations deploying these cloud-native, container-based environments often overlook APIs and identity, according to Jason Schmitt, CEO of Aporeto, one of the newer startups. The recent release of Aporeto Enterprise 2 assigns a contextual application identity to every component of an application or process. This secures microservices and cloud-native applications with API access control, runtime threat and vulnerability management, and identity management, according to the company. Schmitt says the product protects both traditional and microservice application architectures.

“The best way to think about us is essentially a workload security platform that spans Linux workloads all the way to cloud native,” Schmitt said. “We’re very centered on container workloads and infrastructure and can work natively in a Kubernetes environment. But we also provide similar sort of uniform policy across a heterogeneous environment so container workloads across multiple cloud and multiple clusters.”

Meanwhile, more established providers of larger IT security portfolios are also adding container scanning to their offerings. For example, an update rolling out to Tenable.io Container Security, which already scanned containers for vulnerabilities in the build and test process, will be able to scan those in production. It continues to scan new containers in its registry as they're put into production. The new release also offers connectors to Microsoft Azure and Google's GCP.

The Tenable.io Container Security update, announced last month, is set to roll out in stages by August with support for Kubernetes. The company added container security to Tenable.io with its late-2016 acquisition of FlawCheck, which started out with an offering that scanned Docker containers. Tony Bettini, the former CEO of FlawCheck and now senior director of software engineering at Tenable, said that integrating it with Nessus lets Tenable scan containers as part of the SDLC process and then validate that the containers running in production come from the same images that were scanned.

“This way we can detect containers that have been modified in production because of say a compromised container or some other type of hack or compromise,” Bettini said. “It also allows us to do much faster scanning because we can do the scanning without adversely affecting production environments by doing the scanning on the SDLC side.”