With the increase in popularity of agile development and DevOps methodologies, containers have taken off as a way to create easily managed and reproducible software components.
Attackers have taken notice, however, and attempts to compromise containers are on the rise. When container management firm Sysdig put a cluster of containers online and exposed the application programming interface (API), for example, attackers found and exploited the open port in four days, installing Bitcoin mining software in a new container instance.
“It’s not surprising that Bitcoin mining is the thing the attacker tried to run,” Mark Stemm, a software engineer at Sysdig, wrote in an analysis. “[T]he dominant cost in mining bitcoins is CPU processing power. It helps your bottom line if the CPU costs are stolen and therefore zero!”
Containers have quickly become popular at companies, with a quarter of all firms using Docker containers, according to application-monitoring firm Datadog. The fast adoption of the software, however, has resulted in many misconfigured containers that are publicly accessible and insecure.
Research by container-software company Docker and cloud-security firm Twistlock that scanned a limited subset of the Internet, for example, found 1,000 exposed registries, of which only 10 percent were configured correctly while 60 percent were completely open to attack.
“There was a large number of even corporate IP spaces, that were publicly exposed [and] allowed write access,” John Morello, CTO of Twistlock, told eWEEK. “The attack was not an implant that tried to gain a foothold in the company’s network, but simply a way to monetize the compromise by forcing the victim to unknowingly run a coin miner on the attacker’s behalf.”
With attackers increasingly hunting for insecure containers in corporate cloud deployments, businesses need to take steps to make their infrastructure more secure. Here are five ways that businesses can better secure their containers and microservices.
1. Educate developers about security
Containers represent many of the ideals of the DevOps mentality. Developers not only write the code for applications, but also set the configurations that are used with software when deployed into production.
For that reason, developers need to understand a great deal more about security, orchestration and managing deployed software, according to Amir Jerbi, chief technology officer and co-founder of Aqua Security, a container security firm.
“Because developers are shifting left and having more responsibilities from the security perspective, sometimes the developers are not aware of bad security configurations—so they could package a Web server without SSL or ship a container with hardcoded passwords,” he said. “When you combine developers’ relative lack of experience with security, you create opportunity for the attackers.”
2. Use certified container images
Earlier this year, several security firms, including Fortinet, Kromtech, and Twistlock, detailed the discovery of a set of nearly 20 Docker images that would download and run mining software. Applications distributed as containers through centralized hubs can be a vector for malicious code or backdoors, much like malicious applications downloaded from public app stores.
Developers who pull only well-maintained, certified images from trusted publishers, and who pin those images by content digest rather than by a mutable tag, are far less exposed to such attacks. A trusted source does not remove the need to scan what is inside the image, however.
Moreover, Docker argued that the mining fears have to be put into context. While the images found by the security firms were downloaded more than 100,000 times and resulted in profits of more than $172,000 for the operators, it is unlikely that the attacker had fooled unwitting developers into downloading the containerized applications, said Banjot Chanana, vice president of product at Docker.
“The folks that are putting those container images out there in the public are not typically trying to trick people into downloading those images,” he said. “They are using the Docker hub as a way to distribute their own images, much in the same way as someone who puts code up in an S3 bucket.”
3. Check containers and software for vulnerabilities
A large security advantage of containers is that they allow you to package an environment and turn it into an immutable image. Any change produces a new image with a new digest, so companies always know exactly what is in the containers they run.
Combined with static analysis and software composition analysis, this immutability lets companies determine whether a container carries known-vulnerable components. Rather than rechecking each software component by hand, the image's list of packages can be recorded once and matched against a database of known vulnerabilities, and matched again whenever that database is updated.
“Historically, the configuration of the environment was an artifact that was a point in time—you knew the state of the application at the time you scanned it, but you didn’t know enough to use it later on,” said Twistlock’s Morello. “With containers, you really don’t have to rescan packages once you have done it, giving you a much more proactive approach to vulnerability scanning.”
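The workflow described above, as an added example that is not code from the article or from Docker, Twistlock or Aqua: a package inventory is extracted once per immutable image, stored by digest, and matched against a vulnerability feed. The inventory format mimics `dpkg-query -W -f='${Package} ${Version}\n'` run inside an image, but the package versions, the feed entries and the advisory labels are constructed sample data, not real advisories. Version ordering is a simplified dotted-numeric compare, not the full Debian or RPM algorithm, and the stored "digest" is a hash of the inventory text standing in for the registry's image digest.

```python
"""Match an image's package inventory against a known-vulnerability feed.

Added example, not from the article or any vendor's tooling. INVENTORY and
VULN_FEED are constructed sample data; advisory labels are placeholders.
"""
import hashlib
import re

# Constructed inventory for a hypothetical image; one "name version" per line,
# in the shape of `dpkg-query -W -f='${Package} ${Version}\\n'` output.
INVENTORY = """\
libssl1.1 1.1.0f-3
python3.6 3.6.5-3
curl 7.52.1-5
busybox 1.27.2-2
"""

# Constructed feed: (package, first fixed version, advisory label). All hypothetical.
VULN_FEED = [
    ("libssl1.1", "1.1.0h-1", "EXAMPLE-ADV-001"),
    ("curl", "7.52.1-6", "EXAMPLE-ADV-002"),
    ("python3.6", "3.6.4-1", "EXAMPLE-ADV-003"),  # inventory already carries the fix
]


def version_key(version):
    """Split '1.1.0f-3' into comparable pieces: digits numerically, letters lexically.
    Simplified ordering, not the full dpkg/rpm comparison."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def parse_inventory(text):
    """Turn 'name version' lines into {name: version}; blank and comment lines ignored."""
    packages = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        packages[fields[0]] = fields[1].strip()
    return packages


def find_vulnerable(packages, feed):
    """Return (package, installed, fixed_in, advisory) for every feed entry that
    names an installed package whose version is older than the fix."""
    findings = []
    for name, fixed_in, advisory in feed:
        installed = packages.get(name)
        if installed is not None and version_key(installed) < version_key(fixed_in):
            findings.append((name, installed, fixed_in, advisory))
    return findings


# Because an image is immutable, its inventory is extracted once and kept by
# digest; a new advisory is matched against the stored inventories without
# pulling or rescanning any image. Real digests come from the registry; here
# the hash of the inventory text stands in for one.
INVENTORY_STORE = {}


def record_image(inventory_text):
    digest = "sha256:" + hashlib.sha256(inventory_text.encode()).hexdigest()
    INVENTORY_STORE[digest] = parse_inventory(inventory_text)
    return digest


def rematch_all(feed):
    """Re-run matching for every stored image, e.g. after the feed is updated."""
    return {digest: find_vulnerable(pkgs, feed) for digest, pkgs in INVENTORY_STORE.items()}


if __name__ == "__main__":
    digest = record_image(INVENTORY)
    for finding in rematch_all(VULN_FEED)[digest]:
        print("%s %s < %s (%s)" % finding)
```

In a real pipeline the inventory would be generated by the scanner at build time and stored beside the image digest; `rematch_all` is what makes the approach proactive, since a feed update is answered by a lookup over stored inventories rather than a new scan of every image.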
4. Automate compliance checks
To create a security-focused DevOps pipeline, companies need to create automated checks that not only scan code, but also check for correct configurations. Deployment issues, such as those found by Docker and Twistlock, can leave containerized applications open to exploitation.
No wonder, then, that adding automated compliance checks is one of the best practices recommended by security firms. Creating a series of automated “security gates” where code and containers are checked for security and reliability issues can ensure that vulnerable applications are not deployed to production.
“Companies are now shifting to adding more security controls into the development and deployment pipeline,” said Aqua Security’s Jerbi. “As you’re shipping the container into production, there should be automatic checks around the security gate that will evaluate that all the components are fine, and no one has modified anything.”
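A security gate of the kind described in this section, written as an added example that is not code from the article or from any vendor's scanner. It checks a Dockerfile for the misconfigurations raised earlier on the page: a base image that is not from an approved registry or is not pinned by digest (section 2), a hardcoded password or token baked into an image layer (section 1), and a container that would run as root. The approved-registry prefix, both Dockerfiles and the secret value are constructed; the digest in GOOD_DOCKERFILE is the SHA-256 of the empty string, used only as a well-formed placeholder.

```python
"""Dockerfile security gate: fail the build on unapproved or unpinned base
images, hardcoded secrets, and missing non-root USER.

Added example; not the article's or any vendor's code. Registry path and
Dockerfiles are constructed.
"""
import re

APPROVED_PREFIX = "registry.example.com/approved/"   # hypothetical approved registry path
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)

# Constructed Dockerfile with the mistakes the article describes.
BAD_DOCKERFILE = """\
FROM python:3.6
ENV DB_PASSWORD=hunter2
ENV APP_ENV=production
RUN pip install flask
COPY . /app
CMD ["python", "/app/server.py"]
"""

# Constructed hardened version; the digest is SHA-256("") as a placeholder.
GOOD_DOCKERFILE = """\
FROM registry.example.com/approved/python@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ENV APP_ENV=production
RUN pip install flask
COPY . /app
USER 10001:10001
CMD ["python", "/app/server.py"]
"""


def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations and
    skipping blank and comment lines."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        buf = []
        yield start, instr.upper(), args.strip()


def env_pairs(args):
    """Handle both 'KEY=value KEY2=value2' and the legacy 'KEY value' forms."""
    tokens = args.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [t.partition("=")[::2] for t in tokens if "=" in t]
    return [(tokens[0], " ".join(tokens[1:]))]


def check_dockerfile(text):
    """Return a list of (line_no, rule, message); an empty list passes the gate."""
    findings = []
    nonroot_user = False
    for n, instr, args in instructions(text):
        if instr == "FROM":
            image = args.split()[0]              # drop any "AS stage" suffix
            if image.lower() == "scratch":
                continue
            if not image.startswith(APPROVED_PREFIX):
                findings.append((n, "unapproved-base", image + " is not from the approved registry"))
            if not DIGEST_RE.search(image):
                findings.append((n, "unpinned-base", image + " is not pinned by digest"))
        elif instr in ("ENV", "ARG"):
            for key, value in env_pairs(args):
                # A literal value in a secret-looking variable ends up in an image
                # layer; "$VAR" references are left to runtime injection.
                if SECRET_NAME_RE.search(key) and value and not value.startswith("$"):
                    findings.append((n, "hardcoded-secret", key + " has a literal value"))
        elif instr == "USER":
            if args.split(":")[0] not in ("root", "0"):
                nonroot_user = True
    if not nonroot_user:
        findings.append((0, "runs-as-root", "no USER instruction; container runs as root"))
    return findings


def gate(text):
    """True when the Dockerfile may proceed to the next pipeline stage."""
    return not check_dockerfile(text)


if __name__ == "__main__":
    for name, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, "PASS" if gate(df) else "FAIL")
        for line_no, rule, msg in check_dockerfile(df):
            print("  line %d [%s] %s" % (line_no, rule, msg))
```

Run as a CI step, a non-zero exit from `gate` stops the image from being pushed. The secret check only looks at variable names, so it is a tripwire rather than a guarantee; the digest check is what ties the build to one specific, already-scanned image instead of whatever a tag points at on the day of the build.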
5. Check runtime behavior
Finally, containerized applications are easier to monitor for anomalous behavior. Because an image declares exactly what software should be running, and a well-built container runs a small, fixed set of processes with the fewest privileges it needs, the expected behavior is narrow enough that deviations stand out.
When newer techniques such as data analysis and machine learning are added to the process, runtime anomaly detection can further secure containerized applications, said Twistlock's Morello.
“We can apply a lot more automation and machine learning to create a reference model for what is normal inside an application and be able to detect anomalies compared to that reference model, without having a human being create rules for the anomaly,” he said.
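The reference-model idea in this section, as an added example that is not code from the article or from Twistlock: a learning window of runtime events builds, per image, the set of processes executed, ports listened on and destinations connected to; afterwards any event outside that set is flagged without a human writing a rule for it. The events are constructed tuples such as a runtime sensor might emit; the image names, the process name "minerd" and the addresses (private and TEST-NET-2 ranges) are placeholders, not observed data.

```python
"""Runtime anomaly detection from a per-image reference model.

Added example, not code from the article or any vendor. BASELINE_EVENTS and
LIVE_EVENTS are constructed; names and addresses are placeholders.
"""
from collections import defaultdict

# Constructed learning-window events: (image, kind, value).
BASELINE_EVENTS = [
    ("api:1.4.2", "exec", "python3"),
    ("api:1.4.2", "exec", "gunicorn"),
    ("api:1.4.2", "exec", "python3"),
    ("api:1.4.2", "listen", "0.0.0.0:8080"),
    ("api:1.4.2", "connect", "10.0.1.20:5432"),
    ("api:1.4.2", "connect", "10.0.1.20:5432"),
]

# Constructed production events, including the kind of activity the article's
# incidents describe: a shell, an unknown binary and an unknown outbound peer.
LIVE_EVENTS = [
    ("api:1.4.2", "exec", "python3"),
    ("api:1.4.2", "connect", "10.0.1.20:5432"),
    ("api:1.4.2", "exec", "sh"),                    # interactive shell inside the container
    ("api:1.4.2", "exec", "minerd"),                # hypothetical miner binary name
    ("api:1.4.2", "connect", "198.51.100.7:3333"),  # outbound to an address never seen
    ("debug:latest", "exec", "sh"),                 # image that was never baselined
]

MIN_BASELINE_EVENTS = 5   # refuse to "learn" an image from too little traffic


def build_reference_model(events):
    """For each image, the set of values observed per event kind during the
    learning window. Keyed by image because every container started from the
    same immutable image is expected to behave the same way."""
    counts = defaultdict(int)
    model = defaultdict(lambda: defaultdict(set))
    for image, kind, value in events:
        counts[image] += 1
        model[image][kind].add(value)
    return {
        image: {kind: frozenset(values) for kind, values in kinds.items()}
        for image, kinds in model.items()
        if counts[image] >= MIN_BASELINE_EVENTS
    }


def detect_anomalies(model, events):
    """Return (image, kind, value, reason) for every event outside the model.
    An image with no model is itself reported rather than silently allowed."""
    anomalies = []
    for image, kind, value in events:
        known = model.get(image)
        if known is None:
            anomalies.append((image, kind, value, "no reference model for this image"))
        elif value not in known.get(kind, frozenset()):
            anomalies.append((image, kind, value, kind + " never seen during baseline"))
    return anomalies


if __name__ == "__main__":
    model = build_reference_model(BASELINE_EVENTS)
    for image, kind, value, reason in detect_anomalies(model, LIVE_EVENTS):
        print("%s: %s %s (%s)" % (image, kind, value, reason))
```

The model here is a plain set per event kind; a production system would learn frequencies and timing as well, and would tie the learning window to a specific image digest so that a rebuilt image gets a fresh baseline rather than inheriting an old one.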
Overall, if done properly, containers can be a significant security benefit for deploying applications. The steps are not complex: Check for vulnerabilities, automate security, and use verified software components for development.
In addition, just porting existing applications into containers will give many of the security benefits, said Docker’s Chanana.
“Continuous security is really the same kind of fundamental best practices that you have been using for decades,” he said. “None of that really changes with containers. It’s much less likely that someone will compromise your application with a zero-day and more likely that you are running an old version of Python with a two-year-old vulnerability in it.”