.jpg)
Tips for securing container deployments
Friday, September 1, 2017
|
Richard Harris |
Containerized DBaaS security tips for developers looking to make sure their deployments aren't vulnerable to hackers.
Container deployments are still susceptible to the regular threats that other types of deployments are - including DDoS and cross-site scripting attacks. In fact, hackers often take advantage of compromised containers to scan sensitive data, download malware, or privilegeunauthorized access to any of your containers, hosts or data centers.
Fei Huang is the CEO of NeuVector, a company that delivers continuous network security for containers. We sat down to have a chat about containerized security to help developers step up their deployment security.
Huang: From a security perspective, container deployments are vulnerable to the same threats that are present with virtualized or single OS server environments - plus a few others that are unique to containers. These include application-level DDoS and cross-site scripting attacks on public facing containers, attacks taking advantage of compromised containers to download extra malware or scan internal systems for weaknesses and sensitive data, and container breakouts that allow unauthorized access across containers, hosts or data centers. Attackers may also attempt to force a container to use up system resources in order to slow or crash other containers, use unsecure applications to do the same, or live patch applications to introduce malicious processes.
Specific to containers, application exploits such as SQL injection attacks can allow attackers to control and steal data. Vulnerabilities in container base images also present various dangers: the "Bash Bug" (also called ShellShock) can allow hackers to run their own code inside a container. The SSL Heartbleed bug can cause a container memory leak that attackers can analyze. The glibc stack-based buffer overflow or similar methods allow hackers to use man-in-the-middle attacks to gain control. Any unpatched zero-day container attack exploiting new vulnerabilities represents a threat -- these are just some examples of why continuous container security is so critical.
Huang: Applications that are developed over the course of a few months often then run for years, sometimes across millions of instances. Considering this reality, it's clear that run-time security should be a continuous concern for enterprises, from the start of production and for as long as the application is in use.
The biggest challenge today in securing containers is the fact that you can't secure what you can't see. Enterprises need the ability to monitor all container traffic to detect and address suspicious connections, especially within internal east-west traffic between containers (which has now skyrocketed in volume). However, tools that provide this visibility are hard to come by. Most enterprises lack the capabilities to properly monitor the container environment, or to recognize when containers are indeed receiving connections generated by attackers. At the same time, enterprises that cannot monitor container activity in real-time can find themselves helpless to secure the critical vulnerabilities in the open source software solutions their applications depend on.
Huang: Containers are virtualized application services which can be dynamically scaled across hosts and clouds. Securing containers without application intelligence is virtually impossible, and manually monitoring and updating policies as containers scale up and down is error prone. For effective container security, it's necessary to have measures in place that detect application threats, prevent unauthorized connections, and identify any and all run-time containers that have app vulnerabilities. At run-time, deep-packet inspection (DPI) can identify application protocols and payloads to make sure only authorized connections are reaching containers.
Huang: Using code-scanning tools and vulnerability analysis will ensure security issues are not introduced during development. Also, the use of open source software should be carefully analyzed to make sure new vulnerabilities are not added.
Visibility into application behavior over the network is important throughout development, both to debug applications during testing and to recognize issues once in production. Developers should clearly define the expected behavior for applications and properly identify key services, dependencies and resources required. Understanding how attackers will attempt to exploit their code will help developers anticipate potential vulnerabilities and build in precautions. The declarative process for building and deploying containers helps connect developer expectations with security requirements for the DevOps team.
Huang: Prior to production, developers can take steps to prepare more secure container-based applications. Developers should begin by scanning their code with security tools and reducing attack surfaces by removing any modules and files that aren't necessary. Containers should be scanned for vulnerabilities in all registries, and container images should undergo integrity checks and be digitally signed when built.
Appropriate access controls should be established and secrets protected by a secrets management system. The container platform and run-time environment must also be secured - Docker users will find its best practices guide useful. Developers can help security teams by following best practices for DevOps to prepare for deployment.
Huang: Since containers are a newer technology and enterprise security tools for containers are not well-known, enterprises are often tempted to settle for traditional security solutions meant to provide barriers against static threats -- without knowing the risks they are taking. Given the dynamic nature of the container environment, the ability to detect active threats at run-time is essential to effective security.
Traditionally, it hasn't been necessary to monitor and secure lateral (internal) east-west traffic, but, because containers are used in microservices-based architectures, this traffic is vastly increased and requires attention. Attacks will most often include telltale communications - downloading malware, scanning for vulnerabilities, attempting to infect other containers or hosts, etc. - that can give away their existence and signal the danger they pose.
Running containers should also be isolated or segmented into the minimum necessary working zone for the service or application. Beyond this, a thorough understanding of normal application behavior and a security policy designed to support authorized actions makes it possible to curtail abnormal behavior and shut off unauthorized access (when teamed with monitoring that can recognize attacks in real-time).
Huang: NeuVector secures containers in run-time production environments through a novel approach: utilizing behavioral learning to automatically apply security policies with no configuration required. Our solution is itself a container, making it simple to deploy to existing container environments.
NeuVector fully isolates container traffic with application layer segmentation, and will proactively and automatically detect and block abnormal connections before attacks can manifest. In this way, NeuVector views all network traffic and correlates it with appropriate application behavior, blocking only threats and policy violations while ensuring that good traffic is unaffected.
The solution provides runtime vulnerability scanning across all running containers and hosts. Should a vulnerability be exploited in a host or container, suspicious activity such as root escalations and the start of unusual processes will be detected immediately.
NeuVector also help to audit security settings for compliance with internal or industry standard security compliance requirements. The Docker Bench security tests and Kubernetes CIS benchmarks are automatically run on every host to report the results of over 100 security tests.
Huang: Recently, NeuVector broke new ground in the container security field as the first provider to implement distributed security auditing for Kubernetes 1.6 deployments. This followed the release of the Center for Internet Security's Kubernetes CIS Benchmark for Kubernetes 1.6 security auditing. This benchmark includes over 100 recommendations, and NeuVector now provides simple open source tools enterprises can use to check if their deployments are in compliance. At the same time, developers using NeuVector now have both Docker and Kubernetes CIS Benchmark auditing and compliance testing to evaluate the security of images, host systems, and orchestration services used. Looking forward, we plan to continue making it as easy as possible for developers to follow best practices for container security and meet stringent compliance standards.
Huang: The advantages of bringing containers into the application development and deployment process will only increase as the field matures - and the resulting need for effective container security will only become more pronounced. Given the nature of containers, security must become a key consideration from the very beginning of the development process, from infrastructure planning and all the way through to the run-time environment. Developers will play an increasingly important role in defining the expected behavior and characteristics of applications so they can be better secured. But attackers will continue to evolve their methods as well, making continuous container security of this nature a necessity as the usage of containers evolves.
Fei Huang is the CEO of NeuVector, a company that delivers continuous network security for containers. We sat down to have a chat about containerized security to help developers step up their deployment security.
ADM: For applications that utilize containers, what are some of the biggest security threats?
Huang: From a security perspective, container deployments are vulnerable to the same threats that are present with virtualized or single OS server environments - plus a few others that are unique to containers. These include application-level DDoS and cross-site scripting attacks on public facing containers, attacks taking advantage of compromised containers to download extra malware or scan internal systems for weaknesses and sensitive data, and container breakouts that allow unauthorized access across containers, hosts or data centers. Attackers may also attempt to force a container to use up system resources in order to slow or crash other containers, use unsecure applications to do the same, or live patch applications to introduce malicious processes.
Specific to containers, application exploits such as SQL injection attacks can allow attackers to control and steal data. Vulnerabilities in container base images also present various dangers: the "Bash Bug" (also called ShellShock) can allow hackers to run their own code inside a container. The SSL Heartbleed bug can cause a container memory leak that attackers can analyze. The glibc stack-based buffer overflow or similar methods allow hackers to use man-in-the-middle attacks to gain control. Any unpatched zero-day container attack exploiting new vulnerabilities represents a threat -- these are just some examples of why continuous container security is so critical.
ADM: What are the biggest challenges to securing containers?
Huang: Applications that are developed over the course of a few months often then run for years, sometimes across millions of instances. Considering this reality, it's clear that run-time security should be a continuous concern for enterprises, from the start of production and for as long as the application is in use.
The biggest challenge today in securing containers is the fact that you can't secure what you can't see. Enterprises need the ability to monitor all container traffic to detect and address suspicious connections, especially within internal east-west traffic between containers (which has now skyrocketed in volume). However, tools that provide this visibility are hard to come by. Most enterprises lack the capabilities to properly monitor the container environment, or to recognize when containers are indeed receiving connections generated by attackers. At the same time, enterprises that cannot monitor container activity in real-time can find themselves helpless to secure the critical vulnerabilities in the open source software solutions their applications depend on.
ADM: Why is it important to have container security in place at the application layer?
Huang: Containers are virtualized application services which can be dynamically scaled across hosts and clouds. Securing containers without application intelligence is virtually impossible, and manually monitoring and updating policies as containers scale up and down is error prone. For effective container security, it's necessary to have measures in place that detect application threats, prevent unauthorized connections, and identify any and all run-time containers that have app vulnerabilities. At run-time, deep-packet inspection (DPI) can identify application protocols and payloads to make sure only authorized connections are reaching containers.
ADM: What security concerns should developers be aware of when beginning projects that leverage the advantages of containers?
Huang: Using code-scanning tools and vulnerability analysis will ensure security issues are not introduced during development. Also, the use of open source software should be carefully analyzed to make sure new vulnerabilities are not added.
Visibility into application behavior over the network is important throughout development, both to debug applications during testing and to recognize issues once in production. Developers should clearly define the expected behavior for applications and properly identify key services, dependencies and resources required. Understanding how attackers will attempt to exploit their code will help developers anticipate potential vulnerabilities and build in precautions. The declarative process for building and deploying containers helps connect developer expectations with security requirements for the DevOps team.
ADM: What are some container security best practices that developers ought to know and follow?
Huang: Prior to production, developers can take steps to prepare more secure container-based applications. Developers should begin by scanning their code with security tools and reducing attack surfaces by removing any modules and files that aren't necessary. Containers should be scanned for vulnerabilities in all registries, and container images should undergo integrity checks and be digitally signed when built.
Appropriate access controls should be established and secrets protected by a secrets management system. The container platform and run-time environment must also be secured - Docker users will find its best practices guide useful. Developers can help security teams by following best practices for DevOps to prepare for deployment.
ADM: How do run-time threat detection and real-time monitoring serve to protect containers from threats?
Huang: Since containers are a newer technology and enterprise security tools for containers are not well-known, enterprises are often tempted to settle for traditional security solutions meant to provide barriers against static threats -- without knowing the risks they are taking. Given the dynamic nature of the container environment, the ability to detect active threats at run-time is essential to effective security.
Traditionally, it hasn't been necessary to monitor and secure lateral (internal) east-west traffic, but, because containers are used in microservices-based architectures, this traffic is vastly increased and requires attention. Attacks will most often include telltale communications - downloading malware, scanning for vulnerabilities, attempting to infect other containers or hosts, etc. - that can give away their existence and signal the danger they pose.
Running containers should also be isolated or segmented into the minimum necessary working zone for the service or application. Beyond this, a thorough understanding of normal application behavior and a security policy designed to support authorized actions makes it possible to curtail abnormal behavior and shut off unauthorized access (when teamed with monitoring that can recognize attacks in real-time).
Fei Huang, CEO of NeuVector
ADM: How does NeuVector's container security solution protect applications, and how is it different from other approaches to container security?
Huang: NeuVector secures containers in run-time production environments through a novel approach: utilizing behavioral learning to automatically apply security policies with no configuration required. Our solution is itself a container, making it simple to deploy to existing container environments.
NeuVector fully isolates container traffic with application layer segmentation, and will proactively and automatically detect and block abnormal connections before attacks can manifest. In this way, NeuVector views all network traffic and correlates it with appropriate application behavior, blocking only threats and policy violations while ensuring that good traffic is unaffected.
The solution provides runtime vulnerability scanning across all running containers and hosts. Should a vulnerability be exploited in a host or container, suspicious activity such as root escalations and the start of unusual processes will be detected immediately.
NeuVector also help to audit security settings for compliance with internal or industry standard security compliance requirements. The Docker Bench security tests and Kubernetes CIS benchmarks are automatically run on every host to report the results of over 100 security tests.
ADM: What's NeuVector working on that we'll see in the near future?
Huang: Recently, NeuVector broke new ground in the container security field as the first provider to implement distributed security auditing for Kubernetes 1.6 deployments. This followed the release of the Center for Internet Security's Kubernetes CIS Benchmark for Kubernetes 1.6 security auditing. This benchmark includes over 100 recommendations, and NeuVector now provides simple open source tools enterprises can use to check if their deployments are in compliance. At the same time, developers using NeuVector now have both Docker and Kubernetes CIS Benchmark auditing and compliance testing to evaluate the security of images, host systems, and orchestration services used. Looking forward, we plan to continue making it as easy as possible for developers to follow best practices for container security and meet stringent compliance standards.
ADM: What trends do you see shaping development, the use of containers, and container security going forward?
Huang: The advantages of bringing containers into the application development and deployment process will only increase as the field matures - and the resulting need for effective container security will only become more pronounced. Given the nature of containers, security must become a key consideration from the very beginning of the development process, from infrastructure planning and all the way through to the run-time environment. Developers will play an increasingly important role in defining the expected behavior and characteristics of applications so they can be better secured. But attackers will continue to evolve their methods as well, making continuous container security of this nature a necessity as the usage of containers evolves.
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here
