Over the last couple of years, the rise in software supply chain attacks has increased container security risks - and heightened the need for organizations to deploy controls for managing and mitigating those risks.
As containers have become fundamental to modern software development and deployment, it is vital to secure them, said Patrick Tiquet, vice president for security and architecture at Keeper Security.
Here are five essential best practices - and recommendations for modern application security tooling - to lock down your organization's containers and ensure secure software releases.
Kong Yew Chan, director of product management, container security at Qualys, said encryption keys should be secured with external key management, so that only authorized individuals can retrieve the encryption key to encrypt or decrypt the sensitive data.
KC Berg, chief architect at the API security testing firm StackHawk, said administrators should treat all containers as if they contain personally identifiable information.
StackHawk's Berg said other measures organizations can take to maintain visibility into dependencies in container environments include enabling container scanning in the Docker registry, running a container registry as a cache and then scanning third-party containers, scanning containers for vulnerable packages on every pull request, and using vulnerability-testing tools.
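One concrete form of "scanning containers for vulnerable packages on every pull request" is a merge gate that reads the scanner's report and decides whether the PR may land. The script below is an added example written for this page; it is not StackHawk's or any vendor's code. It assumes a report in the shape of Trivy's JSON output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity), and the embedded sample report is constructed: its CVE identifiers are placeholders, not real advisories. The policy it applies is the one practitioners usually want: fail on HIGH and above, treat findings with no fix available as advisory so they do not block every build, and let a documented allowlist override individual IDs.

```python
"""Merge gate over a container image vulnerability report (added example).

Report shape follows Trivy's JSON output; the sample below is constructed
and its vulnerability IDs are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (Trivy JSON layout, SchemaVersion 2).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/app:pr-123",
    "Results": [
        {
            "Target": "registry.example.internal/app:pr-123 (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.2.0-1", "FixedVersion": "1.2.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "3.1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
})


def findings(report):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each with its target."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return out


def evaluate(report_json, fail_on="HIGH", ignore_unfixed=True, allowlist=None):
    """Apply the merge policy and return blocking/advisory/allowlisted findings.

    - Findings at or above `fail_on` severity block the merge.
    - With ignore_unfixed=True a blocking finding that has no FixedVersion is
      downgraded to advisory: the PR author has nothing to upgrade to, so it is
      tracked instead of failing every build until the distro ships a fix.
    - allowlist maps a vulnerability ID to a written justification; allowlisted
      findings are reported but never block.
    """
    allowlist = allowlist or {}
    threshold = SEVERITY_RANK[fail_on.upper()]
    verdict = {"blocking": [], "advisory": [], "allowlisted": []}
    for f in findings(json.loads(report_json)):
        if f["id"] in allowlist:
            f["justification"] = allowlist[f["id"]]
            verdict["allowlisted"].append(f)
        elif SEVERITY_RANK.get(f["severity"], 0) < threshold:
            verdict["advisory"].append(f)
        elif ignore_unfixed and not f["fixed"]:
            verdict["advisory"].append(f)
        else:
            verdict["blocking"].append(f)
    return verdict


def main(argv):
    """Usage: gate.py [report.json]; exit 1 when anything blocks the merge."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(report_json, fail_on="HIGH", ignore_unfixed=True)
    for bucket, items in verdict.items():
        for f in items:
            fix = f["fixed"] or "no fix available"
            print(f"[{bucket}] {f['severity']:<8} {f['id']} {f['pkg']} "
                  f"{f['installed']} -> {fix} ({f['target']})")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the PR job after the scanner has written its JSON (for Trivy, `trivy image --format json --output report.json <image>`), and make the job's exit status the merge check. Keeping the allowlist in the repository with a justification per ID gives reviewers a diff to approve whenever someone tries to silence a finding.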
Control supply chain risks in container ecosystems

Vulnerabilities in the software supply chain pose a major security risk in container environments.
It's also a good idea to deploy container runtime security tools such as binary analysis to detect configuration drifts and malicious threats in the runtime environments, Chan said.
Tam pointed to a recent survey that Tigera conducted of more than 1,200 users who are actively using Calico open-source networking and security tools in their container and Kubernetes environments.
Rethinking container security requires the right tools

Build pipeline attacks are on the rise, and software supply chain security is front and center.
To ensure container security, you need to know if someone has changed or introduced malware in your container images - just like your code.
Choosing the right tool to run within the container to monitor for compromise and evaluate the current security posture is critical.
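The runtime drift detection Chan mentions above, and the "know if someone has changed your image" requirement in the two paragraphs just before this one, both rest on the same mechanism: a trusted manifest of the image's files, compared against the live filesystem. The script below is an added example written for this page, not code from the article or from any vendor's product. It records a sha256 digest and permission mode per regular file, excludes paths that are expected to change at runtime (the exclusion list is an assumption; tune it to the image), and reports added, removed and modified files. The demo builds a constructed root filesystem in a temporary directory, baselines it, then simulates the kinds of changes an intruder makes: a config edit, a setuid bit added to a binary, and a new executable dropped in a system path.

```python
"""File-integrity baseline and drift check for a container rootfs (added example).

The sample filesystem is constructed in a temp directory so this runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile

# Paths expected to change at runtime; excluded from the baseline.
# Assumption for the example: adjust per image (writable volumes, caches, ...).
DEFAULT_EXCLUDES = ("proc", "sys", "dev", "run", "tmp", "var/tmp", "var/log")


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a regular file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Map every regular file under root (relative POSIX path) to its digest and mode.

    Mode is recorded so that a permission change (e.g. a setuid bit appearing on
    a binary) is caught even when the file contents are unchanged.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded trees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in excludes]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = {"sha256": file_digest(full),
                             "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def diff_manifest(baseline, current):
    """Classify drift between the trusted baseline and the live filesystem."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for path in sorted(set(baseline) & set(current)):
        b, c = baseline[path], current[path]
        if b["sha256"] != c["sha256"]:
            modified.append((path, "content"))
        elif b["mode"] != c["mode"]:
            modified.append((path, "mode %o -> %o" % (b["mode"], c["mode"])))
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed rootfs: baseline it, tamper with it, return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, mode)

        write("etc/app/config.yaml", b"listen: 127.0.0.1:8080\n")
        write("usr/local/bin/app", b"#!/bin/sh\necho app\n", 0o755)
        write("var/log/app.log", b"started\n")
        # Round-trip through JSON: in practice the baseline is stored next to the
        # image digest at build time and shipped to the runtime checker.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulated post-compromise changes (constructed for the example).
        write("etc/app/config.yaml", b"listen: 0.0.0.0:8080\n")    # config rewritten
        os.chmod(os.path.join(root, "usr/local/bin/app"), 0o4755)  # setuid bit added
        write("usr/local/bin/.cache", b"#!/bin/sh\n", 0o755)        # unexpected new executable
        write("var/log/app.log", b"started\nrequest\n")             # excluded path: no alert
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline comes from the image layers, which are read-only and immutable by digest, and the comparison runs against the container's merged root filesystem on a schedule or on demand; mounted volumes and the excluded runtime paths are the part that needs judgement, since baselining them produces noise and excluding too much blinds the check.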
Lisa Azevedo, CEO of container security firm Containn, said one big limitation with many current container security products and services is that they are reactive, designed to detect after-the-fact security vulnerabilities.
Many container security products allow organizations to scan for and detect known security issues but do little to prevent them from happening in the first place.
Most tools, at best, allow organizations to get a point-in-time assessment of security vulnerabilities in the container environment, she said.
Currently available container security tools generally are good at detecting existing vulnerabilities, providing a remediation report, and pushing the work of fixing the issues back to the development team.
The key is to ensure container security by pushing it further left during the build process, Azevedo said.
Organizations should be thinking about how to implement container security at scale from the beginning and finding ways to maintain control of container deployments and state.
The focus should be on shrinking the attack surface while maintaining control of deployments and container state.
The goal is to be able to spin up containers that are standardized for specific environments and integrate security and compliance features such as those required under various industry regulations and national data security and privacy mandates.
Originally published on securityboulevard.com, Thu, 04 Jan 2024 02:43:04 +0000.