The National Institute of Standards and Technology, or NIST, recently issued the draft special publication, "Application...
Container Security Guide." What can DevOps engineers learn from the guide, and what should they know about mitigating the major risks of application containers?
DevOps engineers can learn about securing application containers using a container lifecycle guide from NIST that focuses on major container risks and countermeasures.
An application container lifecycle consists of three phases: creation and accreditation, core components, and deployment and management.
Registries and the orchestrator are the core components of container technologies. The orchestrator distributes the images from registries to the hosts for deployment. It also directs a host when to run and stop the application containers.
There are some risks to the core components, as well as some countermeasures for these risks. For instance, registries performing over insecure channels can cause service disruptions. One mitigation approach is to encrypt the connections to registries.
All unsafe, vulnerable, stale container images must be removed from the registries. New images must be tested for embedded malware. All images from external sources must be tested to see if they are trustworthy.
Another risk to application containers is that mixing container sensitivity levels can expose sensitive data to the public. For example, an orchestrator may place a container running a public-facing web server on the same host as one processing sensitive financial data. Container deployments should be isolated by sensitivity level.
A container runtime behaving maliciously in network traffic is another threat that may expose other container resources in the environment to further risk. One countermeasure is to root out unexpected traffic flows to dangerous destinations.
Not to be overlooked, the container-specific operating systems are not optimized to support multiple users. A user could log on directly to hosts and manage containers rather than going through an orchestration layer. A tool should be used to identify legitimate users logging on to a host directly, and it should assign proper access rights to these users.
While these are only a few risks and fixes, the NIST guide should help DevOps and security administrators meet the challenges with application container security head on.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how DevOps application lifecycle management protects digital keys
Find out everything you need to know to buy the best application lifecycle management tools
Check out NIST's guidance on lightweight cryptography
Dig Deeper on Virtualization security issues and threats
Related Q&A from Judith Myerson
Air-gapped computers subject to PowerHammer attack: Proof-of-concept attack enables data exfiltration through control of current flow over power ... Continue Reading
Bastille researchers created the SirenJack proof of concept to show how a vulnerability could put San Francisco's emergency warning system at risk. ... Continue Reading
A QR code vulnerability was recently discovered in the Apple iOS 11 camera app. Learn how an attacker could exploit it and how to avoid the issue ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.