BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology


ebook

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS
With help from the National Institute of Standards and Technology

ORGANIZATIONS ARE LEVERAGING CONTAINERS on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, the security risks associated with containerized software delivery have become a critical topic in DevOps. This puts the spotlight on Operations teams to find security vulnerabilities in production environments without sacrificing the efficiency of containers.

MOVING SECURITY INTO PRODUCTION

Containers are enjoying widespread adoption, but as with many new technologies, there are concerns around security. According to Forrester Research, sixty-three percent of enterprises using containers have over 100 deployed, and 82% expect to have more than 100 containers deployed within the next two years. Nonetheless, 44% of those enterprises identify security as their top concern regarding container adoption, making it the most common hurdle to containerization.

Synopsys has been closely tracking the explosive growth of containers in the last couple of years. In 2017 the company launched Black Duck OpsSight, its first product focused on giving IT Operations teams visibility into their container images, thus helping prevent applications with open source vulnerabilities from deploying and running in production. While Black Duck Hub scans code for open source vulnerabilities as it moves through the SDLC, OpsSight allows IT Operations teams to gain control of open source security in production at enterprise scale.

Black Duck isn't the only organization to identify this trend. The National Institute of Standards and Technology (NIST) published the Application Container Security Guide in September 2017 to address the security risks associated with container adoption. Chances are, hackers are aware of the growing popularity of containers as well, which is why Black Duck compiled eight takeaways from NIST's report on container security to help you be proactive about vulnerabilities in your production environment. This guide is intended for the 80% of container users who believe they could be doing more to address container security.

EIGHT KEY POINTS FROM NIST'S REPORT ON CONTAINER SECURITY

1. AS THE USE OF CONTAINERS BECOMES BEST PRACTICE IN DEVOPS, EXISTING SOFTWARE DEVELOPMENT AND SECURITY METHODOLOGIES COULD BE DISRUPTED.

Organizations are adopting containers to accelerate software delivery, embrace flexibility in the production environment, and move to the cloud. NIST recommends that organizations "tailor their operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containerization." [1]

As an example, due to the immutable nature of containers, vulnerabilities found within those containers are not simply fixed or patched with the latest software update. Instead, the base images themselves should be updated and redeployed as new containers entirely. This is an important operational difference, which is why processes and tools may need to be adjusted. As NIST puts it: "Unlike traditional operational patterns in which deployed software is updated in the field on the hosts it runs on, with containers these updates must be made upstream in the images themselves, which are then redeployed." [2]

2. WHILE CONTAINERS HELP SPEED SOFTWARE DELIVERY, THEY POSE NEW RISKS TO APPLICATION SECURITY.

Containers package code with their software dependencies, eliminating the need for operations teams to reconfigure the infrastructure every time they deploy an application: containers are built once and can run anywhere. While NIST acknowledges these benefits of containers, it cautions: "when a container is compromised, it can be misused in many ways, such as granting unauthorized access to sensitive information or enabling attacks against other containers or the host OS." [3]

Just as traditional applications are vulnerable to hackers, containers can be breached. Container users hoping to protect passwords, customer data, and other sensitive information should understand that the security risks associated with containers can and should be controlled. The most effective and proactive way of doing that is by finding and removing vulnerabilities in base images. Of course, security does not stop at the base image. Container security tools should have visibility into vulnerabilities at all layers of the image: not just the base layer but also the application frameworks and custom software the organization is using. [4]

3. DEFINE A CONTAINER SECURITY STRATEGY AND UTILIZE A TOOL THAT CAN HELP YOU ENFORCE IT THROUGHOUT THE DEVOPS LIFECYCLE.

Organizations should adopt tools that validate and enforce compliance with container security policies. The most advanced tools enable this enforcement by providing a method to prevent containers with security vulnerabilities from being deployed. Organizations should use tools that include policy-driven enforcement; organizations should be able to "create quality gates at each stage of the build and deployment process to ensure that only images that meet the organization's vulnerability and configuration policies are allowed to progress." [5]

As an example, container users can set a policy to flag CVE-2017-5638, the Apache Struts vulnerability that caused the Equifax breach, and the tool automatically identifies images with that vulnerability and helps to prevent them from running in production.

4. THE LARGE-SCALE USE OF CONTAINERS IS NEW; SO ARE THE TOOLS TO MANAGE THEM.

As containers dramatically change application deployment, the associated security processes should also change, according to NIST. Teams cannot rely on traditional security tools that are not designed to manage the security risks associated with hundreds or thousands of containers. NIST reports: "traditional tools are often unable to detect vulnerabilities within containers, leading to a false sense of safety. Rather, adopt container-specific vulnerability management tools and processes for images to prevent compromises." [6] The institute warns, "traditional developmental practices, patching techniques, and system upgrade processes might not directly apply to a containerized environment." [7]

5. CONTAINERS SHOULD BE MONITORED CONTINUOUSLY BECAUSE NEW SECURITY VULNERABILITIES ARE BEING DISCOVERED EVERY DAY.

With hundreds or thousands of containers running at the same time, finding and remediating every newly discovered vulnerability in each container can be a challenge. As NIST notes, "an image created with fully up-to-date components may be free of known vulnerabilities for days or weeks after its creation, but at some time vulnerabilities will be discovered in one or more image components, and thus the image will no longer be up-to-date." [8]

To ensure containers are secure from newly reported vulnerabilities, NIST suggests organizations utilize a container-native security solution that can "monitor the container environment and provide precise detection of anomalous and malicious activity within it." [9] Container orchestrators are a good place to start. Orchestrators have the difficult task of running, stopping, terminating, and moving containers, so tools that are integrated with orchestrators can have access to every container. By integrating the security review process into container orchestration, organizations can ensure that every base image is being scanned and monitored.

6. ORGANIZATIONS SHOULD ENSURE THEIR APPROACH TO CONTAINER SECURITY SCALES TO THEIR CONTAINERIZED ENVIRONMENT.

Tools scale, people don't. It only takes one vulnerable container out of thousands to cause a breach, which is why organizations need visibility into every container image simultaneously. Traditional security solutions may not be able to "operate at the scale of containers, manage the rate of change in a container environment, and have visibility into container activity." [10] According to a survey by the Cloud Native Computing Foundation, 25% of companies who use containers in production are running over 1,000 containers at a time. Additionally, there has been a 200% increase in deployments of over 250 containers within the last year. The trend is clear: containers are beginning to do the heavy lifting for software deployment. Operations teams need security tools that can scale with their container usage to ensure every container is being scanned and monitored for vulnerabilities.

From the NIST guide, section 4.3.1, Vulnerabilities Within the Runtime Software:

"The container runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Common Vulnerabilities and Exposures (CVEs) vulnerabilities in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes."
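Points 3 and 5 above describe the same control from two angles: a policy-driven quality gate that denies images matching a blocklisted CVE (the Struts example) or exceeding a severity threshold, and the continuous re-evaluation of already-deployed images when the vulnerability feed changes, since an image that passed the gate last week may fail it today. The following is an added example that is not OpsSight, NIST or Black Duck code. It assumes a scanner has already produced a component inventory (package name and version) per image; the inventories, the severity labels, the placeholder CVE ids of the form CVE-0000-000x, and the affected-version bounds are constructed sample data, not real advisory data.

```python
"""Policy gate for container images, plus re-evaluation when the CVE feed changes.

Added example (not Black Duck / NIST code). Inventories, feed entries and
version bounds below are constructed for illustration.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints; non-numeric parts compare as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class Vuln:
    cve: str
    package: str      # affected component name
    fixed_in: tuple   # first version that is NOT affected (parsed)
    severity: str


@dataclass
class Policy:
    deny_cves: set = field(default_factory=set)  # explicit blocklist (e.g. the Struts CVE)
    max_severity: str = "HIGH"                   # deny at or above this severity


def find_vulns(inventory: dict, feed: list) -> list:
    """Match each feed entry against the image's component versions."""
    return [
        v for v in feed
        if v.package in inventory and parse_version(inventory[v.package]) < v.fixed_in
    ]


def evaluate(image: str, inventory: dict, feed: list, policy: Policy) -> dict:
    """Quality-gate decision for one image: allowed plus the reasons for a denial."""
    reasons = []
    for v in find_vulns(inventory, feed):
        ver = inventory[v.package]
        if v.cve in policy.deny_cves:
            reasons.append(f"{v.cve} explicitly denied ({v.package} {ver})")
        elif SEVERITY_RANK[v.severity] >= SEVERITY_RANK[policy.max_severity]:
            reasons.append(f"{v.cve} severity {v.severity} >= policy {policy.max_severity} ({v.package} {ver})")
    return {"image": image, "allowed": not reasons, "reasons": reasons}


def reevaluate_deployed(deployed: dict, feed: list, policy: Policy) -> dict:
    """Re-run the gate over stored inventories; the images did not change, the feed did."""
    return {img: evaluate(img, inv, feed, policy) for img, inv in deployed.items()}


def newly_denied(deployed: dict, old_feed: list, new_feed: list, policy: Policy) -> list:
    """Images that passed under the old feed but fail under the new one (the point-5 alert list)."""
    before = reevaluate_deployed(deployed, old_feed, policy)
    after = reevaluate_deployed(deployed, new_feed, policy)
    return [img for img in deployed if before[img]["allowed"] and not after[img]["allowed"]]


# --- constructed sample data ---------------------------------------------------
# CVE-2017-5638 is the Struts CVE named in the text; the fixed_in bound here is illustrative.
# CVE-0000-000x ids are placeholders, not real advisories.
FEED_DAY0 = [
    Vuln("CVE-2017-5638", "struts2-core", parse_version("2.3.32"), "CRITICAL"),
    Vuln("CVE-0000-0001", "libexample", parse_version("1.4.0"), "MEDIUM"),
]
# Next day the feed gains a HIGH finding in a library every image carries.
FEED_DAY1 = FEED_DAY0 + [Vuln("CVE-0000-0002", "openssl", parse_version("1.1.1"), "HIGH")]

IMAGES = {  # image -> scanner inventory (constructed)
    "web-frontend:1.0": {"struts2-core": "2.3.31", "openssl": "1.1.0"},
    "batch-worker:7": {"libexample": "1.3.9", "openssl": "1.1.0"},
    "api:2.2": {"openssl": "1.1.0"},
}
POLICY = Policy(deny_cves={"CVE-2017-5638"}, max_severity="HIGH")

if __name__ == "__main__":
    for decision in reevaluate_deployed(IMAGES, FEED_DAY0, POLICY).values():
        print("day 0:", decision)
    print("newly denied on day 1:", newly_denied(IMAGES, FEED_DAY0, FEED_DAY1, POLICY))
```

On day 0 only the Struts image is denied (the MEDIUM finding in batch-worker is below the HIGH threshold); on day 1 the new openssl entry pushes the other two images over the line without any image having changed, which is exactly why stored inventories must be re-matched against every feed update rather than scanned once at build time.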

7. GROUP CONTAINERS BASED ON SIMILAR SECURITY RISKS AND SET POLICIES TO PREVENT VULNERABLE CONTAINERS FROM ENTERING PRODUCTION.

NIST suggests organizations "group containers with the same purpose, sensitivity, and threat posture on a single host OS kernel to allow for additional defense in depth." [11] If containers are grouped together based on their security and purpose, hackers will have a harder time expanding a compromise to other container groups. Smart grouping makes a breach easier to detect and contain; this starts with understanding the security risks in each container. Organizations that have this visibility can make informed decisions about how to manage their containers.

While visibility is crucial to identifying vulnerable images, organizations can't be certain they catch every vulnerability unless they can set and enforce policies that prevent vulnerable containers from moving into production. NIST explains, "Detecting the vulnerable image early in the deployment process and having controls in place to prevent vulnerable images from being deployed would prevent the vulnerability from being introduced into production." [12]

8. AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE.

While Benjamin Franklin was certainly not referring to open source risk management, his wise words still apply. Be proactive about container security to prevent breaches before they happen. One of the most common threats to a containerized environment is "application-level vulnerabilities in the software within containers." [13] Organizations don't have to worry that their move to containers might sacrifice security for efficiency if they have an automated security solution that scales to their containers in production. With a tool that automatically scans containers for vulnerabilities and monitors them for new ones, IT Operations teams won't have to choose between speed and security.
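The grouping recommendation in point 7 is easy to state and easy to drift away from as an orchestrator schedules workloads wherever capacity is free. The check below is an added example, not code from the page or from any orchestrator: it treats each node as a shared-kernel boundary, audits an existing placement for nodes that mix sensitivity tiers, and gives the placement rule an admission form that refuses to put a workload on a node already hosting a different tier. The tier labels ("public", "internal", "payment") and the workload-to-node records are constructed for the example; in practice they would come from the orchestrator's own labels and scheduling data.

```python
"""Audit and enforce 'same sensitivity per host kernel' (NIST grouping recommendation).

Added example; workload records and tier names are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    node: str   # host whose kernel this container shares
    tier: str   # sensitivity tier label, assumed to be set by the deploying team


def tiers_by_node(workloads: list) -> dict:
    """Map each node to the set of sensitivity tiers currently running on it."""
    by_node = defaultdict(set)
    for w in workloads:
        by_node[w.node].add(w.tier)
    return by_node


def mixed_tier_nodes(workloads: list) -> dict:
    """Audit: nodes whose kernel is shared by more than one tier, with the tiers found."""
    return {
        node: sorted(tiers)
        for node, tiers in tiers_by_node(workloads).items()
        if len(tiers) > 1
    }


def admit(workload: Workload, existing: list) -> tuple:
    """Admission rule: a workload may join a node only if that node is empty
    or already dedicated to the workload's tier. Returns (allowed, reason)."""
    present = tiers_by_node(existing).get(workload.node, set())
    if present and present != {workload.tier}:
        others = ", ".join(sorted(present - {workload.tier}))
        return False, f"{workload.node} already hosts tier(s) {others}; {workload.tier} must not share its kernel"
    return True, "ok"


# Constructed placement: node-b mixes a payment-tier job with a public-facing one.
PLACEMENT = [
    Workload("shop-web", "node-a", "public"),
    Workload("shop-web-canary", "node-a", "public"),
    Workload("card-tokenizer", "node-b", "payment"),
    Workload("marketing-site", "node-b", "public"),
    Workload("report-builder", "node-c", "internal"),
]

if __name__ == "__main__":
    print("nodes mixing tiers:", mixed_tier_nodes(PLACEMENT))
    print(admit(Workload("ledger-api", "node-b", "payment"), PLACEMENT))
    print(admit(Workload("ledger-api", "node-c", "payment"), PLACEMENT))
```

The audit surfaces node-b as the place where a compromise of the public site would land on the same kernel as payment handling; the admission rule is what keeps such a node from appearing in the first place, and it is the form in which this policy belongs in a deployment gate rather than a periodic report.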

CHOOSE SPEED AND SECURITY

Like containers, organizations leverage open source software to accelerate software delivery. According to Black Duck's 2017 study on open source usage and security, 96% of applications utilized open source components, and 67% of those applications had open source security vulnerabilities. After the Equifax breach, IT Operations teams are in the hot seat to prevent these vulnerabilities from being deployed in their production environments. Those who apply NIST's recommendations to open source security in containers will be better suited to reap the benefits of containerization without worrying about open source risk.

With Black Duck's OpsSight, IT Operations teams can automatically scan their base images as they are sent into production and then continuously monitor them to flag newly reported open source vulnerabilities as they are discovered, allowing organizations' security review process to scale with their container usage. This enables IT Operations and DevOps teams to bake security into their production environment. OpsSight currently integrates with Kubernetes and Red Hat's OpenShift, container orchestrators that automate the complex process of organizing and managing containers. Orchestrators touch every container, so OpsSight's integration will help IT Operations teams rest easy, knowing that every image is being automatically scanned and monitored for open source vulnerabilities.

The reasons for adopting containers are clear: accelerated delivery, agility in production, and deployment in the cloud. However, as NIST points out, newfound efficiency shouldn't come at the cost of security; choose both with OpsSight.

ABOUT BLACK DUCK

Black Duck provides automated solutions for securing and managing open source software. With the rapid, widespread adoption of open source software, Black Duck is a key component of Synopsys Software Integrity Platform, the most comprehensive solution for integrating security into the SDLC and software supply chain. Additional information is available online, at www.blackducksoftware.com.

CONTACT

To learn more, please contact: sales@blackducksoftware.com or +1 781.891.5100

RESOURCES

[1] National Institute of Standards and Technology, Application Container Security Guide, p. iv; Executive Summary
[2] Ibid., p. 13; 3.1.1 Image Vulnerabilities
[3] Ibid., p. 17; 3.4.4 App Vulnerabilities
[4] Ibid., p. v; Executive Summary
[5] Ibid., p. 24; 4.3.5 Orchestrator Node Trust
[6] Ibid., p. v; Executive Summary
[7] Ibid., p. iv; Executive Summary
[8] Ibid., p. 13; 3.1.1 Image Vulnerabilities
[9] Ibid., p. vi; Executive Summary
[10] Ibid., p. vi; Executive Summary
[11] Ibid., p. v; Executive Summary
[12] Ibid., p. 30; Exploit of a Vulnerability within an Image
[13] Ibid., p. vi; Executive Summary