BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology
ORGANIZATIONS ARE LEVERAGING CONTAINERS on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, the security risks associated with containerized software delivery have become a critical topic in DevOps. This puts the spotlight on Operations teams to find security vulnerabilities in production environments without sacrificing the efficiency of containers.

MOVING SECURITY INTO PRODUCTION

Containers are enjoying widespread adoption, but as with many new technologies, there are concerns around security. According to Forrester Research, 63% of enterprises using containers have over 100 deployed, and 82% expect to have more than 100 containers deployed within the next two years. Nonetheless, 44% of those enterprises identify security as their top concern regarding container adoption, making it the most common hurdle to containerization.

Synopsys has been closely tracking the explosive growth of containers over the last couple of years. In 2017 the company launched Black Duck OpsSight, its first product focused on giving IT Operations teams visibility into their container images, thus helping prevent applications with open source vulnerabilities from deploying and running in production. While Black Duck Hub scans code for open source vulnerabilities as it moves through the SDLC, OpsSight allows IT Operations teams to gain control of open source security in production at enterprise scale.

Black Duck isn't the only organization to identify this trend. The National Institute of Standards and Technology (NIST) published Special Publication 800-190, the Application Container Security Guide, in September 2017 to address the security risks associated with container adoption.
Chances are, hackers are aware of the growing popularity of containers as well, which is why Black Duck compiled eight takeaways from NIST's report on container security to help you be proactive about vulnerabilities in your production environment. This guide is intended for the 80% of container users who believe they could be doing more to address container security.
EIGHT KEY POINTS FROM NIST'S REPORT ON CONTAINER SECURITY

1. AS THE USE OF CONTAINERS BECOMES BEST PRACTICE IN DEVOPS, EXISTING SOFTWARE DEVELOPMENT AND SECURITY METHODOLOGIES COULD BE DISRUPTED.

Organizations are adopting containers to accelerate software delivery, embrace flexibility in the production environment, and move to the cloud. NIST recommends that organizations tailor their operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containerization. [1]

As an example, due to the immutable nature of containers, vulnerabilities found within those containers are not simply fixed or patched with the latest software update. Instead, the base images themselves should be updated and redeployed as new containers entirely. This is an important operational difference, which is why processes and tools may need to be adjusted. Unlike traditional operational patterns, in which deployed software is updated in the field on the hosts it runs on, with containers these updates must be made upstream in the images themselves, which are then redeployed. [2]

2. WHILE CONTAINERS HELP SPEED SOFTWARE DELIVERY, THEY POSE NEW RISKS TO APPLICATION SECURITY.

Containers package code together with its software dependencies, eliminating the need for operations teams to reconfigure the infrastructure every time they deploy an application: a container is built once and can run anywhere. While NIST acknowledges these benefits of containers, it cautions: "when a container is compromised, it can be misused in many ways, such as granting unauthorized access to sensitive information or enabling attacks against other containers or the host OS." [3] Just as traditional applications are vulnerable to hackers, containers can be breached. Container users hoping to protect passwords, customer data, and other sensitive information should understand that the security risks associated with containers can and should be controlled.
The most effective and proactive way of doing that is by finding and removing vulnerabilities in base images. Of course, security does not stop at the base image. Container security tools should have visibility into vulnerabilities at all layers of the image: not just the base layer, but also the application frameworks and the custom software the organization is using. [4]
3. DEFINE A CONTAINER SECURITY STRATEGY AND UTILIZE A TOOL THAT CAN HELP YOU ENFORCE IT THROUGHOUT THE DEVOPS LIFECYCLE.

Organizations should adopt tools that validate and enforce compliance with container security policies. The most advanced tools enable this enforcement by providing a method to prevent containers with security vulnerabilities from being deployed. Organizations should use tools that include policy-driven enforcement; they should be able to create quality gates at each stage of the build and deployment process to ensure that only images that meet the organization's vulnerability and configuration policies are allowed to progress. [5] As an example, container users can set a policy to flag CVE-2017-5638, the Apache Struts vulnerability exploited in the Equifax breach, and the tool automatically identifies images containing that vulnerability and helps prevent them from running in production.

4. THE LARGE-SCALE USE OF CONTAINERS IS NEW, AND SO ARE THE TOOLS TO MANAGE THEM.

As containers dramatically change application deployment, the associated security processes should also change, according to NIST. Teams cannot rely on traditional security tools that are not designed to manage the security risks associated with hundreds or thousands of containers. NIST reports: "traditional tools are often unable to detect vulnerabilities within containers, leading to a false sense of safety." Rather, adopt container-specific vulnerability management tools and processes for images to prevent compromises. [6] The institute warns that "traditional developmental practices, patching techniques, and system upgrade processes might not directly apply to a containerized environment." [7]
5. CONTAINERS SHOULD BE MONITORED CONTINUOUSLY BECAUSE NEW SECURITY VULNERABILITIES ARE BEING DISCOVERED EVERY DAY.

With hundreds or thousands of containers running at the same time, finding and remediating every newly discovered vulnerability in each container can be a challenge. As NIST notes, "an image created with fully up-to-date components may be free of known vulnerabilities for days or weeks after its creation, but at some time vulnerabilities will be discovered in one or more image components, and thus the image will no longer be up-to-date." [8] To ensure containers are secure from newly reported vulnerabilities, NIST suggests organizations utilize a container-native security solution that can "monitor the container environment and provide precise detection of anomalous and malicious activity within it." [9]

Container orchestrators are a good place to start. Orchestrators have the difficult task of running, stopping, terminating, and moving containers, so tools that are integrated with orchestrators can have access to every container. By integrating the security review process into container orchestration, organizations can ensure that every image is being scanned and monitored.

6. ORGANIZATIONS SHOULD ENSURE THEIR APPROACH TO CONTAINER SECURITY SCALES TO THEIR CONTAINERIZED ENVIRONMENT.

Tools scale, people don't. It only takes one vulnerable container out of thousands to cause a breach, which is why organizations need visibility into every container image simultaneously. Traditional security solutions may not be able to operate at the scale of containers, manage the rate of change in a container environment, or have visibility into container activity. [10] According to a survey by the Cloud Native Computing Foundation, 25% of companies who use containers in production are running over 1,000 containers at a time. Additionally, there has been a 200% increase in deployments of over 250 containers within the last year.
The trend is clear: containers are beginning to do the heavy lifting for software deployment. Operations teams need security tools that can scale with their container usage to ensure every container is being scanned and monitored for vulnerabilities.

From NIST SP 800-190, Section 4.3.1, Vulnerabilities Within the Runtime Software:

"The container runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Common Vulnerabilities and Exposures (CVEs) vulnerabilities in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes."
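Points 3 and 5 above describe two mechanisms: a policy gate that refuses any image carrying a blocked CVE or a finding above an allowed severity, and a monitoring loop that re-checks images already in production whenever the advisory feed changes. The Python below is an added illustration of both, written for this page; it is not Black Duck, OpsSight or NIST code. The image references, package names, versions and the CVE-0000-* identifiers are constructed sample data; only CVE-2017-5638 (Apache Struts 2, fixed in 2.3.32 and 2.5.10.1) is a real advisory.

```python
"""Image policy gate plus re-evaluation of the deployed inventory.

Added example, not Black Duck, OpsSight or NIST code.  Image references,
package names, versions and the CVE-0000-* identifiers are constructed
sample data; only CVE-2017-5638 (Apache Struts 2) is a real CVE.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison then orders versions."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    severity: str     # LOW, MEDIUM, HIGH or CRITICAL

    def affects(self, package: str, version: str) -> bool:
        if package != self.package:
            return False
        return parse_version(self.introduced) <= parse_version(version) < parse_version(self.fixed)


@dataclass(frozen=True)
class Image:
    ref: str
    components: Dict[str, str]   # package -> version: a minimal SBOM covering every layer


@dataclass(frozen=True)
class Policy:
    blocked_cves: frozenset      # never allowed, whatever the severity
    max_severity: str            # highest severity that may still deploy


def scan(image: Image, advisories: List[Advisory]) -> List[Advisory]:
    """Match every component of the image against every advisory in the feed."""
    return [adv for adv in advisories
            for pkg, ver in image.components.items() if adv.affects(pkg, ver)]


def evaluate(image: Image, advisories: List[Advisory], policy: Policy) -> Tuple[bool, List[str]]:
    """The quality gate.  Returns (allowed, reasons).  The same check can run
    at build time, at registry push, and as an admission decision before the
    orchestrator schedules the image."""
    reasons: List[str] = []
    for adv in scan(image, advisories):
        where = f"{adv.package} {image.components[adv.package]}"
        if adv.cve in policy.blocked_cves:
            reasons.append(f"{adv.cve} is on the block list ({where})")
        elif SEVERITY_RANK[adv.severity] > SEVERITY_RANK[policy.max_severity]:
            reasons.append(f"{adv.cve} is {adv.severity}, above the allowed "
                           f"{policy.max_severity} ({where})")
    return (not reasons, reasons)


def reevaluate(inventory: List[Image], advisories: List[Advisory],
               policy: Policy) -> Dict[str, Tuple[bool, List[str]]]:
    """Continuous monitoring: re-run the gate over every deployed image with
    the current feed.  The images have not changed; the advisory feed has."""
    return {image.ref: evaluate(image, advisories, policy) for image in inventory}


# Constructed advisory feed.  The two Struts entries are the affected ranges
# for CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10); CVE-0000-0001 is a
# placeholder identifier for a made-up MEDIUM finding in a made-up package.
ADVISORIES_DAY0 = [
    Advisory("CVE-2017-5638", "struts2-core", "2.3.5", "2.3.32", "CRITICAL"),
    Advisory("CVE-2017-5638", "struts2-core", "2.5.0", "2.5.10.1", "CRITICAL"),
    Advisory("CVE-0000-0001", "libexample", "1.0.0", "1.0.5", "MEDIUM"),
]
# Placeholder advisory published after the images were already in production.
NEW_ADVISORY = Advisory("CVE-0000-0002", "libexample", "1.0.0", "1.1.0", "HIGH")

# Constructed inventory of deployed images and their SBOMs.
IMAGES = [
    Image("registry.example/app-a:1.4", {"struts2-core": "2.3.31", "libexample": "1.0.9"}),
    Image("registry.example/app-b:2.0", {"struts2-core": "2.5.13"}),
    Image("registry.example/app-c:0.9", {"libexample": "1.0.9"}),
]
POLICY = Policy(blocked_cves=frozenset({"CVE-2017-5638"}), max_severity="MEDIUM")

if __name__ == "__main__":
    feeds = (("day 0", ADVISORIES_DAY0), ("after new advisory", ADVISORIES_DAY0 + [NEW_ADVISORY]))
    for label, feed in feeds:
        print(label)
        for ref, (allowed, reasons) in reevaluate(IMAGES, feed, POLICY).items():
            print(f"  {'ALLOW' if allowed else 'DENY '} {ref}", *reasons, sep="\n      ")
```

On day 0 the gate denies app-a (Struts 2.3.31 sits inside the CVE-2017-5638 range and the CVE is on the block list) and allows app-b and app-c. When the HIGH placeholder advisory for libexample arrives, nothing about app-c has changed, but re-running the same gate over the stored SBOM now denies it: that is the point 5 argument that a clean image does not stay clean, and why the inventory, not just the build pipeline, must be re-evaluated against the current feed.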
7. GROUP CONTAINERS BASED ON SIMILAR SECURITY RISKS AND SET POLICIES TO PREVENT VULNERABLE CONTAINERS FROM ENTERING PRODUCTION.

NIST suggests organizations group containers with the same purpose, sensitivity, and threat posture on a single host OS kernel to allow for additional defense in depth. [11] If containers are grouped this way, an attacker who compromises one container shares a kernel only with containers of the same sensitivity and will have a harder time expanding that compromise to other container groups. Smart grouping makes a breach easier to detect and contain, and it starts with understanding the security risks in each container. Organizations that have this visibility can make informed decisions about how to manage their containers.

While visibility is crucial to identifying vulnerable images, organizations can't be certain they catch every vulnerability unless they can set and enforce policies that prevent vulnerable containers from moving into production. NIST explains: "Detecting the vulnerable image early in the deployment process and having controls in place to prevent vulnerable images from being deployed would prevent the vulnerability from being introduced into production." [12]

8. AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE.

While Benjamin Franklin was certainly not referring to open source risk management, his wise words still apply. Be proactive about container security to prevent breaches before they happen. One of the most common threats to a containerized environment is application-level vulnerabilities in the software within containers. [13] Organizations don't have to worry that their move to containers might sacrifice security for efficiency if they have an automated security solution that scales to their containers in production. With a tool that automatically scans containers for vulnerabilities and monitors them for new ones, IT Operations teams won't have to choose between speed and security.
CHOOSE SPEED AND SECURITY

Like containers, open source software is adopted to accelerate software delivery. According to Black Duck's 2017 study on open source usage and security, 96% of applications utilized open source components, and 67% of those applications had open source security vulnerabilities. After the Equifax breach, IT Operations teams are in the hot seat to prevent these vulnerabilities from being deployed in their production environments. Those who apply NIST's recommendations to open source security in containers will be better suited to reap the benefits of containerization without worrying about open source risk.

With Black Duck's OpsSight, IT Operations teams can automatically scan their base images as they are sent into production and then continuously monitor them to flag newly reported open source vulnerabilities as they are discovered, allowing an organization's security review process to scale with its container usage. This enables IT Operations and DevOps teams to bake security into their production environment. OpsSight currently integrates with Kubernetes and Red Hat's OpenShift, container orchestrators that automate the complex process of organizing and managing containers. Orchestrators touch every container, so OpsSight's integration will help IT Operations teams rest easy, knowing that every image is being automatically scanned and monitored for open source vulnerabilities.

The reasons for adopting containers are clear: accelerated delivery, agility in production, and deployment in the cloud. However, as NIST points out, newfound efficiency shouldn't come at the cost of security; choose both with OpsSight.

ABOUT BLACK DUCK

Black Duck provides automated solutions for securing and managing open source software.
With the rapid, widespread adoption of open source software, Black Duck is a key component of the Synopsys Software Integrity Platform, the most comprehensive solution for integrating security into the SDLC and software supply chain. Additional information is available online at www.blackducksoftware.com.

CONTACT

To learn more, please contact: sales@blackducksoftware.com or +1 781.891.5100

RESOURCES

[1] National Institute of Standards and Technology, Application Container Security Guide (SP 800-190), p. iv; Executive Summary
[2] Ibid., p. 13; 3.1.1 Image Vulnerabilities
[3] Ibid., p. 17; 3.4.4 App Vulnerabilities
[4] Ibid., p. v; Executive Summary
[5] Ibid., p. 24; 4.3.5 Orchestrator Node Trust
[6] Ibid., p. v; Executive Summary
[7] Ibid., p. iv; Executive Summary
[8] Ibid., p. 13; 3.1.1 Image Vulnerabilities
[9] Ibid., p. vi; Executive Summary
[10] Ibid., p. vi; Executive Summary
[11] Ibid., p. v; Executive Summary
[12] Ibid., p. 30; Exploit of a Vulnerability within an Image
[13] Ibid., p. vi; Executive Summary