Container vulnerabilities and security best practices
Containers have been pretty much a part of the software world since the late 70s when during the development of Unix V7, the chroot system call was introduced. But we had to wait until 2006 to see containers become mainstream when Google developed process containers. Now, according to a survey conducted by Diamanti in 2018, two-thirds of the IT leaders surveyed say they either plan or are considering moving workloads from virtual machines to containers and two-fifths say they plan to replace virtual machines with containers.
System virtualization involves running multiple instances of operating systems required by a particular application on a single system. On the other hand in containerization, applications are encapsulated in a manner that will make them deployable in several environments. Containerization comes with a plethora of advantages for DevOps, including improved performance and reduced costs; however, the availability of applications to a broad spectrum of environments exposes them to vulnerabilities.
While most IT professionals believe that containers are immune to threats, the bitter truth is that they are not. Although Docker and Kubernetes systems, which are literally the names that come to everyone’s mind when we say containers, have high standards of security, containers often fall prey to attacks and security risks. So, it is essential to know the vulnerabilities present in the container ecosystem and how you can address them. Let us explore some of the major ones that can affect the performance of your containers and how you can take precautionary measures to avoid what may soon become a catastrophe for your business.
Shared Web Host Attacks
Shared web host attacks refer to containers on shared web hosts being attacked by unauthorized or contaminated containers. Here, the container may come in contact with a contaminated source accidentally or fall prey to a trap that was set up by an attacker.
Access Control Attacks
Access control is a crucial part of container security, be it data centers or cloud-based networks. Most suppliers provide access control options through an encryption key placed in the container registry. Using this key, a super-user can grant or revoke access to containers and give permissions to different users. A user or storage object viewer has the read-only permission whereas an admin has permissions to read & write or read & publish.
Access control attacks are simply those which can be directed by users having permissions that they are not supposed to have or attacks executed through spoofed credentials. Thus, it becomes critical in access management to revoke permissions of such users.
Container Image Attacks
Container images are building blocks of containers that consist of executable software packages. Most developers pull images from a repository and execute them without investigating whether they contain any threats. These images may be corrupted by an attacker and can contaminate other containers. Furthermore, attackers may gain system-level access and exploit other users by running malicious containers on their systems. If not detected ahead of time, such images may cause system or even infrastructure-level damages. Images that are not properly configured and outdated images in repositories also pose threats to containers.
Root Kernel Attacks
RunC is an open-source command language interpreter used for running containers. Root attacks are executed when an infected container overwrites binary of the host RunC and gains access to the root. This makes attackers capable of running any command just like the root. The worst part is, root access enables attackers to gain access to a part of the Kernel, exposing hundreds of containers to the possibility of being attacked. It enables an attacker to increase the intensity of the assault by inserting more infected containers and/or by adding commands to existing containers.
So, these are some of the major areas in your container ecosystem that are prone to attacks. Now, let us have a look at some of the best practices that you can follow in order to prevent your container ecosystem against any such attacks because “prevention is better than cure”.
Best practices for container security:
- It is extremely crucial to monitor what all a container can access, system resources that it consumes and the Kernel requirements of containers. Such activities are supervised primarily by control groups and namespaces that are fundamental components of container security and need to be configured in a timely manner.
- It is important to monitor who has access to what in order to prevent access control attacks. Modifications in container settings, configurations, and behavior also need to be monitored on a regular basis.
- The most basic precaution that you can take to avoid image-based attacks on your containers is to always check for signatures on any image that you download and make sure that they are from trusted sources. Besides, you may also use trustworthy image scanning tools like Docker, Clair, Anchore, etc.
- The automation of processes like auditing, behavior profiling, and authorization, among others can prove beneficial for the early detection of root kernel attacks. Moreover, the hardening of kernels is a useful practice to avoid such attacks.
- The use of container-specific OS, proper hosting of containers on a host OS kernel, network traffic separation and using third-party applications for container security are some more measures that fortify the security of containers.
DevOps practices have revolutionized the way we develop applications and have multiplied the speed of delivery. In order to match this increased speed of delivery and its quality, we will have to bolster our security practices. Containers play a major role in the DevOps revolution. So, it is important to address major container vulnerabilities. But in order to address any security concerns in the long-term your SecOps and TestOps teams need to follow continuous and agile testing methodologies. Test automation and tools are always there to augment security and testing practices. To know how you can incorporate SecOps as a part of your DevOps culture here is an interesting whitepaper from our vault. Opcito has helped startups as well as enterprises in securing the IT infrastructure. Get in touch with us to see how you can make your Dev, Sec, and Ops team work together more efficiently.