


Don't Panic, Container Software Can Be Shipped Safely


In the world of software application development, container technology is big news. But what is it, why is it a useful approach and is it safe?

In straightforward terms, a container is a specific place to run an application alongside its own dependencies, configuration files, libraries and the ‘runtime environment’ that defines its engine power. Containerizing your application means that a) it can be moved from one environment to another (say from ‘test’ to ‘deployment’) and that b) it can enjoy the freedom of being abstracted away from its underlying infrastructure.

Google and Twitter make massive use of containers, as do Uber, Salesforce, Goldman Sachs and GoDaddy, to name a few. On GitHub, the number of Docker container related projects in 2014 was 6,500. In June 2015, it was 40,000, and today it's around 60,000.

Are containers safe?

In terms of usage, containers need not be any more or less insecure than any other software, but the way they break applications into separate, self-contained technology packages does throw up questions. Because a container bundles its own libraries, any vulnerable library included inside an application is shipped along with it, and the ability to detect, manage and control those vulnerabilities could (arguably) come into question.

This is the suggestion made by Twistlock, a company that has almost painfully labeled itself with an über self-descriptive nametag.

Twistlock makes the following weighty assertion, “Most organizations using containers today include vulnerable libraries and have few tools to help them secure containers in runtime. Without exception, these companies unknowingly use vulnerable packages in their containers that are deployed on AWS, Google cloud and in their own datacenters. This, combined with the rate of containers being adopted, makes it a perfect storm.”

The firm extolls the no doubt manifold virtues of its own-brand Container Security Suite as a development-to-production security product that can go some way to locking down containers. If indeed the operations and security functions inside the IT department fail to have the level of visibility and control that they are accustomed to due to containers, then this could be useful.

But is it just spin and puff or should container security be approached differently compared to ‘traditional’ application security?

Technical validation

The validation comes in the technical details. Twistlock works by pushing vulnerability management analysis down through what we call the ‘full stack’ of the application. This means that it scans containerized applications in both image registries and in runtime to detect vulnerabilities present in the Linux distribution, application frameworks and custom-developed application code.
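The registry-side part of that scan boils down to comparing an image's installed package inventory against a vulnerability feed, and the subtle part is the version comparison: Debian-style package versions carry epochs, `~` pre-release markers and distribution revisions, so a naive string comparison gets it wrong. The Python below is an added example, not Twistlock's code or any real scanner's: the package listing and advisory feed are constructed sample data, the advisory ids are placeholders rather than real CVE numbers, and the comparison follows the dpkg version-ordering rules.

```python
"""Toy image scanner: match an image's installed packages against an
advisory feed. All data here is constructed sample input."""
import re
from dataclasses import dataclass
from itertools import zip_longest

# Constructed sample: the Linux distribution layer of an image, in the shape
# of `dpkg-query -W -f '${Package} ${Version}\n'` output.
IMAGE_PACKAGES = """\
openssl 1.1.1d-0+deb10u3
libc6 2.28-10
curl 7.64.0-4+deb10u1
zlib1g 1:1.2.11.dfsg-1
"""

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# The ids are placeholders, not real CVE identifiers.
ADVISORIES = {
    "openssl": [("ADV-PLACEHOLDER-1", "1.1.1d-0+deb10u5")],
    "curl":    [("ADV-PLACEHOLDER-2", "7.64.0-4+deb10u1")],  # already fixed
    "zlib1g":  [("ADV-PLACEHOLDER-3", "1:1.2.11.dfsg-2")],
}


def _order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' sorts before everything
    # (even end of string), then letters, then other punctuation.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment the way dpkg does:
    alternate non-digit runs (character by character via _order) and
    digit runs (numerically)."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa = _order(ca) if ca else 0
            ob = _order(cb) if cb else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: str
    advisory: str


def parse_packages(listing: str) -> dict:
    pkgs = {}
    for line in listing.splitlines():
        if line.strip():
            name, _, version = line.strip().partition(" ")
            pkgs[name] = version
    return pkgs


def scan_image(listing: str, advisories: dict) -> list:
    """A package is affected when its installed version is older than the
    first fixed version named in an advisory."""
    findings = []
    for name, installed in parse_packages(listing).items():
        for adv_id, fixed in advisories.get(name, []):
            if compare_versions(installed, fixed) < 0:
                findings.append(Finding(name, installed, fixed, adv_id))
    return findings


if __name__ == "__main__":
    for f in scan_image(IMAGE_PACKAGES, ADVISORIES):
        print(f"{f.package} {f.installed} is affected by {f.advisory}; fixed in {f.fixed_in}")
```

Run against the sample data it reports `openssl` and `zlib1g` and clears `curl`, whose installed revision already equals the fixed one. The same comparison is what decides whether a runtime instance of the image is still running the stale layer after the registry copy has been rebuilt.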

The software also extends enterprise ‘access control logic and policies’ to the container environment, controlling access to Docker and Kubernetes resources -- and the product also provides user-access analytics. In simpler terms, it provides driving controls (or at least a view through the windscreen) at a deeper level down inside the container. It’s a bit like allowing you to look inside the piston heads inside your car engine to see if they operate without any nasty bits of dust or obstruction.

CEO and co-founder of Twistlock Ben Bernstein further details the functionality: “Twistlock detects misconfigurations, malicious activities and compromises in runtime with activity monitoring and smart profiling. Smart runtime defense can prevent misconfigured containers from being launched, stop policy-violating network activities and kill misbehaving containers dynamically.”
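A minimal form of the ‘prevent misconfigured containers from being launched’ idea is a policy gate that inspects a container's requested configuration before it starts and either denies it or lets it through with warnings. The Python below is an added illustration, not Twistlock's product logic: the container records are constructed in the shape of the `Config` and `HostConfig` sections of `docker inspect` output, and the rule set (privileged mode, shared host namespaces, a Docker socket mount, added capabilities, no non-root user) is an assumed policy, not one the article describes.

```python
"""Launch-time policy gate over container configuration (added example).
Records are constructed samples shaped after `docker inspect`; the rules
are an illustrative policy, not a vendor's."""
from dataclasses import dataclass

DENY, WARN, ALLOW = "deny", "warn", "allow"


@dataclass(frozen=True)
class Violation:
    rule: str
    severity: str
    detail: str


def _host_config(c: dict) -> dict:
    return c.get("HostConfig") or {}


def _config(c: dict) -> dict:
    return c.get("Config") or {}


def rule_privileged(c):
    if _host_config(c).get("Privileged"):
        return Violation("privileged", DENY, "container requests privileged mode")


def rule_host_namespaces(c):
    hc = _host_config(c)
    shared = [k for k in ("NetworkMode", "PidMode", "IpcMode") if hc.get(k) == "host"]
    if shared:
        return Violation("host-namespaces", DENY, "shares host namespaces: " + ", ".join(shared))


def rule_docker_socket(c):
    # A bind of the daemon socket hands the container control of the host's engine.
    for bind in _host_config(c).get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            return Violation("docker-socket", DENY, "mounts the Docker socket: " + bind)


def rule_added_capabilities(c):
    caps = set(_host_config(c).get("CapAdd") or [])
    flagged = sorted(caps & {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"})
    if flagged:
        return Violation("capabilities", WARN, "adds capabilities: " + ", ".join(flagged))


def rule_runs_as_root(c):
    user = _config(c).get("User") or ""
    if user in ("", "0", "root") or user.split(":")[0] in ("0", "root"):
        return Violation("root-user", WARN, "no non-root user configured")


RULES = [rule_privileged, rule_host_namespaces, rule_docker_socket,
         rule_added_capabilities, rule_runs_as_root]


def evaluate(container: dict):
    """Return (decision, violations). Any DENY-level violation blocks the
    launch; WARN-level ones are recorded but allowed."""
    violations = [v for v in (rule(container) for rule in RULES) if v]
    decision = DENY if any(v.severity == DENY for v in violations) else ALLOW
    return decision, violations


# Constructed sample containers (names and images are made up).
SAMPLE_CONTAINERS = {
    "web-frontend": {
        "Config": {"Image": "example/web:1.4", "User": "10001:10001"},
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": []},
    },
    "debug-helper": {
        "Config": {"Image": "example/debug:latest", "User": ""},
        "HostConfig": {"Privileged": True, "NetworkMode": "host", "PidMode": "host",
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                       "CapAdd": ["SYS_ADMIN"]},
    },
    "batch-job": {
        "Config": {"Image": "example/batch:2.0", "User": "root"},
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "CapAdd": ["NET_ADMIN"]},
    },
}


if __name__ == "__main__":
    for name, record in SAMPLE_CONTAINERS.items():
        decision, violations = evaluate(record)
        print(f"{name}: {decision}")
        for v in violations:
            print(f"  [{v.severity}] {v.rule}: {v.detail}")
```

In a real deployment the `evaluate` call sits in an admission hook (a Docker authorization plugin or a Kubernetes admission webhook) that sees the create request before the engine acts on it; the value of the rule-per-function layout is that operations and security teams can add or relax rules without touching the gate itself.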

Twistlock says its Container Security Suite is deployed at customer organizations spanning financial services, media, hospitality, consumer technology services and government agencies. We also know that eight of its customers have already deployed Twistlock in mission-critical environments protecting live services and customer data.

Don’t panic!

So are containers inherently insecure? No, they’re not. Could containers ship (pun intended) with some insecure code libraries? Yes, of course they could.

Do other container security solutions exist? Yes, obviously… and Docker’s own version 1.8 summer 2015 release featured extensive security provisions. Not least of these was the use of Notary, a container infrastructure technology that uses The Update Framework (TUF) as a basis for cryptographic keys that look after content signing and verification.

Is Docker alone in looking at this kind of security layer? Not at all; Black Duck Software has detailed a similar approach to vulnerability analysis… but that’s another story.

Has Twistlock presented a valid argument for the way it can analyze the ‘inner guts’ of what goes on inside containers and the applications that they carry? Yes it has, but this is a broad subject that runs across a big ocean (once again, pun intended).
