Container Security: Vulnerabilities and Countermeasures

October 30, 2017

Containers offer many advantages for management, deployment, and efficient development of applications.  Like any technology, however, they are subject to attack from malicious actors, and require diligent security.  Vulnerabilities can appear in the container images themselves, in the registry where they are stored, or in the orchestration and deployment of the images.  Let’s take a look.

Image Vulnerabilities & Countermeasures

Given the immutable nature of containers, updates and patches must be done to the container image prior to deployment.  Patching “on the fly” is not an option. In addition, an image could contain malicious files capable of installing, executing, and distributing malware, particularly if the image comes from an untrusted sources.   Incorrect configurations, such as running with excessive privileges or inclusion of unnecessary daemons, can put also containers at risk.  Finally, an image might contain clear-text passwords, private keys, connection strings, username/password combinations, or other sensitive information.

A key countermeasure is a disciplined lifecycle management for containers.  This requires visibility into vulnerabilities at all layers of the container, such as application frameworks and the software under development.  As a container goes through the lifecycle, it should have to pass inspection at multiple “gates”, so that vulnerabilities are identified and eliminated early in the process.  Configurations should undergo review, and an image’s provenance should never be taken for granted.  Scan for malware, and implement a formal process to identify and remove sensitive data that does not belong on a container image.

Registry Vulnerabilities & Countermeasures

Application images are typically stored in registries for easy retrieval, organization, and storage.  If the registry itself is not properly secured, however, bad images (like those just described) can find their way into the registry.  A bad image is a bad image, whether uploaded by accident by a negligent user, or on purpose by a bad actor.

To mitigate these vulnerabilities, encrypt communication to and from registries.  More importantly, actively prune the registry to eliminate stale or infected images.  Be sure that naming schemes identify version levels, and make sure you can identify the most current image, and that it is not confused with older “latest” images.

Orchestrator Vulnerabilities & Countermeasures

As with any system, adhere to the basic principles of least privilege and separation of duties.  Identify team roles and functions, and assign privileges accordingly.  You may be running applications with multiple sensitivity levels, so be sure to take sensitivity levels into account when assigning privileges.

To mitigate these weaknesses, use multi-factor authentication, and consider single sign-on to make MFA easier to use.  If data is encrypted on the host, be sure that containers have adequate credentials for access, but do not avoid the issue by decrypting data permanently.  Consider encrypting inter-container network traffic, and organize containers to avoid mistakes in rights assignment and deployment.