Federal agencies are constantly looking for cutting-edge technology to better serve their mission and the public. In recent years, government agencies like the Defense Department and the National Institutes of Health that make and manage web applications have relied on containers to deliver increased interoperability and ease of use.
As developers embrace cloud-native computing practices, containers have also become increasingly important for the business efficiency of major corporations. Many Fortune 500 companies, from technology to financial institutions, have embraced containers to improve the efficiency of deploying, scaling, and managing applications.
Containers comprise small, fast, portable units of software in which code gets packaged so that an application runs quickly and reliably in different computing environments—from the desktop to the cloud, across multiple clouds, as well as on-premises data centers.
Containers offer organizations and businesses a unique opportunity to modernize their legacy applications and develop new applications to take advantage of cloud services, according to a General Services Administration (GSA) blog post. In May 2021, GSA’s Data Center and Cloud Optimization Initiative Program Management Office released a Containerization Readiness Guide to help agencies through container adoption.
As organizations adopt containers, it’s essential to have the appropriate security checks in place, primarily because attacks on the software supply chain continue to grow.
Security risks
While pointing out the benefits of containers, the GSA Guide also describes the inherent security risks agency leaders should consider, such as vulnerabilities introduced through additional software, poorly managed keys and credentials, and security misconfigurations.
Malware embedded in container images has been a common security threat, and the images on which the containers are built can have their own security vulnerabilities. In August 2021, Docker, which offers a platform for developing, sharing, and running applications, found five malicious container images with code that secretly mined cryptocurrency using 120,000 user systems.
The federal government has made protecting containers a priority. In March 2021, the Federal Risk and Authorization Management Program (FedRAMP) released the Vulnerability Scanning Requirements for Containers document. This document addresses FedRAMP compliance pertaining to the processes, architecture, and security considerations specific to vulnerability scanning for cloud systems using container technology.
According to the FedRAMP guide, some important risks and threats relative to the use of containerization technology include unvalidated external software, non-standard configurations, unmonitored container-to-container communication, and unauthorized access.
Organizations should implement policies requiring periodic image scanning for these vulnerabilities or non-approved image sources, according to the GSA Guide, which recommends agencies consult the National Institute of Standards and Technology (NIST) Application Container Security Guide for container security best practices.
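The "non-approved image sources" control above is easiest to enforce mechanically, before an image is ever pulled. The following is an added example written for this article, not code from GSA, NIST or Veracode: it parses an image reference the way container runtimes do (implicit docker.io registry, implicit library/ namespace), checks the registry against an allowlist, and requires a digest pin so that a periodic re-scan refers to the same bytes the policy approved. The registry names, digest and Dockerfile are constructed sample values.

```python
"""Approved-source and digest-pinning check for container image references.

Added example, not from the article or any agency guide. The allowlist,
image names and digest below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist (assumption for the example, not a real policy).
APPROVED_REGISTRIES = {"registry.example.gov", "mirror.example.gov:5000"}

# Constructed, well-formed but meaningless digest used in the sample Dockerfile.
PINNED_BASE = "registry.example.gov/base/distroless:nonroot@sha256:" + "0" * 64

SAMPLE_DOCKERFILE = f"""\
FROM --platform=linux/amd64 golang:1.21 AS builder
FROM {PINNED_BASE} AS runtime
FROM scratch
FROM runtime
"""


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry / repository / tag / digest.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image is implicitly on docker.io and a
    single-segment name lives under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    tag = None
    # A ':' introduces a tag only if it comes after the last '/' (ports live before it).
    last_slash, last_colon = path.rfind("/"), path.rfind(":")
    if last_colon > last_slash:
        path, tag = path[:last_colon], path[last_colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image_policy(ref: str, approved=APPROVED_REGISTRIES) -> List[str]:
    """Return the policy violations for one reference (empty list means it passes)."""
    img = parse_image_ref(ref)
    violations = []
    if img.registry not in approved:
        violations.append(f"registry {img.registry!r} is not an approved source")
    if img.digest is None:
        violations.append("image is not pinned by digest; a tag can be re-pointed after scanning")
    elif not img.digest.startswith("sha256:") or len(img.digest) != len("sha256:") + 64:
        violations.append("digest is not a well-formed sha256 digest")
    return violations


def audit_dockerfile(text: str, approved=APPROVED_REGISTRIES) -> Dict[str, List[str]]:
    """Check every FROM line; build-stage aliases and 'scratch' are not external sources."""
    stages = set()
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        ref = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        if ref == "scratch" or ref in stages:
            continue
        results[ref] = check_image_policy(ref, approved)
    return results


if __name__ == "__main__":
    for image, problems in audit_dockerfile(SAMPLE_DOCKERFILE).items():
        print(image, "->", problems or "OK")
```

The same check can be run against image fields in deployment manifests; what matters is that the allowlist and the digest requirement are evaluated where images are admitted, not only when a scanner happens to run.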
Container security: An integral part of cybersecurity
The White House’s Executive Order (EO) from May 2021 has already established new requirements for securing the federal government’s software supply chain, outlining the need for automated tools to find and fix vulnerabilities.
As the NIST Container Security Guide notes, traditional vulnerability management tools might make false assumptions about the functions of a containerized model. They might assume that a given server runs a consistent set of applications over time. However, different application containers might run on different servers based on resource availability. Moreover, these tools often lack the capability to detect vulnerabilities in containers.
Lack of visibility into containers means security teams are often unable to tell whether there are issues in the code. And containers are rarely scanned for vulnerabilities before or after being deployed to production.
Since cyberattacks continue to increase as more access points and software vulnerabilities open doors for attackers, we must make container security a critical part of the comprehensive security assessment programs of all agencies, as well as private businesses. To that end, organizations must adopt container-specific vulnerability management and application security tools and processes for images to prevent compromises.
All organizations should deploy a suite of on-demand, SaaS-based testing services that embeds security analysis and testing throughout the software development life cycle (SDLC), allowing DevSecOps teams to test for vulnerabilities from inception and throughout production.
Securing containers requires a “shift left” mentality, which means organizations must fully integrate security into the entire development process from start to finish. Developers must have remediation advice early in the SDLC so that insecure containers don’t ship to production. When placed into production, containers host modern, cloud-native applications, and IT administrators can change configurations to scale workloads up or down, opening new risks. Organizations should secure containers from the start, and once deployed, continue to monitor them to maintain security fidelity.
SBOMs for container images?
A software bill of materials (SBOM) has emerged as an important building block in software security and software supply chain risk management, especially since the release of the Cybersecurity EO. As defined by the Cybersecurity and Infrastructure Security Agency (CISA), SBOMs are lists of ingredients that make up software components. Already, some developers of container platforms are incorporating commands that create an SBOM for their container images.
While SBOMs are important, they are still a new concept. We are watching the progress of SBOMs and emerging standards such as Supply-chain Levels for Software Artifacts (SLSA), a security framework and checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in projects.
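An SBOM only pays off when something consumes it. The following added example (not from the article, CISA, or any SBOM tool) shows the basic use: read a CycloneDX-style document for a container image, and correlate each listed component with an advisory feed by package URL and version. It assumes only the top-level "components" list with "name", "version" and "purl" fields; the SBOM contents, the package names and the advisory identifiers are all constructed sample data, not real packages or real vulnerabilities.

```python
"""Correlating a container image SBOM with an advisory list.

Added example, not from the article or any vendor tool. Assumes a
CycloneDX-style JSON document; only "metadata.component" and the
"components" entries' name/version/purl fields are used. All package
names, versions and advisory ids below are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container",
                               "name": "registry.example.gov/apps/web",
                               "version": "1.4"}},
    "components": [
        {"type": "library", "name": "libexample", "version": "2.3.1",
         "purl": "pkg:deb/debian/libexample@2.3.1"},
        {"type": "library", "name": "samplejs", "version": "4.17.20",
         "purl": "pkg:npm/samplejs@4.17.20"},
        {"type": "library", "name": "otherlib", "version": "1.0.9",
         "purl": "pkg:deb/debian/otherlib@1.0.9"},
    ],
})

# Constructed advisories: versions below "fixed_in" are affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_base": "pkg:deb/debian/libexample", "fixed_in": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "purl_base": "pkg:npm/samplejs", "fixed_in": "4.17.19"},
]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions so '1.0.10' sorts after '1.0.9'."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def purl_base(purl: str) -> str:
    """Strip the version and qualifiers from a package URL: pkg:type/ns/name."""
    return purl.split("?", 1)[0].split("@", 1)[0]


def sbom_subject(sbom_json: str) -> str:
    """Return the image the SBOM describes, so findings can be tied to it."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    subj = doc["metadata"]["component"]
    return f'{subj["name"]}:{subj["version"]}'


def match_advisories(sbom_json: str, advisories: List[dict]) -> List[Dict[str, str]]:
    """Every component whose version is below an advisory's fixed_in is a finding."""
    doc = json.loads(sbom_json)
    by_base = {}
    for adv in advisories:
        by_base.setdefault(adv["purl_base"], []).append(adv)
    findings = []
    for comp in doc.get("components", []):
        for adv in by_base.get(purl_base(comp["purl"]), []):
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    print("image:", sbom_subject(SAMPLE_SBOM))
    for f in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Because the SBOM is produced once at build time, this correlation can be re-run against a fresh advisory feed without pulling or re-scanning the image, which is the practical reason to keep SBOMs alongside the image digest they describe.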
Now more than ever, we must make container security programs an integral part of an organization’s DevSecOps environment. Analyzing data from 20 million scans and half a million applications, researchers found security flaws in 82% of public sector applications, according to our 12th State of Software Security (SOSS) report.
Container security is about more than enabling efficiency and faster development: it’s a matter of national security.
Brian Roche, chief product officer, Veracode