Container security, DevSecOps

An Easier Way For Security To Keep Pace

This post was authored by Michael Santarcangelo, founder of The Security Catalyst, host of Business Security Weekly, and former contributing editor for CSO online. This post is sponsored by Layered Insight.

Are you feeling overwhelmed? Struggling to keep pace?

Security must adapt to the constant shifts across our ecosystem. At the same time, the adoption of agile and similar approaches moves faster than security can. Many organizations struggle with monthly scans and the actions those scans require; modern container approaches require daily scans. The result is often a lot of friction between teams and frustration around security. “The next wave of security is all about protecting applications, users, and data,” says Matt Alderman, Chief Strategy & Marketing Officer at Layered Insight. “Our focus is protecting the application, which means protecting containers at runtime. By embedding security within the container, Layered Insight solves the portability and scalability challenges of other container security solutions without impacting development or operations.”

Embrace the changing role of security

The role of security is changing from operations to governance. This means guiding internal teams and third parties. It puts importance on the knowledge and skill of security professionals while supporting other teams to move at the pace they need. This change also exposes how existing tools fail to provide the visibility and control needed to fulfill the governance role. The solution lies in embracing the technology and approaches of the teams we support. The container becomes the focal point for security because it’s the central foundation for the application. Containers are the bridge to actually build security into the process.

What it looks like when done right

The right approach to containers catches security up without holding anyone back. It takes a combination of empowering developers to scan and fix on their own and building security into the process. Developers build. When ready, they scan their build and get rapid feedback on any needed changes. This approach keeps pace with developers while letting them address security concerns as part of the development process. The key is injecting security into the container image with the visibility and controls baked in from the start. As a result, the orchestrator only picks up properly scanned and instrumented images.

Even more benefits from this approach

Most people deploy containers in virtual machines. Why? Because security is embedded in the virtual machine. Of course, this defeats the purpose of using containers. That’s why we need to embed security into the container. No more curious violations of least privilege in an effort to enforce security. The benefit of embedding security into the container is a dramatic reduction of friction between teams and a cost savings on the operation.

As Richard Seiersen, CISO at Lending Club explains:

“Security with low friction and low cognitive load wins in a software defined world. If your capabilities create development drag and restrict deploy, you and those you protect will lose. Layered Insight’s security model targets this reality with a ‘deploy fast anywhere’ intent.”

Make the changes now to overcome friction

Instead of struggling to keep pace, act now to reduce friction and improve results. Gain the visibility and controls you need to boost your security posture. Adopt the right approach to container security by empowering developers and building security in. Too good to be true? It’s easier than you realize. Our Security Weekly Partner, Layered Insight, shows you how. Matt Alderman has created a series of short videos, blogs, and eBooks to walk through the process. To learn more, visit layeredinsight.com.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Researcher for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles at a lottery company, a university, an ISP, as an independent penetration tester, and at security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly. He enjoys coding in Python and telling everyone he uses Linux.