Have you ever found yourself spending hours trying to figure out why your new installation of a database, web server, or Python library isn’t working? If so, you probably understand that using containers can be a good solution for this type of problem.
A container platform, such as Docker, allows developers to install and use pre-built images of their applications, making it easier and faster to run them in different environments. This is known as containerization. In this way, developers can ensure that their applications function consistently across different operating systems and environments, without having to worry about configuration and dependency issues.
Also read: How to increase your container security.
Security Challenges in Containers
Dealing with containers as a solution may seem easy, but there is something that many overlook during this process: security. Containers can be portable and agile, but they can also bring threats to your application environment. Their rapid deployment makes it easy for developers to run them without the appropriate security checks and configurations, for example. In addition, the use of layered images creates a large attack surface that can be difficult to defend.
In this regard, container security is an increasingly growing concern. With the increased use of containerization tools such as Docker and Kubernetes, it has become essential to ensure that these environments are protected against potential threats.
The OWASP (Open Web Application Security Project), a leading application security organization, provides guidelines and resources to help developers and security professionals ensure the security of their containers. Let’s explore how OWASP can provide essential resources in protecting your containers.
How OWASP can help you with container security?
The OWASP SAMM (Software Assurance Maturity Model) is a framework that provides guidelines for ensuring security in various application scenarios, including the use of containers. With it, developers can follow security best practices and avoid potential vulnerabilities.
In addition, OWASP offers additional resources such as threat modeling for Docker and Kubernetes environments, which are useful for identifying risks early in the software development process and ensuring the security of such components.
OWASP also has several other works to help developers ensure the security of their applications, including the Docker-Security project () and the Docker_Security_Cheat_Sheet.
Using OWASP SAMM in conjunction with these resources ensures a comprehensive and effective approach to container security.
To ensure the security of your cloud-based applications, it is crucial to avoid the temptation to place all trust in a Cloud provider. After all, security is a shared responsibility, and it is up to us developers to always be vigilant and prepared for potential threats.
Therefore, when it comes to security in cloud applications, it is necessary to have maturity in development, considering all the contexts involved, from application creation to deployment.
We must overcome the idea that the cloud is insecure or less secure than an on-premise environment. Security is not defined by these characteristics, as there can be security problems in both cloud and on-premise environments.
It is worth noting that large providers may invest more in security tools, which can make cloud security superior in some cases. However, everything depends on a series of factors, including configuration.
Understanding the nuances between Cloud Security and Security in the Cloud
Most cloud security breaches are caused by customer configurations, rather than the Cloud providers. This is reinforced by Gartner, which predicts that by 2025, 99% of cloud security breaches will be the customer’s fault.
Another consideration is the fact that cloud providers typically adopt a shared responsibility model, where both parties have roles and responsibilities when it comes to security. This is reinforced by Amazon’s shared responsibility model, for example.
In summary, “cloud security” focuses on the applications and data that are executed and stored in the cloud, while “cloud infrastructure security” focuses on the underlying cloud infrastructures that support these applications and data.
OWASP Docker Top 10
As developers, it’s important for us to be aware of security challenges involving the use of containers, especially when it comes to Docker. The OWASP SAMM addresses these challenges and provides guidelines to ensure security in Docker scenarios.
One of the practices addressed is environment management, which focuses on keeping the environment clean and secure. This includes elements such as operating systems, containers, frameworks, services, appliances, and libraries.
In addition, when creating Docker images, it’s crucial to follow good security practices, such as using Dockerfile and Docker Compose. It’s recommended to avoid using the ADD command in favor of COPY and to avoid “curl bashing” in RUN directives. These measures can help ensure that the created images are secure and free of known vulnerabilities.
Docker allows us to create custom and reusable images, as well as manage an environment with running containers. This includes communication with external environments and the configuration of pre-established commands during image construction.
When working with base images, we recommend considering reliable sources, such as Docker Hub and ECR. Additionally, care must be taken to avoid vulnerable libraries.
In the running environment, pay attention to network communication security, code, parameters, environment variables, and the entire structure that supports the running container. By addressing these aspects, we can better understand the OWASP Docker Top 10.
The OWASP Docker Top 10 initiative provides a list of ten critical security points to be considered when planning and implementing a secure container infrastructure.
These ten points are listed in order of importance, allowing you to prioritize the most important security measures for your application:
D01 – Secure user mapping
Usually, the application inside the container is run with standard administrative privileges: root. This violates the principle of least privilege and gives the attacker greater chances to escalate their activities if they can break out of the application and enter the container. From the host’s point of view, the application should never be run as root.
D02 – Patch management strategy
The host, containment technology, orchestration solution, and minimal operating system images inside the container will have security bugs. Once publicly known, it is vital for your security posture to address these bugs in a timely manner. For all these mentioned components, you need to decide when to apply regular and emergency patches before deploying them into production.
D03 – Network segmentation and firewall
Proper network planning is crucial. The management interfaces of the orchestration tool and, especially, the host’s network services are critical and need to be protected at a network level. It is also important to ensure that all other network-based microservices are only exposed to the legitimate consumer of that microservice and not the entire network.
D04 – Secure standards and protection
Depending on the choice of host and container operating system and orchestration tool, care must be taken to ensure that no unnecessary components are installed or started. Additionally, all necessary components need to be properly configured and locked down.
D05 – Maintain Security Contexts
Mixing production containers on a host with other undefined or less secure container stages can be problematic. Additionally, mixing, for example, front-end with back-end services on a host can have negative security impacts.
D06 – Protecting Secrets
Authenticating and authorizing a microservice with a pair or third party requires secrets to be provided. For an attacker, these secrets can allow them to access more data or services. Thus, any passwords, tokens, private keys, or certificates need to be protected as best as possible.
D07 – Resource Protection
Since all containers share the same physical CPU, disks, memory, and networks, these physical resources need to be protected so that a single out-of-control container – intentional or not – does not affect the resources of other containers.
D08 – Container Image Integrity and Origin
The minimal operating system in the container runs its code and needs to be trustworthy, from origin to deployment. It must be ensured that all transfers and images at rest have not been tampered with.
D09 – Follow the Immutable Paradigm
Container images often do not need to be written to your file system or a mounted file system once configured and deployed. In these cases, you have an extra security benefit by starting the containers in read-only mode.
D10 – Logging
Keeping a record is a critical aspect to keep an eye on risks. You should enable security logs and audit logs while provisioning the infrastructure, as they help assess security risks related to confidential assets.
Using Conviso Platform to obtain secure containers
Secure Pipeline is a product of Conviso Platform, designed to ensure the security of software applications during the continuous integration and delivery process. It includes a Dockerfile container analysis, ensuring security at all stages of the CI/CD pipeline.
It provides a unified overview of vulnerabilities identified by all security tests in the CI/CD, including SAST, SCA, IaC, and Cloud, eliminating duplications and correlating and prioritizing the results of all scans.
With Secure Pipeline’s Dockerfile container analysis, it is possible to identify security issues, such as defining a user for the container to not use Root directly, as shown in the example below, and quickly act to correct them:
Container security
Container security may be a concern for many developers, but it’s actually not as complex as it seems. By implementing secure practices and using appropriate tools, it’s possible to achieve effective security quickly and efficiently.
To do this, OWASP provides valuable resources for ensuring container security, such as OWASP SAMM, which offers guidelines for ensuring security in various application scenarios, including container usage; and OWASP Docker TOP 10, which is a list of the top 10 container security vulnerabilities and how to fix them. By utilizing these resources, developers can ensure that their applications are secure from the beginning of development to deployment.
Authors:
Danilo Costa – Squad Leader
Evandro Pinheiro de Oliveira – Squad Leader
Gabriel Galdino – Developer Advocate
