8 tips for securing containers from source to runtime
Sarah Conway
August 24, 2022
Today we’re announcing a new container security cheat sheet and report — created in collaboration with our partner Sysdig.
In this post, we’ll outline tips to help you successfully navigate the challenges of container security with a focus on three core principles:
Build secure from the start
Protect against runtime threats
Prioritize security alerts that matter
Traditional security approaches are incapable of handling the distributed and ephemeral nature of containers. A different approach is emerging that focuses on secure code, runtime scanning, and threat prioritization. Here are 8 best practices for implementing this modern approach to container security:
1. Code security
Source code is where developers have the most control, so application security should start at home. Source code scanning tools that spot issues early in development and provide ongoing code monitoring offer an efficient way to accomplish this. By working directly with the tools that developers use day in, day out and integrating security scans into existing workflows, developers can automate the process of finding and fixing issues.
2. Open source security
Open source code introduces security risks since you’re relying on other developers to maintain the package. To mitigate these risks, developers need to be able to identify and fix issues in the packages they’re consuming. Software composition analysis (SCA) tools help developers track their dependencies and flag known issues by checking each package against a vulnerability database.
3. Image security
Containers provide a standardized way to package applications, but container images themselves can be a source of vulnerabilities. Image security requires:
Identifying a trustworthy, minimal base image that provides the functionality needed without extra bloat
Automatically scanning images in the CI/CD pipeline
Monitoring running containers for newly discovered vulnerabilities or updates
4. Runtime security
Containers are opaque and 44% live less than five minutes, so securing running containers can be tricky. Look for a runtime security tool that:
Monitors containers in a lightweight way (such as using audit logs)
Delivers insights and context about security events
Allows you to automate policies and response actions
5. Network security
Enterprises are increasingly moving to a zero-trust approach to network security, but classic firewall approaches fail in dynamic, cloud native environments. Network security needs to go beyond the physical communication layer and use native controls like Kubernetes Network Policy. Look for solutions that allow you to:
Map network topology
Establish baseline policies
Automate new policy generation
6. Kubernetes and cloud security
Infrastructure as code (IaC) often introduces misconfigurations. End users often make configuration changes that make tasks easier to carry out but are not secure, and default configurations might not be in line with organizational security protocols.
IaC security focuses on detecting and fixing these configuration issues as early as possible, often using a policy engine such as Open Policy Agent (OPA) for governance and compliance.
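As an added example (not from the post, and not Snyk, Sysdig or OPA code), a small Python policy check of the kind an IaC scanner or an OPA policy would run over a Kubernetes Pod manifest before it reaches a cluster; the manifest is a constructed sample and the rules are illustrative.

```python
import json

def image_is_pinned(image: str) -> bool:
    """True when the reference cannot silently change: a digest, or a tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]   # drop registry/namespace, which may contain a port
    tag = last.partition(":")[2]
    return bool(tag) and tag != "latest"

def check_pod(pod: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means the manifest passed."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork shares the node's network namespace")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        # pod-level securityContext applies unless the container overrides it
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} is not pinned to a tag or digest")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings

# Constructed sample manifest (JSON form, which Kubernetes accepts alongside YAML);
# the "app" container deliberately carries the misconfigurations the rules look for.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {"hostNetwork": true,
          "containers": [
            {"name": "app", "image": "example/app:latest",
             "securityContext": {"privileged": true}},
            {"name": "sidecar", "image": "example/proxy:1.4.2",
             "securityContext": {"runAsNonRoot": true, "privileged": false},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]}}
""")

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print("FAIL", finding)
```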
7. Vulnerability prioritization using runtime signals
Developers can be overwhelmed by the number of vulnerability alerts they receive from security and operations teams. By identifying the software packages that are actually executed in the running containers, developers instantly eliminate up to 95% of the vulnerabilities they would otherwise have to consider.
8. Security from code to runtime with Snyk & Sysdig
Snyk finds and automatically fixes vulnerabilities in your code, open source dependencies, containers, and IaC. Purpose-built to work with the processes and tools developers use every day, Snyk cultivates a collaborative security approach that scales and aligns with the iterative DevOps model, even as security teams remain lean and stable.
Snyk and Sysdig integrate to help developers secure code and containers in development, protect the runtime Kubernetes environment, and deliver feedback and visibility from production back to developers, eliminating the noise of container vulnerabilities.
Want to dive deeper? Check out the full checklist, “Container Security from Code to Runtime,” on securing containers from within the development pipeline.