Container security: A refresher
Container security entails securing containerized applications against potential vulnerabilities using various security tools and practices. With the growth in cloud-native applications, there has been a spike in the number of associated vulnerabilities, and since containers serve as the building blocks of these applications, container security has become a top priority.
In response, organizations are focusing on tightening their security posture with advanced tools and practices, which serve as the focus of this post.
What is a container threat model?
A threat model is the result of identifying potential threats and proposing actions to mitigate them. In the context of containers, no one model covers all potential threats. It depends on your environment and the software you host. However, it’s possible to create a threat model by identifying the most common vulnerabilities.
Figure 2 highlights some common attack vectors for containerized apps: vulnerable code, compromised container images, badly configured runtime/orchestrator, secret exposure, insecure networking, and container escape.
Also, it’s worth mentioning that container platforms are never regarded as secure by default. This means that every time you set up a container environment, the first step is to activate necessary security measures.
Advanced Container Security Best Practices [Cheat Sheet]
What's included in this 9 page cheat sheet? 1. Actionable best practices w/ code examples + diagrams 2. List of the top open-source tools for each best practice 3. Environment-specific best practices
Download PDF
Options available for container security
Default security measures in container environments, like those provided by Docker and Kubernetes, offer a foundational level of security, but they often aren't enough. This eventually leads to a company having to integrate external tools to add additional layers of protection and flexibility.
Among the available security tools, open-source tools are widely adopted because they have several benefits including more transparency, cost-effectiveness, and the ability to customize.
As seen in the diagram above, open-source tools can be categorized into eight groups based on the container threat model discussed earlier. The following sections will dive into the most popular tools for each of these groups, with solutions categorized based on their primary specialization. However, keep in mind that the tools included below can often be multipurpose and offer features that span across multiple categories of container security.
Note: We’ll only be covering active open-source projects, as some popular tools are no longer maintained or are not under active development (i.e., Anchore Engine, kube-hunter).
Image scanning/vulnerability assessment tools
These container security solutions are dedicated to inspecting container images and identifying known vulnerabilities within them.
Clair
Clair scans container images for known vulnerabilities listed in databases like the Ubuntu CVE tracker and the Common Vulnerabilities and Exposures (CVE) database. When it comes to container image scanning, the easiest way is to scan the images within the registries (e.g., Docker Hub). However, this comes with limitations, for example, currently for Docker Hub, scanning is only available in private repositories.
Clair comes in handy because it allows both local image scans as well as point-and-shoot scans for images stored in registries. Scanning images locally is helpful mostly in CI/CD pipelines, where you can either push the image to the registry or break the build. On the other hand, the point-and-shoot method directly scans images hosted in registries before pull. This requires Clair and Docker Hub integration, which can be easily performed using the tool Klar.
Trivy
What’s special about Trivy is that it offers more comprehensive scanning capabilities, including images, filesystems, Git repositories, virtual machines, Kubernetes, and cloud services. Trivy also provides configuration auditing and compliance scans.
Trivy has become popular with devs, as it offers an array of functionalities and is easy to use—no need for extensive configuration. Also, it was developed by Aqua Security, a company focused on cloud-native security tools that boasts a whopping 202 open-source repositories on GitHub.
Grype and Syft
Both Grype and Syft were developed by Anchore for two distinct purposes. Grype primarily scans container images and filesystems. It also supports scanning software bills of materials (SBOMs). An SBOM provides a database of all the metadata, components, libraries, and packages that make up a container.
While not a scanning tool, Syft generates SBOMs, which help identify affected components present in the software, thereby assisting with vulnerability management.
Container Security Best Practices
8 no-brainer container security best practices + the key components of container architecture to secure
Read more
Configuration & compliance
Configuration and compliance tools focus on ensuring that containers and container orchestration systems like Kubernetes are configured correctly and comply with security best practices and regulatory standards.
Cloud Compliance: A Fast-Track Guide
Cloud compliance is the series of procedures, controls, and organizational measures you need to have in place to ensure your cloud-based assets meet the requirements of the data protection regulations, standards, and frameworks that are relevant to your organization.
Read more
Kube-bench
Kube-bench, another open-source tool out of Aqua Security, checks the security of your Kubernetes clusters based on the well-established CIS Kubernetes Benchmark. Once the automated checks are completed, you will get a "pass" or "fail" (Figure 4).
Hadolint
You need a Docker file to make a Docker image, and Hedolint is a linter for writing Docker files. It applies rules derived from the Docker community and best practices from experienced Docker users.
Policy management & enforcement
Policy management and enforcement tools are centered around creating, managing, and enforcing security policies across containerized environments. They help in automating governance and making sure security rules are applied consistently.
Kyverno
Kyverno was designed for the popular container orchestrator Kubernetes. It primarily works as a policy engine, with policies written in YAML, to ensure that the deployed containers and Kubernetes resources meet an organization's security, compliance, and operational standards.
Open Policy Agent (OPA)
OPA is a more general-purpose policy engine, not specifically designed for Kubernetes, that can be used across a wide range of software systems.
Note: Policies need to be written in the high-level declarative language Rego. This means OPA has a steeper learning curve compared to Kyverno, but it also comes with more power and flexibility for writing nuanced policies.
Secrets management
Tools for managing secrets are designed to ensure that any sensitive information (e.g., passwords, tokens, SSH keys, certificates) is stored securely, including proper access control.
Hashicorp Vault
Hashicorp Vault is one of the most trusted open-source tools, with over 500 million downloads and around 30,000 stars on GitHub. It’s widely adopted across the world’s largest organizations. Why? Because Vault addresses the pain point of storing and managing secrets by providing a secure centralized platform. Also, it helps with compliance by managing detailed audit logs for any access to and operations on secrets. Vault’s enterprise version for commercial use provides additional security and extended features like easy deployments, disaster recovery, namespace support, etc.
Network security
Network security tools focus on securing the communication channels between containers and services. They enforce networking policies and provide capabilities like network segmentation, firewalling, and traffic control to prevent unauthorized access and to ensure that data in transit is secure.
Project Calico
Like some of the other tools, Calico also has both open-source and enterprise versions. The open-source version offers core networking and network security capabilities for containerized environments, especially Kubernetes. Its feature set includes network policy enforcement, IP address management (IPAM), egress control, and namespace segregation.
Cilium
Cilium is not just a network security tool; it’s a comprehensive networking solution for containerized environments that provides advanced security, observability, networking, and, most recently, service mesh features. Cilium is fully open source, but for large-scale commercial projects requiring commercial support, they provide Cilium Enterprise.
Cilium is built on top of the extended Berkeley Packet Filter (eBPF), a Linux kernel technology that allows programmability for operating systems.
Runtime security and intrusion detection
Runtime security and intrusion detection tools focus on monitoring and protecting containerized apps during execution/in real time.
Falco
Falco monitors and uncovers threats in cloud ecosystems. It’s primarily used for intrusion detection, compliance assurance, and behavior monitoring for containerized apps.
The Container Security Buyer's Guide
Ensure the container security solutions you're considering can deploy the full set of capabilities required to secure the entire CI/CD lifecycle.
Download Now
Security orchestration
Security orchestration tools are designed to automate the integration of various security tools and processes. They coordinate and streamline the execution of security tasks, improve response times to incidents, and enable more sophisticated security analytics and reporting.
Harbor
Harbor is a popular container image registry initially developed by VMware and later donated to the Cloud Native Computing Foundation (CNCF). It extends the standard features of a container registry to security, compliance, and management.
Compared to container registries like Docker Hub, Harbor offers more comprehensive security controls, including role-based access control (RBAC), policy-driven vulnerability scanning, and image signing and verification.
Other security tools
Not all tools fit neatly into the above seven categories. Kubesec, Notary, Greenbone OpenVAS, Grafeas, and Wazuh all offer their own unique capabilities or serve specific niches within the wider arena of container security.
Wiz's approach to container security
While the open-source tools outlined above offer a range of capabilities to secure containerized environments, organizations looking for a more comprehensive, integrated solution may consider exploring Wiz's container security offering. Wiz's container security solution stands out by providing a unified platform that seamlessly integrates with existing container ecosystems, offering deep visibility, and proactive security across the entire container lifecycle.
Key Advantages of Wiz's Container Security Solution:
Comprehensive Coverage: Wiz goes beyond the typical functionalities offered by open-source tools by providing extensive coverage across all stages of the container lifecycle from development through deployment to runtime. This ensures that vulnerabilities are identified and mitigated before they can be exploited, regardless of where they occur in the container environment.
Deep Visibility and Contextual Analysis: Wiz offers deep visibility into the container environment, including detailed insights into container images, configurations, and runtime activities. This visibility is enhanced by contextual analysis, allowing security teams to quickly understand the scope and impact of potential vulnerabilities or misconfigurations, prioritizing issues based on actual risk.
Container Runtime Security: One of Wiz's standout features is its robust protection of container runtime environments. Wiz monitors container activities in real-time, utilizing advanced detection algorithms to identify and mitigate threats as they occur. This proactive stance on runtime security ensures that any malicious activity or anomaly is quickly detected and addressed, minimizing potential damage and ensuring continuous security.
In summary, while open-source container security tools provide valuable capabilities for addressing specific security concerns, Wiz offers a holistic, integrated solution that addresses the complexities and challenges of securing containerized applications in today's dynamic and evolving threat landscape. By choosing Wiz, organizations can benefit from advanced security features, streamlined operations, and a more robust defense against the full spectrum of container-related security threats.
Learn why CISOs at the fastest growing companies use Wiz to uncover blind spots in their containerized environments.
