BLOG – Container Orchestration in DevSecOps

February 12th, 2022 BLOG – Container Orchestration in DevSecOps
Farhan Hussain
VP, Hybrid Cloud Practice

 

Containers use a fraction of the bytes that a Virtual Machine does. They take only seconds to deploy and need far fewer resources too. So, it’s no wonder that 70 percent of developers now use a container orchestration platform. And it’s no surprise that they can release applications and remediate issues faster as a result.

While not a brand-new technology, container orchestration is fast gaining maturity. And given it impacts multiple teams, successful implementation requires cultural and operational change. This is especially true when you look at security, which is no longer isolated to the deployment end of the development lifecycle.

To get the most out of your container orchestration, you need to integrate security earlier into the process. But to understand how and why, let’s first take a closer look at how containers work.

What are containers and container orchestration?

 

Containers are packages of software that include all the necessary resources to build and run software processes, microservices, and applications. Container orchestration then automates their operation so that a development team can manage all stages of the container’s lifecycle from any virtual environment.

Because containers are more lightweight than Virtual Machines (VMs), teams can operate dozens of them at the same time. And because containers isolate processes rather than workstations, they can share data for more intelligent development.

And it’s this capability that impacts security.

Containers and their security challenges

 

One of the main benefits of containers is their ability to share resources. Unfortunately, this can cause them to expose each other to vulnerabilities. So, if one container gets breached, a whole cluster can be at risk.

The more processes you have, the larger the attack surface will be. As such, you need to limit communication between containers. And this gets challenging when they’re already up and running.

To benefit from the agility of containers and keep your network safe, you need to apply a security strategy at the very start of your development. And this needs all teams across your organization to get on board. You then need to bake this strategy into every stage of your software development lifecycle (SDLC), so you’re preventing risks rather than just dealing with issues when they arise.

4 container security best practices

 

The use of containers affects all teams across the development space. It creates more agility for developers while enabling more frequent QA testing. Containers also ease the burden for operations thanks to their small size and ability to run in any environment.

Moreover, the right strategy can enhance the security of your development process from the start and ensure a better end product as a result.

Let’s look at four best practices to help you do this.

1. Shift application security left

 

Because containers are small and can run from any virtual environment, they’re a popular choice for developers. But they can expose networks to vulnerabilities. And when your security team steps in to address them, projects can end up with bottlenecks.

Shifting application security left means embedding security into your SDLC. This requires a cultural shift as it relies on frequent input from teams across the organization. Security and QA teams, for instance, will run tests and analysis often. Then they can provide feedback to the operations and development teams and allow everyone to remediate issues early on.

2. Secure the container

 

If you’re seeking to embed security into your SDLC, securing the container is crucial. Namespaces will segregate your resources, controlling what each container accesses with specific IDs.

Cgroups will then give you granularized control over the resources within the containers. They allow you to organize processes into hierarchical groups, so you can monitor resource use. You can, for example, configure a cgroup to control how much memory a process uses, or even freeze all the processes within a particular cgroup.

That said, you’ll need to integrate detective measures for container security too. Frequent image scanning will allow teams to identify any secrets in your images such as passwords and API keys so you can take measures to protect them.

3. Secure the infrastructure

 

Container orchestration was not designed with security in mind. To control access to your containers, it might be necessary to deploy an external user database. Once you’ve done this, there are a couple of simple measures you can take:

  • Implement the Principle of Least Privilege. This will limit container access to only those who need it. You can apply controls according to a user’s role, their location, or even the time of day they’re attempting access.
  • Whitelist behavior and processes. Using heuristics, you can establish the exact hash and code that your developers are executing. In this way, you can create and whitelist a list of known processes and identify abnormal behavior.
  • Centralize and monitor. Identifying a breach will be next to impossible if you don’t know who should be accessing your containers in the first place. Creating a storage system for your secrets will put them upfront, enabling you to manage and monitor them from a centralized location.

 

4. Use automation

 

In the development space, the number of containers can quickly expand. This can make their security difficult to manage.

This is where you can use automation along with your container orchestration platform.

Automate scanning

As we’ve already mentioned, it’s crucial to scan images to expose vulnerabilities and identify secrets. If you integrate automated scanning into your CI/ CD pipeline, a new image getting pushed into your registry can trigger a scan. This will ensure that images containing vulnerabilities don’t run and allow you to address threats faster.

Automate patching

With containers, you patch the images in your registry rather than the container itself. This means that you can roll out the patched image as one unit, and that this becomes synonymous with your code rollout process.

Triggering an automated response to a container dying will spin up another one and roll out the patches into your infrastructure. As containers have a short shelf life, this can be a frequent occurrence, making full patching across your system quick and painless.

Automate policies

Defining parameters to detect unusual patterns is vital. But it’s unreasonable to expect developers to have the time to do this, especially with new images getting pushed into the registry so often.

Establish a baseline of acceptable behavior, then train a Machine Learning program to scour your audit logs and flag abnormal behavior. This will also enable you to identify threats in real-time and mitigate any damage more quickly.

Streamline security in your SDLC

 

Containers and container orchestration deliver more opportunities for innovation in the development space. But without the right security baked into your SDLC, your projects and infrastructure will be at risk.

Knowing how to use your container orchestration platform to your advantage will enable you to streamline your security. Integrating it into your agile development process then means faster release times of better end products. Our four best practices give you a roadmap to follow, but if you need further guidance, just reach out.

Axcelinno, LLC was acquired by Mainline Information Systems on January 31, 2023.

Mainline