Containing the application security problem

The benefit of containers for the easy, efficient and portable deployment of applications has become more and more apparent in recent years, especially where application development and delivery is continuous through a DevOps-style process. The trend has been helped by the availability of open source container implementations, the best known of which is Docker, and by proprietary application-virtualisation products such as VMware's ThinApp, which package an application together with its dependencies in a similar spirit.

Whereas a virtual machine carries a complete guest operating system, a container shares the host's kernel and carries only the user-space files, privileges and resources the application itself needs; for example, if a given application has no need to store local data, it can run with a read-only root filesystem and no writable volumes. This makes container-deployed applications portable, compact and efficient; many application containers can be deployed inside a single VM. There are also two big implications for application security.

The first is all about how secure the DevOps process and container-based applications are in the first place. Such development often relies on a series of pre-built software layers (base images and the packages added on top of them), about which the developer may know little; their security cannot go unchecked. Furthermore, when deployment is continuous, security checks must be too, built into the delivery pipeline rather than run as a one-off audit. This has led to the rise of new security tools focussed purely on container security. One start-up in this area that has been attracting recent attention is Twistlock.

Twistlock's Container Security Suite has two components. First there is image hygiene, the checking of container images before they go live: for example, scanning for known vulnerabilities, flagging the use of unsafe components and enforcing policy on what may be deployed. Twistlock has announced a partnership with Sonatype, a software supply chain company focussed on the security and traceability of the open source and other components that end up in containerised applications. Black Duck is another software supply chain vendor providing similar capabilities.
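To make the image-hygiene idea concrete, the following is an added example, written for this page and not code from Twistlock, Sonatype or Black Duck. It applies three pre-deployment rules (base image pinned by digest and not floating on `latest`, no download piped straight into a shell, no root user) to a Dockerfile, and checks the image's component inventory against an advisory feed. The Dockerfiles, the inventories, the advisory feed, the package names, the advisory IDs and the all-zero digest are all constructed placeholders, not real data.

```python
"""Image-hygiene gate for a container build (added example, constructed data)."""
import re

# Constructed advisory feed: package -> list of (fixed_in_version, severity, advisory_id).
# The package names and advisory IDs are placeholders, not real advisories.
ADVISORIES = {
    "libexample": [("1.2.5", "critical", "EXAMPLE-0001")],
    "toolkit":    [("3.1.0", "medium",   "EXAMPLE-0002")],
}

# Policy: findings at these severities block the deployment; the rest only warn.
BLOCKING_SEVERITIES = {"critical", "high"}


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_dockerfile(text):
    """Return a list of (rule, detail) findings for a Dockerfile; every rule here is blocking."""
    findings = []
    saw_user = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = arg.split()[0]  # drop an "AS stage" alias if present
            if "@sha256:" not in image:
                findings.append(("from-unpinned", f"base image {image} is not pinned by digest"))
            if image.endswith(":latest") or (":" not in image and "@" not in image):
                findings.append(("from-latest", f"base image {image} floats on 'latest'"))
        elif instr == "RUN":
            if re.search(r"(curl|wget)\b.*\|\s*(ba)?sh\b", arg):
                findings.append(("run-pipe-to-shell", "RUN pipes a download straight into a shell"))
        elif instr == "USER":
            saw_user = True
            if arg.strip() in ("root", "0"):
                findings.append(("user-root", "USER explicitly set to root"))
    if not saw_user:
        findings.append(("user-root", "no USER instruction, so the container runs as root"))
    return findings


def check_components(components, advisories=ADVISORIES):
    """components: list of (name, version). Returns (severity, advisory_id, name) for each hit."""
    hits = []
    for name, version in components:
        for fixed_in, severity, advisory in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((severity, advisory, name))
    return hits


def admit_image(dockerfile_text, components):
    """Gate decision: True only if no blocking finding was raised."""
    blocking = list(check_dockerfile(dockerfile_text))
    blocking += [h for h in check_components(components) if h[0] in BLOCKING_SEVERITIES]
    return len(blocking) == 0


# Constructed "before" Dockerfile: floating base image, pipe-to-shell install, runs as root.
BAD_DOCKERFILE = """\
FROM debian:latest
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY app /app
CMD ["/app/run"]
"""

# Constructed "after" Dockerfile: digest-pinned base (placeholder digest), no remote shell, unprivileged user.
GOOD_DOCKERFILE = """\
FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY app /app
USER 10001
CMD ["/app/run"]
"""

# Constructed component inventories, as a supply-chain scanner would produce them.
OLD_COMPONENTS = [("libexample", "1.2.3"), ("toolkit", "3.0.9")]
NEW_COMPONENTS = [("libexample", "1.2.5"), ("toolkit", "3.0.9")]

if __name__ == "__main__":
    for label, df, comps in (("bad", BAD_DOCKERFILE, OLD_COMPONENTS), ("good", GOOD_DOCKERFILE, NEW_COMPONENTS)):
        print(label, "admitted" if admit_image(df, comps) else "blocked")
        for finding in check_dockerfile(df) + check_components(comps):
            print("   ", finding)
```

The "bad" image is blocked on four Dockerfile findings plus a blocking advisory; the "good" image is admitted, and the remaining medium-severity hit on `toolkit` is reported but does not stop the deployment, which is the kind of policy decision the text describes.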

Second is run-time protection: detecting misconfigurations and potential compromises and, if necessary, preventing a container from being launched in the first place or killing running ones that are judged to have become unsafe. Twistlock has just announced a partnership with Google, where its suite is being closely integrated with the Google Cloud Container Engine. As Google pointed out to Quocirca, problems with deployed applications are inevitable; you have to have checks in place.

Of course, there is nothing new about checking software for vulnerabilities before deployment and scanning applications for problems after deployment. Broader software security specialists such as Veracode, WhiteHat, HP Fortify and IBM AppScan have been doing so for years, using the terms SAST and DAST (static and dynamic application security testing) for, respectively, analysing source code or binaries without running them and probing a running application for exploitable behaviour. However, they will need to catch up with the agility of those that have set out to protect the emerging requirement of the dynamic DevOps and containerised approaches. Twistlock and its ilk are potentially ripe acquisition targets as venture investors look for a return.

The second implication for security is that containerised applications can themselves improve software safety through their limited access to resources. If all an application needs to do is crunch numbers, then give it read access to its data on disk but no network interface; that way it can read the data but has no route by which to exfiltrate it, even when compromised. The same logic applies to capabilities, writable filesystems and system calls: grant only what the application demonstrably uses and deny the rest.
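The run-time protection described earlier and the least-privilege point made here share one mechanism, a statement of what the workload actually needs, so the following added example covers both. It is written for this page and is not Twistlock's or Google's code. A workload profile for a number-crunching job is turned into the `docker run` flags that deny everything else (`--network none`, `--read-only`, `--cap-drop ALL` and `--security-opt no-new-privileges` are real Docker options); the same profile is checked against a container's `HostConfig` fields (the field names `Privileged`, `CapAdd`, `NetworkMode`, `ReadonlyRootfs` and `PidMode` are those of `docker inspect` output, but the values here are constructed) to decide whether a launch may proceed; and constructed process-start events are compared with the executables the profile expects, to decide which running container should be killed. The image reference, the event format and the event lines are constructed placeholders.

```python
"""Run-time admission and least-privilege checks for a container (added example, constructed data)."""

# Constructed profile for a number-crunching job: reads input from disk, never talks to the network.
CRUNCH_PROFILE = {
    "image": "registry.example.invalid/crunch@sha256:" + "0" * 64,  # placeholder digest
    "network": False,
    "writable_root": False,
    "expected_exes": {"/app/crunch"},
}


def run_flags_for(profile, volume="input:/data:ro"):
    """Translate the profile into docker run arguments that grant only what it lists."""
    flags = ["docker", "run", "--rm",
             "--cap-drop", "ALL",                       # no Linux capabilities at all
             "--security-opt", "no-new-privileges"]    # setuid binaries cannot regain privilege
    if not profile["network"]:
        flags += ["--network", "none"]                 # no interface, so nothing to exfiltrate over
    if not profile["writable_root"]:
        flags += ["--read-only"]                       # the image filesystem cannot be modified
    flags += ["-v", volume, profile["image"]]          # read-only data volume, then the pinned image
    return flags


def launch_violations(host_config, profile):
    """Compare a HostConfig dict against the profile; an empty list means the launch is allowed."""
    problems = []
    if host_config.get("Privileged"):
        problems.append("privileged container")
    if host_config.get("CapAdd"):
        problems.append("adds capabilities: " + ",".join(host_config["CapAdd"]))
    if host_config.get("NetworkMode") == "host":
        problems.append("shares the host network namespace")
    if not profile["network"] and host_config.get("NetworkMode") != "none":
        problems.append("network enabled for a workload that needs none")
    if not profile["writable_root"] and not host_config.get("ReadonlyRootfs"):
        problems.append("root filesystem is writable")
    if host_config.get("PidMode") == "host":
        problems.append("shares the host PID namespace")
    return problems


def parse_exec_event(line):
    """Parse 'container=<id> exe=<path> ppid_exe=<path>' into a dict (constructed event format)."""
    return dict(field.split("=", 1) for field in line.split())


def containers_to_kill(events, profile):
    """Return the IDs of containers in which a process outside the expected set was started."""
    doomed = set()
    for line in events:
        event = parse_exec_event(line)
        if event["exe"] not in profile["expected_exes"]:
            doomed.add(event["container"])
    return doomed


# Constructed HostConfig fragments: a careless deployment beside the hardened form.
LOOSE_HOST_CONFIG = {"Privileged": False, "CapAdd": ["NET_ADMIN"], "NetworkMode": "bridge",
                     "ReadonlyRootfs": False}
TIGHT_HOST_CONFIG = {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"], "NetworkMode": "none",
                     "ReadonlyRootfs": True}

# Constructed process-start events from two containers; the second one spawns a shell.
EVENTS = [
    "container=c1 exe=/app/crunch ppid_exe=/sbin/docker-init",
    "container=c2 exe=/app/crunch ppid_exe=/sbin/docker-init",
    "container=c2 exe=/bin/sh ppid_exe=/app/crunch",
]

if __name__ == "__main__":
    print(" ".join(run_flags_for(CRUNCH_PROFILE)))
    print("loose config:", launch_violations(LOOSE_HOST_CONFIG, CRUNCH_PROFILE))
    print("tight config:", launch_violations(TIGHT_HOST_CONFIG, CRUNCH_PROFILE))
    print("kill:", containers_to_kill(EVENTS, CRUNCH_PROFILE))
```

The loose configuration is refused on three counts (an added capability, a network the job does not need, a writable root filesystem); the tight one passes; and only container `c2`, where a shell appeared under the crunching process, is marked for termination. The profile is the single source of truth for both the launch gate and the run-time detector, which is what keeps the two from drifting apart.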

Some have taken this approach to extremes; for example, two vendors, Bromium and Invincea, use a container-like approach to protect user endpoints. Bromium isolates every task on a Microsoft Windows device so that, for example, a newly opened web page cannot write a drive-by payload to disk, as it is never given the access it would need to do so. Some may question the overheads of doing this, but it certainly increases security. Menlo Security claims to keep such overheads down by containing just the higher-risk activities, such as opening emails and web pages. Another vendor, Spikes Security, focusses just on web browsing; its approach is to render pages inside containers on a proxy server and send only clean content on to the user.

Containerisation looks like it is here to stay, helping to enable continuous, agile software development. This throws up security challenges but also helps solve some of them.
