Introduction
Over the last decade the industry has seen a shift from traditional application deployment to a faster Continuous Integration/Continuous Delivery (CI/CD) approach that is causing significant challenges for security teams. These threats on new services, including Containers, Serverless Functions, APIs (Application Programming Interfaces), Source code, Infrastructure-as-Code, and other PaaS (platform as a service) services, differ from what teams are used to with typical server environments. Understanding these new threats and vulnerabilities in the application development process is becoming critical as the adversaries' understanding of the development lifecycle is increasing and making applications more vulnerable.
One of the new services mentioned above, containers, has become a major part of cloud native application development. A container is a standalone package of software files that contains everything you need to run an application, including the application’s code, dependencies, library, runtime, and system tools. Because of this, containers have made application development simpler, faster, and much more powerful. To manage containers, Kubernetes, an open-source platform, is used to make it easy to build an automated set of processes such as application development, deployment, and management.
Despite the benefits of using containers, security teams are being tasked with the new challenge of securing these new cloud-native applications. Unlike traditional compute environments, containerized applications are elastic, spawn, die and re-size rapidly. The container images are immutable, and containers are short-lived, meaning that vulnerabilities are required to be fixed early in the delivery pipeline. To fully secure containerized workloads, a team must secure the containers and the code running within them, software dependencies and libraries, CI/CD pipelines, runtime, and everything in between. The end goal of container security should be to have zero vulnerabilities in running deployments as outlined in Figure 1 below.
Figure 1. Container Pipeline Security
How Does the CI/CD Development Process Work?
Understanding how these development tools work together is vital in understanding how to secure the end-to-end development process, e.g., Pre-Deployment, CI/CD Integrations, Runtime protection. There are many methodologies such as the Microsoft Security Development Lifecycle. Many of these methodologies follow a pattern of using source code management/visual code tools such as GitHub or Azure DevOps to store the source code and is part of the pre-deployment stage. The most common next step is checking the image into things such as a Container Registry. The integration of connecting the pre-deployment stage to the runtime stage is the CI/CD integration. The next step is the runtime piece or the container registry which is a repository that can connect directly to a container orchestration platform including Kubernetes. Kubernetes allows for the automation of deployment, scaling, and management of containerized applications.
Understanding threats and vulnerabilities in the Build and Ship Stage
IaC is code that organizations use to deploy services in a repeatable preconfigured manner, e.g., a server configured a specific way, containers that reside in certain locations, databases sized a specific way, etc. One common vector that adversaries are attacking is the Infrastructure as Code. If attackers can compromise the code that deploys the infrastructure, then they have the capability to introduce new vulnerabilities.
Source code security has come to forefront of security because it is the start of the CI/CD process where threats and vulnerabilities can be inserted. An example of this type of attack was “Apache Struts”. This was a free, open-source framework for creating Java web applications. It had a vulnerability that allowed for remote code execution. Apache Struts was a widely used framework and resulted in many organizations being vulnerable to this type of attack.
Additional areas of concern include developer code that has secrets or credentials that are publicly exposed. Leaving secrets or credentials in code can result in malicious activity such as SQL injections to be successful.
How Do We Protect Against Build Threats?
Implementing protections in the CI/CD pipeline can be challenging and will require organizational changes. The security team needs to be more involved in the earliest stages of application development, including at the building stage. The industry term for this process is referred to as DevSecOps or Shift-Lift. Securing source code requires looking at potential vulnerabilities and whether secrets are exposed in the code could allow malicious activity and validating that safe dependencies are being used. This is where tools such as GitHub’s Advanced Security piece become a vital part of the overall development process.
GitHub’s Advanced security services include a “Dependabot” which looks for vulnerable dependencies or malware in repos. Also included is a tool called “Secret Scanning” that scans repositories looking for known types of secrets, then it alerts developers or block usage of the secrets to prevent fraudulent use. GitHub Advanced Security is included with GitHub Enterprise.
Understanding Deployment and Runtime Threats
Threats in Kubernetes environments can come from six primary areas:
The various threats that Kubernetes environments are subject can be found in Figure 2 below:
Figure 2. Kubernetes Threats
Securing Container Deployment and Runtime
Container deployment refers to the phase of the lifecycle where container images are pulled from the static container registry to be run on virtual machines hosts. During deployment, you should ensure you are following the best security practices listed here:
Container runtime refers to the phase of the lifecycle where containers are running on the virtual hosts. During runtime, the following best security practices are recommended:
How Defender for Containers Can Help
Understanding the attack surface of containerized environments is the first step of building security solutions for these environments. Microsoft Defender for Cloud can help you protect your containers environment from build to deployment to runtime with the best security practices listed in this article.
Microsoft Defender for Containers is a plan within Microsoft Defender for Cloud that offers a cloud-native solution to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications whether they are running in Azure Kubernetes Service, Amazon Elastic Kubernetes Service, Google Kubernetes Engine, or any other Cloud Native Computing Foundation (CNCF) certified cluster. This plan helps you achieve the core aspects of security within the build, ship, deployment, and runtime phases of the container lifecycle:
Build/Ship
Deployment/Runtime
For a single view and deep visibility into the protections that the Defender for Containers provides, you can leverage the new Containers Security Mapping Dashboard.
More Information
To learn more about how Defender for Containers can help you achieve container security with zero vulnerabilities from build to runtime, please leverage the following sources:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.