Container Security Basics: Conclusion

  Jordan Zebor

  Lori MacVittie

Published August 07, 2019

If you're just jumping into this series, you may want to start at the beginning: 
Container Security Basics: Introduction
Container Security Basics: Pipeline
Container Security Basics: Orchestration
Container Secuirty Basicis: Workload

We’ve gone over a lot of material in this series of posts on container security and it’s time to kick back and summarize. 

At this point, you’ve probably noticed some common security themes across this topic. While there are a number of security issues that are specific to containers – like those dealing with configuration and images – most of the basics for container security are techniques you’ve used elsewhere to secure traditional apps and infrastructure. Although the notion of a separate, isolated “management network” is largely disappearing, the use of strong credentials and least privilege security models is not. 

  • Lock the door. Authentication is not optional. Be sure to require strong credentials and rotate them often. Use two-factor authentication whenever possible – especially for privileged access to orchestration consoles and critical infrastructure.
  • Hide your valuables. Don’t inadvertently share secrets (like keys and credentials) out in the open in a repository or easily accessible, shared source.
  • Screen your calls. Not all requests are valid, and some are carrying malicious code. Whether it’s an app or an infrastructure service, inspect and evaluate content for malicious intent. Optimize by consolidating the scan with SSL/TLS termination to offset the slight performance hit. 
  • Patch the holes. If you know an image, service, workload, or other component is vulnerable, patch it. This is especially true for vulnerabilities in externally sourced components because they are high profile targets. This is because it’s a rich field of opportunities when a vulnerability shows up in commonly deployed applications or infrastructure like Apache Struts and requires little investment by an attacker to find and exploit.

We hope this series has been worth the time to read. We know there’s a lot more to cover when it comes to containers and security, but you have to start somewhere.

So, start with the basics. But most of all, start now if you haven’t. As Jordan says, “Customers don’t ask for security, they expect it.”

That’s true of any business, digital or physical. Customers expect security. Don’t disappoint them, and you’ll be on your way to success in this digital and increasingly containerized economy. 

Stay safe.