Security Experts:

Misconfiguration a Top Security Concern for Containers

Report Demonstrates that Security Needs to be Included in Containerization

Although the acceptance and adoption of containers within DevOps is growing, concern over their security remains strong. Thirty-five percent of respondents to a new survey believe their company does not adequately invest in container security, while a further 15% don't think their company takes the threat to containers seriously.

The survey (PDF) was undertaken by StackRox among 230 IT staff -- almost half of whom identify IT security as their primary role. More than 45% are employed in companies with more than 10,000 employees, while 58% are employed in either the fintech or technology sectors. The StackRox inaugural report, 'The State of Container Security', found that most organizations feel unprepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes. 

Docker is the most popular container runtime, used by 189 of the respondents. Kubernetes, originally developed by Google, is the most popular container orchestrator, used by 122 of the respondents. Docker Swarm is the second most popular orchestrator, used by 93 of the respondents primarily from the larger organizations with 5,000 or more employees.

Forty percent of the respondents operate their containers in a hybrid environment -- both on prem and in the cloud. Twenty-eight percent are cloud only, while a surprising 32% are on premise only. Of those containers in the cloud, 118 of the respondents use AWS, 56 use Azure, and 39 use Google Cloud Platform. "This ranking would be a bit surprising given Google's industry leadership in container usage and Kubernetes," comments the report, "but is less surprising given the dominance of large enterprises in our survey pool."

Misconfiguration within the orchestrator is the biggest security concern at 54% of respondents. These concerns cover both the Docker containers and the Kubernetes orchestrator, Wei Lien Dang, VP of products at StackRox, told SecurityWeek. "Among the best known 'container attacks' are the Tesla cryptomining incident on AWS and the Shopify published vulnerability around metadata. Both of those issues stemmed from misconfiguration of the orchestrator."

In February 2018 it was disclosed by RedLock that a Kubernetes container run by Tesla on AWS had been hijacked and used for cryptomining. Once discovered, Tesla was able to lock down its servers within a day. It's not that Kubernetes cannot be made secure, it is the complexity and granularity of required access to containers that becomes difficult -- and it is this that leads the survey respondents to be concerned about misconfigurations.

"The security challenge for Kubernetes is not the access directly to the platform to log in and launch an attack," explains Wei Lien Dang. "Rather, it's that Kubernetes often accidentally gets configured with exposed pieces -- the dashboard, for example, or the metadata will be accessible, and itís via those misconfigurations that attacks can happen."

This is exacerbated by the tendency for containers to be under the aegis of DevOps, and for DevOps to not necessarily include security team involvement.

"The group using containers and configuring Kubernetes most often is DevOps," he continued. "The challenge is for the Security team to be involved in setting the policies and guidelines for securing that infrastructure. The goal of any container security solution should be to help Security bridge into the DevOps world -- providing the security oversight and guidance but leveraging the tooling and processing of DevOps."

Like many powerful platforms, StackRox believes that Kubernetes is best served with an abstraction layer on top. StackRox acts like that security abstraction layer highlighting misconfigurations and pinpointing risks like unnecessary open communications paths that leave assets at risk. 

Commenting on the findings of the survey, Mark Bouchard, co-founder and the COO at research and consulting CyberEdge Group, said, "Human error has been responsible for creating the majority of security risks in every wave of infrastructure change, and it's no different with containers and Kubernetes. It's crucial that the security tooling for this infrastructure automatically flags the most well-known misconfigurations across the full ecosystem."

"StackRox helps with both asset management -- simply identifying the breadth of containers deployed -- and securing the containers and Kubernetes environments," explains Wei Lien Dang. "The StackRox Container Security Platform helps secure the images themselves and assess risk during the build process, harden the environment and reduce the attack surface during the deploy phase, and find and stop malicious activities during the runtime phase. The tight integration between the StackRox platform and Kubernetes and the container ecosystem enables security be operationalized across the entire life cycle."

This would be best managed by the security team. Concern over the security of containers should be the spur to transform company DevOps into company Security DevOps.

"The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprisesí container strategies," said Kamal Shah, StackRox CEO. "Containers provide a natural bridge for collaboration between DevOps and security teams, but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise."

Founded in 2014 and headquartered in Mountain View, California, StackRox raised $25 million in Series B funding in April 2018, bringing the total raised to date by the company to more than $39 million.

Related: More Than 21,000 Container Orchestration and API Management Systems Exposed to the Public Internet 

Related: Microsoft Patches Critical Flaw in Open Source Container Library 

Related: Code Execution in Alpine Linux Impacts Containers 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.