Securing the Build Environment: A ‘Critical’ Component of Container Security

As I noted in a previous article, the build environment is a key area on which organizations should focus their container security efforts. Companies don’t usually think of the build environment when it comes to securing their containers. But it’s critical that they do.

Attackers can exploit development practices like Continuous Integration (CI) and Continuous Deployment (CD) to infiltrate the build environment, a setting which is typically less secure than production. There they can alter code or add new containers consisting of malware.

To defend against these threats, organizations need to adopt security solutions that do not limit the usefulness of containers. They also need to focus on both elements of build pipeline security: application security, which involves testing code and containers for conformity with security and operational best practices; and tool security, which consists of evaluating the resources necessary for building and deploying applications.

Below are four elements that incorporate all of the above-mentioned criteria. In so doing, they help organizations maintain build security as a critical component of their container security.

Secure Code Control

Source code control is commonplace, with Stash, Git and GitHub some of the most well-known variants. Personnel in security, operations and quality assurance frequently contribute code, tests and configuration data, so it’s important for organizations to take secure code control seriously. They can do so by running all traffic through a VPN and requiring two-factor authentication (2FA) if not token- or certificate-based authentication for administrative access.

Build Tools and Controllers

Tools like Bamboo and Jenkins give developers many different types of pre-, intra- and post-build options. But such flexibility comes at a cost to security. Fortunately, organizations can protect their tools and controllers by limiting access to them and fully segregating build controller systems on their own networks. They should also consider locking (Read more...)