Bolting on security after the fact. It’s been a common approach to software security for decades.
We architect, build code, deploy it and then figure out how to secure it. From the parade of application-related breaches and data thefts over the last few years, we pretty much know this approach does not work.
Automated build pipelines give us the opportunity to include security checks in the build process, applying a range of tests so that every code check-in goes through a single process that validates the application for both functionality and security.
Static analysis, software composition analysis, dynamic analysis, custom tests for leaked keys and credentials, and other simple checks are available both commercially and as open source. They help us make the code itself secure and remove the need for some external security controls. These tools let you ‘look inside’ containers during the build process and validate their content and function, so the container has security built in regardless of where it is run.
Automation ensures these tests occur quickly and results are integrated into trouble-ticketing systems and source code control. Once validated, code is placed into secure registries. As a result, only trusted code makes it into production, thereby helping to avoid ‘pre-owned’ images from the Internet.
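As an added illustration of the credential check and registry gate described above (example code, not from the original post or from Tripwire), the following POSIX shell functions scan a source tree for hard-coded secrets and fail the build step when any are found. The regular expressions, the sample source tree and the `build_gate` report file are constructed for this example; a real pipeline would use a dedicated secret-scanning tool and forward the report to the ticketing system and the registry push step.

```shell
#!/bin/sh
# Added example: a CI build gate that scans a source tree for hard-coded
# credentials before an image is pushed to the trusted registry.
# Patterns and sample files are constructed for illustration only.

# scan_for_secrets DIR: print "file:line:text" for every suspicious line.
# Returns 0 when the tree is clean, 1 when at least one finding exists.
scan_for_secrets() {
    dir="$1"
    hits=$(grep -rnE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '([Pp]assword|[Pp]asswd|[Ss]ecret|[Tt]oken)[[:space:]]*[=:][[:space:]]*"[^"]{8,}"' \
        --exclude-dir=.git "$dir" 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_secrets DIR: print the number of findings (0 for a clean tree).
count_secrets() {
    scan_for_secrets "$1" | wc -l | tr -d ' '
}

# build_gate DIR REPORT: write findings to REPORT and return non-zero so the
# pipeline stops before the image reaches the registry.
build_gate() {
    dir="$1"
    report="$2"
    if scan_for_secrets "$dir" > "$report"; then
        echo "secret scan: clean, image may be pushed to the trusted registry"
        return 0
    fi
    echo "secret scan: FAILED, $(wc -l < "$report" | tr -d ' ') finding(s) written to $report" >&2
    return 1
}

# make_sample_tree: build a constructed source tree with a clean and a leaky
# variant and print its root directory. The AWS key ID is the documented
# AWS example value, not a real credential.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/app" "$root/leaky/app"
    cat > "$root/clean/app/config.py" <<'EOF'
import os
# Secrets are read from the environment at runtime, never hard-coded.
DB_PASSWORD = os.environ["DB_PASSWORD"]
EOF
    cat > "$root/leaky/app/config.py" <<'EOF'
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2hunter2"
EOF
    cat > "$root/leaky/app/deploy_key.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexamplebodyonly
-----END RSA PRIVATE KEY-----
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: sh gate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    build_gate "$root/clean" "$root/clean-report.txt"
    build_gate "$root/leaky" "$root/leaky-report.txt" || echo "build blocked"
fi
```

In a pipeline, `build_gate ./src secret-report.txt` runs as the step between the build and the registry push; its non-zero exit code is what keeps an image with embedded credentials out of the trusted registry, and the report file is the artifact to attach to the ticket.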
Containers are not commonly considered an advancement for security. With the move to micro-services, we are breaking monolithic applications down into simpler components that are easier to manage and easier to scale. An application essentially becomes a collection of loosely coupled services.
Containers are an ideal medium for this conversion, as they let us wrap a simple service into a consistent unit of delivery. If you think about it, this helps with security, (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/devops/container-security-docker-kubernetes/