As most security pros know, application containers — Docker, rkt, etc. — and the orchestration elements employed to support them, such as Kubernetes, are used increasingly in many organizations.
Often the security organization isn’t exactly the first stop on the path to deployment of these tools. (If it was in your shop, consider yourself one of the lucky ones.) Instead, usage tends to emerge from the grass roots. It starts with developers using containers on their workstations to streamline unit testing and environmental configuration; builds traction as integration processes adapt to a more “continuous integration” approach facilitated by containers; and ultimately gains acceptance in the broader production landscape.
In short, as is often the case, many security pros find out about the usage when their organization is already waist-deep in it.
This puts security practitioners in a bit of a rock-and-a-hard-place situation. Not only do we need to secure the container runtime and orchestration environments — we need to do so at the same time that we provide assurance for the applications, supporting libraries, middleware components, etc., stored inside those containers.
We need to do all of this without sacrificing the quality or rigor of efforts in other areas, while building expertise on the nuances of the different container engines, orchestration environments, microservice architecture approaches, and cloud technologies that support their use.
Sound challenging? You bet it is.
This means that security pros — particularly those on the more technical end of the spectrum — need every advantage they can get when it comes to securing containers. Any “force multiplier” helps: automation, discovery and visibility tools, better monitoring, etc.
There are numerous commercial tools out there that can help in these areas (and in many others), but sometimes you need help right now. You may not be able to wait for a budget cycle to buy a tool off the shelf. In that case, open source options can provide an on-ramp without waiting for budget.
What’s in That Container?
Now, there are a few open source tools that are making a splash in the container security world, but the one I’ll focus on here is Anchore Engine, which targets a challenge many organizations have: specifically, unpacking, validating, and providing assurance for container contents.
Anchore Engine is an open source (Apache License 2.0) project that can help you in two ways, out of the box. First, it will give you an analysis of what is inside a given container. This includes providing an inventory of software — both operating system components and supporting packages — and artifacts like JRE versions, intermediate libraries, etc.
“Anchore Engine is an open source tool for performing deep inspection of container images,” said Ross Turk, Anchore VP of marketing. “These images can contain a whole lot: operating system packages, language libraries, credentials and secrets, and configuration that affects how the resulting containers are executed. Anchore Engine flattens and unpacks the image, layer by layer, and inventories what’s inside.”
This information is valuable not only because it provides information on what software may need to be updated in the event of security patches or updates, but also because it gives you visibility into the implementation of applications and services before, after, or during their release into the production environment. It can inform software architecture reviews, threat modeling, conversations about secrets management, audit activities and design reviews, among other things.
It’s also useful because it can help you understand where issues might be in individual containers. For example, you can use it to analyze what vulnerabilities (categorized by CVE number) are present on the container by virtue of the software installed.
In a way, it’s similar to getting vulnerability scan results for your containers; however, unlike vulnerability scanning, the container doesn’t need to be “live” to gather this information. So if you have a serialized container (for example stored in a registry or on a developer’s workstation), you still can gain information about what vulnerabilities might impact the software on those containers.
Integrating Into Your Environment
There are, of course, numerous other tools that do similar things — some commercial, some open source. Regardless of whether you are already planning for or evaluating other options to do this, one advantage that an open source option provides (and where Anchore Engine excels) is that you can kick the tires and get started right away.
There are two advantages to this. First, there is immediate security value without the need to wait for a budget cycle or a lengthy integration cycle. It’s an ideal stopgap, even if you ultimately choose to investigate (or go with) another product offering. You can get an idea of the value provided by tools like this, and you can start gathering information immediately.
The second advantage is that it lets you experiment. You actually can experiment with where and how to integrate the data provided by the tool into your release pipelines or operational processes.
Keep in mind that there are numerous options here. You might decide, for example, that you will focus on the left side of the equation and enable developers to examine and evaluate containers themselves — for example, by training them on how to minimize unneeded supporting code, stale libraries, unnecessary packages, or known-vulnerable versions of software.
Alternatively, you might decide that the functionality is most valuable in your CI/CD pipeline, and you might write scripts to automate evaluation as container images make their way through. Lastly, you might decide that you want to gather better information about container images already in production, and use the tool as a way to gather information about what you already have deployed.
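As an added example of the pipeline scripting this paragraph describes (and of the "raise an alarm on common vulnerabilities" policy idea later in the article), the gate below is my own code, not the article's or the Anchore project's. It assumes the per-CVE inventory has already been pulled from the engine as JSON with "vuln", "severity", "package" and "fix" fields; that field layout and the sample report are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Severity order used for the threshold comparison (labels assumed; any
# unlisted label, e.g. "Unknown", ranks below the lowest threshold).
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report: CVE ids, packages and fix versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "imageDigest": "sha256:PLACEHOLDER",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "Critical", "package": "libexample-1.0", "fix": "1.0.1"},
        {"vuln": "CVE-0000-0002", "severity": "High", "package": "libother-2.3", "fix": "None"},
        {"vuln": "CVE-0000-0003", "severity": "Medium", "package": "tool-0.9", "fix": "0.9.5"},
        {"vuln": "CVE-0000-0004", "severity": "High", "package": "legacy-4.2", "fix": "4.3"},
    ],
})


def parse_report(report_json):
    """Return the list of finding dicts from a JSON vulnerability report."""
    return json.loads(report_json)["vulnerabilities"]


def evaluate(findings, fail_at="High", only_fixable=True, allowlist=frozenset()):
    """Apply a CI gate: block the build on findings at or above fail_at.

    only_fixable: findings with no upstream fix cannot be removed by a rebuild,
    so they are counted and reported but do not fail the build.
    allowlist: CVE ids accepted after review (risk-accepted exceptions).
    """
    threshold = SEVERITY_RANK[fail_at]
    counts = Counter(f["severity"] for f in findings)
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], -1) < threshold:
            continue
        if f["vuln"] in allowlist:
            continue
        if only_fixable and f.get("fix") in ("None", "", None):
            continue
        blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "counts": dict(counts)}


if __name__ == "__main__":
    result = evaluate(parse_report(SAMPLE_REPORT), allowlist={"CVE-0000-0004"})
    print("severity counts:", result["counts"])
    for f in result["blocking"]:
        print(f"BLOCK {f['vuln']} {f['severity']} {f['package']} -> fix {f['fix']}")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the stage would feed the engine's report for the freshly built image into `parse_report` instead of the embedded sample, and the non-zero exit is what stops the image from being pushed.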
Turk outlined how — and why — organizations can get started with usage.
“We believe that deep image inspection should be a best practice for all those who work with containers,” he said. “Anchore Engine is free and open source and can be easily integrated into any CI/CD system. There really is no reason not to scan images before you publish or deploy them, and Anchore Engine comes with an out-of-the-box policy that can raise an alarm for the most commonly encountered vulnerabilities. We recommend that all developers integrate image scanning into their workflow, ideally through one of the many available CI/CD integrations.”
Regardless of where and how you decide to employ it, there is a rapid on-ramp. You can get up and running with five bash commands on a system with connectivity and Docker Compose already installed. No initial dollar investment is necessary to get started. How can you beat that?