Virtualization Technology News and Information
6 Tips to Simply Build Secure and Compliant Containers

By: Fernando Cardoso, Trend Micro

Technology start-ups today are primarily born in the cloud with a culture of iteration and speed. The DevOps culture allows companies - whether a start-up or not - to push new features, applications, versions, etc. every few hours or even minutes.

Cloud-based applications that are not bound to a single runtime environment have clear advantages for organizations looking to develop and innovate at speed. Container adoption offers portability, efficiency and high utilization that make it an obvious choice for many developers.

"Every company across the globe is becoming a software company and in order to stay successful, competitive, and secure, they will need to re-think the current cybersecurity strategy for cloud workloads, containers, and serverless environments."

Throughout the build pipeline, agility and flexibility are key, but those are not typically synonymous with security. On the contrary, security may be seen as a roadblock - the heavy, legacy add on that halts DevOps style innovation.

Cloud native DevOps teams may view security as a pesky necessity forced upon them, or an easy-to-ignore afterthought. But it doesn't have to be that way.

Security can serve a great purpose for containers, potentially even making them more effective and higher performing. Addressing security upfront can eliminate problems in the future, helping your build sustain and scale reliably as a projects and applications evolves.

Teams need to find ways to seamlessly add security to DevOps pipelines without creating friction for developers, allowing everyone to work toward their primary goal of helping solve customer problems in creative ways.

Why does security matter in containers?

Let's look at an analogy for security in the cloud to give this some perspective.

While you may not want four tires on their own, they are a required part of owning a car. A car may technically work without them, but it's not going to drive well or last long without tires.

Container security can be thought of similarly. Security may not be something you seek out on its own, but it is a necessary component of an effective container environment to keep it running smoothly and reduce possible security risks in your microservices.

Despite the simplicity of the container itself, the underlying infrastructure can grow to be quite complex. A number of security or compliance-related issues can be introduced when a container is starting up, and if not addressed, the prevalence of the problem compounds as the infrastructure grows in size and complexity.

This can also be considered in terms of the data and information that lives in containers. Whether a business is cloud-native or migrating to the cloud, all types of critical business data is processed in containers. These critical assets would have significant business impact if leaked or exposed from container applications. Additionally, this data may fall under various compliance and regulatory standards that mandate security minimums are maintained.

"Containers offers innumerable benefits for your business and organization, as long you have the right policies and security tools to protect it from possible vulnerabilities, security issues or misconfigurations."

What does it mean to secure containers?

Given that containers simply package existing dependencies in a portable format, why would there be any different or additional cybersecurity needs?

While the common perception may be contrary, cybersecurity is actually very simple. The goal of cybersecurity is to ensure that whatever you build works as intended...and only as intended.

That last bit requires that the definition of a project being "finished" must include testing that ensures the code can't be forced into producing an unexpected output. This includes making sure the infrastructure on which a container is deployed is stable and behaves as expected, without unmitigated vulnerabilities.

With this in mind, the process of securing containers becomes continuous. It becomes an integrated part of the development pipeline - not a never ending, painstaking process.

It should be integrated-like other tests and quality controls-into your development process, automated to remove the number of manual touch points, and extended into the maintenance and operation of the underlying infrastructure.


Examples of security tools that integrate with DevOps pipelines

Container security concerns broadly relate to:

  • The security of the container host
  • Container network traffic
  • The security of your application within the container
  • Malicious behavior within your microservices
  • The integrity of the build pipeline
  • Securing your container management stack
  • The foundation layers of your application
  • Possible vulnerabilities in the platform and dependencies used by microservices

To feasibly manage all of this without impacting dev teams, security operations teams need to reduce the security overhead, quickly detect and remediate issues, and bring visibility across multiple cloud environments without adding too much friction to the current pipelines.

How to secure containers

For simplicity, let's consider an "outside in" approach to securing containers.

1.       Secure the container host

  • Select a container-focused operating system to host your containers. This helps reduce the overall attack surface by removing any services that aren't required to host your container workloads.
  • Add monitoring tools to keep an eye on the health of the hosts.
  • Use a strong set of security controls, like an intrusion protection system (IPS), to monitor and protect the shared resources on the host. An IPS will check each network packet for malicious or malformed content to prevent a potential attack or a Denial-of-Service (DoS) due to all the containers running on that host or node.
  • Include a Runtime Protection security layer on physical or virtual machines to protect the operating system and/or container engines used in hosts. This can help protect against malware and vulnerabilities, as well as ease the audit process using features like file integrity monitoring, log inspection, and application control.

For example, these are a few vulnerabilities associated with Kubernetes. These are mostly associated with recurrent issues in Kubernetes API's that could go unnoticed.

2.       Secure the networking environment

  • Monitor traffic moving north-south, to and from the internet, with controls like an IPS or RASP (Runtime Application Self-Protection) to stop attacks and filter malicious content.
  • Deploy an IPS to monitor east-west, inner-container, traffic. After attackers gain a foothold in a network, they look to move laterally to expand their reach. Monitoring internal traffic is a critical aspect of a defense in-depth strategy.


Container network traffic

3.       Secure your management stack

  • Ensure that your container registry is properly secured and monitored. Automated scanning can ensure each container meets security baselines, and can check for known vulnerabilities, malware, and any exposed secrets before it goes to the registry.
  • Lock down your Kubernetes installation and take advantage of features like Pod and network policies to enforce your security and development standards.

4.       Build on a secure foundation

  • Make sure to review and watch for updates from the project teams regarding any dependencies used in your applications. When they patch their software, you'll need to integrate patches as well to reduce the risk to your application.
  • Use a container image scanner to check for malware, known vulnerabilities, exposed secrets, as well as sweep for custom indicators of compromise (IoCs). This allows you to mitigate any risk before developing further or deploying to production.
  • Integrate the container image scanning with the registries to review all the container images that is being used by your organization.

5.       Secure your build pipeline

  • Prevent malware using strong endpoint controls on developer workstations and to protect against other attacks preferred by cybercriminals.
  • Ensure only authorized users can access code repositories, integrate branches, and trigger builds that are pushed to production using a thorough and consistent access control scheme. This is a critical step to safeguarding the integrity of your pipeline.
  • Remember that the servers running these tools also need to be secured. Seek out a tool with strong security controls and minimal overhead to help meet your security goals.

6.       Secure your application

  • Focus on code quality by making sure all code follows best practices. Most security vulnerabilities are a result of simple mistakes or poor design choices. Simple adjustments up front will pay security dividends.
  • Use RASP controls to help connect the dots between security vulnerabilities and issues in specific lines of code. This helps close the gap during root cause analysis and leads to better overall security outcomes.
  • Check for possible vulnerabilities in the platform and in dependencies used by your applications.


Organizations need to be able to deliver security agility to DevOps through guided principles and frameworks that drive continuous security and compliance for their cloud infrastructure choices. The stability of a container environment depends on it.

Significant benefits can be realized from adopting container technology, but as with any new technology adoption, a strong security plan is a must. Using an "outside in" strategy helps create a step-by-step plan to automate the security of your containers and the build pipeline that creates them.

Applying these recommendations from the beginning will prove highly beneficial in the future of your applications.


***To learn more about containerized infrastructure and cloud native technologies, consider joining us at KubeCon + CloudNativeCon NA Virtual, November 17-20.

About the Author

Fernando Cardoso Solutions Architect, Trend Micro

Fernando Cardoso 

Fernando Cardoso is a Solution Architect at Trend Micro and brings more than 10 years of experience working in the cybersecurity field. Previously, he worked as a Network Engineer and a Sales Engineer, with Datacenters, Cloud, DevOps, and Cybersecurity remaining the center of his passion. In the past four years, Fernando has been involved in numerous Cloud Security and DevSecOps projects

Published Thursday, November 12, 2020 7:26 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2020>