Modern Applications Must Consider Container Security Risks

The need for agility and speed when building and maintaining modern applications is changing the development methods companies use. There is a grand embracement of low-code/no-code strategies and a focus on microservices and containers. Unfortunately, some of the greatest benefits of using containers can also lead to security risks. Fortunately, there is a growing awareness of the potential problems, and many are taking steps to avert these problems.

Containers support modern approaches to development and application architectures. They allow large applications to be broken into smaller components and presented to other applications as microservices. They offer great portability across platforms. As such, many businesses are moving to container-based microservices to develop modern applications, including new real-time applications, such as real-time fraud detection, decision support, and enhanced customer service.

The result is a situation where there can be many containers to manage and maintain. Those containers must be managed and scaled over time.  

Popularity grows

Low-code/no-code approaches and containers are thriving due to their benefits.

Low-code/no-code environments significantly cut development time and thus allow for very fast application development. An early industry study estimated that low code environments could potentially shave 50 to 90% off development time versus developing using a coding language. Another reason cited for the move to low code is that it addresses the industry’s chronic challenge in finding skilled staff for development efforts.

Containers are in vogue for many reasons. They are platform-independent. You build a container once, and you can run it anywhere. Container-based architectures easily scale. And containers support a true microservices approach to development. So, parts of an application can be changed or scaled without requiring changes in the rest of the application.

Bottom line: low code and containers simplify application development and speed the development process.

Container security and lifecycle issues

However, businesses must look beyond agile and speedy development. They must address operational challenges to flexibly deploy, update, maintain, and host their real-time apps.

One lifecycle issue to consider is that containers are often created and then freely reused. Over time, the problem here is that new vulnerabilities may emerge, or the container content may no longer represent the state of the art for whatever function it is performing. Such issues are quite common in application development and are not specific to containers.

However, unique container issues have to do with the way containers are selected and the growing cyber threats specific to containers.

A study published by Sysdig earlier this year emphasized the need to “adopt a new workflow that embeds container security into their DevOps processes.” Among the findings:

• Many (40%) container images are pulled from public sources. Yet, few are checked for security vulnerabilities.
• Using data collected from more than 100,000 scanned images, the company found that of those with OS vulnerabilities, 4% of those vulnerabilities were high or critical. For those with non-OS vulnerabilities, 53% have high or critical vulnerabilities.
• Many containers are deployed with common configuration mistakes. For example, 58% of the images were running as root, opening them, and the applications they run in up to abuse if they are compromised.

As an industry, we’ve seen similar issues emerge as new time, and labor-saving technologies were adopted. We’ve dealt with many of the container lifecycle and security challenges in the past with things like virtualization and the use of virtual machines. As was the case then, the way to retain the benefits of containers is to develop sound security and lifecycle DevOps practices.