Unpacking Containerization Part 2: vArmour, Containers, and DevSecOps


DevSecOps is a philosophy of software development that treats security risk holistically. Both the software AND the infrastructure should be hardened against threats, and ownership of security is shared between product managers, developers, and system administrators alike.

Containers are often at the core of the continuous integration / continuous deployment (CI/CD) pipeline. They enable a microservice architecture in which software can be fixed and redeployed in an agile way, with a far smaller process footprint than running multiple VMs, so the approach scales.

For all the benefits containers have, customers often make assumptions about the security of these environments that do not hold up:

Assumption: Containers are immutable once they are running.
Reality: Unless specifically built to be “read only”, containers are live systems that can be altered to do more than the developer originally intended while running.

Assumption: There is no realistic opportunity for a container to be compromised because they only exist for small amounts of time.
Reality: Containers can run for as long as they need - this might be quickly, as an application is spinning resources up and down to meet demand, or indefinitely for long term needs like a database.

Assumption: The underlying host OS is abstracted and unreachable from a container like it is for a virtual machine.
Reality: Containers provide process isolation, not OS abstraction. The service inside a container is ultimately just another process running on the host OS, and has the same capabilities as any other process if not properly secured.

Assumption: The network traffic between containers doesn’t need to be understood. The networks are isolated, and the network controls provided by the container configuration are enough to enforce the intent of the developers.
Reality: Container networks are not isolated without special configuration, and even then, the visibility into their traffic is limited. Container network controls are limited and do not have full layer 7 enforcement.
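The three configuration-level points above (a root filesystem that is writable unless the container was built read-only, a container process that keeps host capabilities unless they are dropped, and networking that is not isolated unless it is configured to be) can all be checked from the container runtime's own metadata. The following audit script is an added example written for this post, not vArmour's code or a vArmour DSS feature. It reads JSON in the shape of Docker's `docker inspect` output, with the `HostConfig` field names (`ReadonlyRootfs`, `Privileged`, `CapAdd`, `CapDrop`, `NetworkMode`, `PidMode`) assumed from Docker's documented format, and the three container entries are constructed sample data, not captured from a real host.

```python
import json

# Constructed sample in the shape of `docker inspect` output. The HostConfig
# field names are assumed from Docker's inspect format; the three containers
# and their settings are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/api",
        "HostConfig": {
            "ReadonlyRootfs": False,
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": None,
            "NetworkMode": "bridge",
            "PidMode": "",
        },
    },
    {
        "Name": "/metrics-agent",
        "HostConfig": {
            "ReadonlyRootfs": False,
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "NetworkMode": "host",
            "PidMode": "host",
        },
    },
    {
        "Name": "/hardened-web",
        "HostConfig": {
            "ReadonlyRootfs": True,
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "NetworkMode": "frontend-net",
            "PidMode": "",
        },
    },
])


def audit_container(entry):
    """Return the list of findings for one inspect entry.

    Each finding corresponds to one of the assumptions in the table:
    mutability, host-level capabilities, and network isolation.
    """
    hc = entry.get("HostConfig") or {}
    findings = []
    # Assumption 1: the container is not immutable unless its rootfs is read-only.
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (not built read-only)")
    # Assumption 3: the container is just a host process; privileged mode and
    # added capabilities give it more of the host's power, not less.
    if hc.get("Privileged"):
        findings.append("privileged: runs with the host's full capability set")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace: host processes are visible")
    # Assumption 4: container networks are not isolated without configuration.
    mode = hc.get("NetworkMode")
    if mode == "host":
        findings.append("host networking: no network isolation from the host")
    elif mode in ("default", "bridge"):
        findings.append("default bridge network: other containers on it are reachable")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every container in the inspect output."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

On a real host the input would come from `docker inspect $(docker ps -q)`; the script flags the defaults the table warns about rather than trying to rate severity, so a container that is deliberately run on the default bridge still shows up and can be reviewed against the developer's intent.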

The larger CI/CD pipeline complicates things even more by multiplying the workloads that DevSecOps needs to protect. In the realm of Continuous Integration our customers have individual developer workloads, source code repos, ticket/project software, build servers, and external resources that house build dependencies. Under Continuous Deployment we see internal container registries, test deployment servers, middleware/messaging, various databases, IT and backend systems (DNS, authentication, logging, health monitoring, jumpboxes, etc.), and the core production servers running the containers themselves.

vArmour’s approach to containers, DevSecOps, and risk in general is built on a deep understanding of the technologies underneath and of the needs of the people and teams that use them. This is expressed through the following capabilities:

  1. Deep understanding only comes from deep visibility, so vArmour provides layer 7 inspection of every connection between every workload - container, VM, or physical - across public and private clouds.
  2. We help you interpret and label applications through auto-discovery using port, service, and layer 7 application protocols. These applications can then be placed in a taxonomy so their relationships by function, region, and realm can be visualized. We can also import existing application knowledge from other systems, so vArmour’s real-time understanding of the network can be compared to your historical understanding.
  3. Because vArmour DSS provides greater insight into what’s actually happening on your network, we can provide detailed risk reporting for some of the most common critical applications, and the ability to drill into any application, workload, or connection type on demand.
  4. Once a clear picture of how the app behaves has been generated, the final step is enforcing that intent. Intent-based policies that apply to any workload, application, or zone let DevSecOps teams stay agile in the face of network changes while maintaining the security posture they want. Policy computation allows potential changes to be tested and validated before they are implemented.

To an attacker, any service running on a port, or the entire application, is an equal-opportunity target regardless of the technology underneath. vArmour DSS can address the micro and macro security needs of every team involved in an organization’s DevSecOps efforts by bringing the most important capabilities into one tool.
