Rony Moshkovich
Published 9/21/20
The web application and service business loves containers, but they present a security challenge. Prevasio has the skills and experience to meet the challenge. Its runtime scanning technology and techniques will let you avoid the serious risks of vulnerable or compromised containers.
The very thing that makes Docker containers convenient — their all-in-one, self-contained structure — makes them opaque to traditional security tests. Instances come and go as needed, sometimes deleting themselves within seconds. This scalable and transient nature isn’t amenable to the usual tools. Prevasio’s approach is specifically designed to analyze and test containers safely, finding any problems before they turn into security incidents.
The container supply chain
Container images put together code from many sources. They include original source or binary code, application libraries, language support, and configuration data. The developer puts them all together and delivers the resulting image. A complex container has a long supply chain, and many things can go wrong.
Each item in the image could carry a risk. The container developer could use buggy or outdated components, or it could use them improperly. The files it imports could be compromised.
A Docker image isn't a simple archive of files, like a gzip file. An image may be derived from another image, so extracting all its files and parameters is possible but not straightforward.
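To make the "not straightforward" point concrete, here is an added example (not Prevasio's code) that flattens a `docker save` tarball into the file list a container would actually see. It reads the archive's manifest.json, applies the layer tars in order, base image first, and honours the OCI whiteout markers that derived images use to delete or hide files inherited from the image they were built on. The two-layer sample image is constructed in memory so the script runs offline; its paths and contents are made up for the example.

```python
"""Flatten a `docker save` image tarball into the files a container would see.

Added example (not Prevasio's code). `docker save` writes a tar whose
manifest.json lists the layer tars in order, base image first. Each layer is
applied on top of the ones below it, honouring OCI whiteout markers:
`.wh.<name>` removes an entry inherited from a lower layer, and
`.wh..wh..opq` makes a directory opaque, hiding everything below it.
The two-layer sample image is constructed in memory so the script runs offline.
"""
import io
import json
import posixpath
import tarfile

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"


def _add_file(tar, name, data=b""):
    """Append one regular file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer_tar(files, whiteouts=(), opaque_dirs=()):
    """Build one layer tar: regular files plus whiteout/opaque markers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            _add_file(t, name, data)
        for path in whiteouts:
            d, base = posixpath.split(path)
            _add_file(t, posixpath.join(d, WHITEOUT_PREFIX + base))
        for d in opaque_dirs:
            _add_file(t, posixpath.join(d, OPAQUE_MARKER))
    return buf.getvalue()


def build_sample_image():
    """Constructed image: a base layer and a derived layer that reshapes it.

    Layer 0 (base): etc/passwd, app/old.so, opt/debug/leftover
    Layer 1 (derived): deletes app/old.so via whiteout, makes opt/debug opaque,
                       and adds app/new.so and app/config.yml.
    """
    layer0 = _layer_tar({"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                         "app/old.so": b"\x7fELF-old",
                         "opt/debug/leftover": b"debug build leftover"})
    layer1 = _layer_tar({"app/new.so": b"\x7fELF-new",
                         "app/config.yml": b"db: prod\n"},
                        whiteouts=["app/old.so"], opaque_dirs=["opt/debug"])
    manifest = [{"Config": "cfg.json", "RepoTags": ["sample:latest"],
                 "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        _add_file(t, "manifest.json", json.dumps(manifest).encode())
        _add_file(t, "cfg.json", b"{}")
        _add_file(t, "l0/layer.tar", layer0)
        _add_file(t, "l1/layer.tar", layer1)
    return buf.getvalue()


def flatten_image(image_bytes):
    """Return ({path: content}, layer_count) for the merged root filesystem."""
    merged = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        manifest = json.loads(outer.extractfile("manifest.json").read())
        layers = manifest[0]["Layers"]
        for layer_name in layers:
            layer_bytes = outer.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                members = layer.getmembers()
                # Whiteouts apply to lower layers only, so process them before
                # this layer's own files are added.
                for m in members:
                    d, base = posixpath.split(posixpath.normpath(m.name))
                    if base == OPAQUE_MARKER:
                        for p in [p for p in merged if p.startswith(d + "/")]:
                            del merged[p]
                    elif base.startswith(WHITEOUT_PREFIX):
                        merged.pop(posixpath.join(d, base[len(WHITEOUT_PREFIX):]), None)
                for m in members:
                    path = posixpath.normpath(m.name)
                    if m.isfile() and not posixpath.basename(path).startswith(WHITEOUT_PREFIX):
                        merged[path] = layer.extractfile(m).read()
    return merged, len(layers)


if __name__ == "__main__":
    fs, n = flatten_image(build_sample_image())
    print(f"{n} layers ->", sorted(fs))
```

A scanner that only lists the members of each layer tar would report `app/old.so` and `opt/debug/leftover` as present even though neither exists in the running container; applying the whiteouts first is what makes the inventory match what actually runs.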
Vulnerabilities and malicious actions
We can divide container risks into two categories: vulnerabilities and malicious code.
Vulnerabilities
Vulnerabilities introduce risk unintentionally. An outsider can exploit them to steal information or inflict damage. In a container, they can result from poor-quality or outdated components. The build process for a complex image is hard to keep up to date, and there are many ways for something to go wrong.
Vulnerability scanners don’t generally work on container images. They can’t find all the components. It’s necessary to check an active container to get adequate insight. This is risky if it’s done in a production environment.
Container vulnerabilities include configuration weaknesses as well as problems in code. An image that uses a weak password or unnecessarily exposes administrative functions is open to attacks.
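The configuration weaknesses named here can be checked directly from an image's config JSON (the `config` object that `docker inspect` also shows). The following is an added example, not Prevasio's tooling: it reports credentials embedded in environment variables, a process that runs as root, and exposed ports that carry administrative services. The port table, the weak-value list and the sample config are constructed for the example.

```python
"""Audit a container image's config for the weaknesses described above.

Added example, not Prevasio's tooling. It inspects the `config` object of an
OCI/Docker image config JSON: environment variables that embed credentials,
a process that runs as root, and exposed ports carrying administrative
services. The port table and weak-value list are constructed for the example.
"""
import re

SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY)", re.I)
WEAK_VALUES = {"password", "admin", "root", "123456", "changeme", ""}  # constructed
ADMIN_PORTS = {22: "ssh", 2375: "docker daemon (plaintext)",
               2376: "docker daemon (tls)", 3389: "rdp", 5900: "vnc"}  # constructed


def audit_image_config(image_config):
    """Return a list of (severity, message) findings for one image config dict."""
    cfg = image_config.get("config", {})
    findings = []

    # 1. Credentials baked into the image environment
    for entry in cfg.get("Env", []):
        key, _, value = entry.partition("=")
        if SECRET_KEY_RE.search(key):
            if value.lower() in WEAK_VALUES or len(value) < 8:
                findings.append(("high", f"weak credential in env var {key}"))
            else:
                findings.append(("medium", f"credential embedded in env var {key}"))

    # 2. Process runs as root (an empty User means root in Docker)
    user = cfg.get("User", "")
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(("medium", "container process runs as root"))

    # 3. Administrative services exposed by the image
    for port_spec in cfg.get("ExposedPorts", {}):
        port = int(port_spec.split("/")[0])
        if port in ADMIN_PORTS:
            findings.append(("high", f"exposes {ADMIN_PORTS[port]} on port {port}"))
    return findings


SAMPLE_CONFIG = {  # constructed; the shape follows the image config JSON
    "architecture": "amd64",
    "config": {
        "User": "",
        "Env": ["PATH=/usr/bin", "DB_PASSWORD=admin", "API_TOKEN=8f3c0b9e7a1d4c6e2b5f"],
        "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}},
    },
}


if __name__ == "__main__":
    for severity, message in audit_image_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Static checks like these are cheap and catch the obvious misconfigurations; they say nothing about what the container does once it runs, which is the gap the runtime analysis in the rest of the article addresses.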
Malicious code
Malware in a container is more dangerous than vulnerabilities. It could intrude at any point in the supply chain. The developer might receive a compromised version of a runtime library. A few unscrupulous developers put backdoors into code that they ship. Sometimes they add backdoors for testing purposes and forget to remove them from the finished product.
The only way to catch malware in a container is by its behavior. Monitoring the network and checking the file system for suspicious changes will discover misbehaving code.
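What "checking the file system for suspicious changes" and "monitoring the network" look like in code, as an added example that is not Prevasio's engine: two snapshots of a container's filesystem (path to sha256 of content), taken before and after a workload runs, are diffed and the drift is matched against locations that application code rarely has a reason to touch; observed outbound connections are compared with the destinations the image is expected to reach. The snapshots, rule patterns and connection records are all constructed.

```python
"""Behavioral check of a running container: file-system drift and network contacts.

Added example, not Prevasio's engine. It diffs two snapshots of a container's
filesystem (path -> sha256 of content) taken before and after a workload runs,
flags changes in locations that legitimate application code rarely touches,
and compares observed outbound connections with the destinations the image is
expected to reach. Snapshots, rules and connection records are constructed.
"""
import fnmatch
import hashlib

# Paths where unexpected writes deserve a look (constructed rule set).
SENSITIVE_PATTERNS = ["/etc/passwd", "/etc/shadow", "/etc/ld.so.preload",
                      "/etc/cron*", "/root/.ssh/*", "/usr/bin/*", "/usr/sbin/*"]
# World-writable scratch locations often used to stage dropped binaries.
SCRATCH_PATTERNS = ["/tmp/*", "/dev/shm/*", "/var/tmp/*"]

# Constructed stand-ins for a rootfs walk before and after the workload.
BEFORE_FILES = {
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "/usr/bin/app": b"\x7fELF app binary",
    "/app/config.yml": b"db: prod\n",
}
AFTER_FILES = dict(BEFORE_FILES)
AFTER_FILES["/etc/passwd"] += b"svc:x:0:0::/:/bin/sh\n"  # passwd changed during the run
AFTER_FILES["/tmp/.x"] = b"\x7fELF unknown binary"       # new binary in /tmp
AFTER_FILES["/app/cache.db"] = b"cache"                  # benign application write

OBSERVED_CONNECTIONS = [("10.0.0.5", 5432), ("203.0.113.7", 4444)]  # constructed
EXPECTED_DESTINATIONS = {("10.0.0.5", 5432)}                        # the app's database


def snapshot(files):
    """Map each path to the sha256 of its content."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def diff_snapshots(before, after):
    """Return (added, modified, deleted) path lists between two snapshots."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, modified, deleted


def _matches(path, patterns):
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


def flag_fs_changes(added, modified, deleted):
    """Turn raw drift into alerts using the location rules above."""
    alerts = []
    for p in added:
        if _matches(p, SCRATCH_PATTERNS):
            alerts.append(f"new file in scratch directory: {p}")
        elif _matches(p, SENSITIVE_PATTERNS):
            alerts.append(f"new file in sensitive location: {p}")
    for p in modified:
        if _matches(p, SENSITIVE_PATTERNS):
            alerts.append(f"sensitive file modified: {p}")
    for p in deleted:
        if _matches(p, SENSITIVE_PATTERNS):
            alerts.append(f"sensitive file deleted: {p}")
    return alerts


def flag_connections(observed, expected):
    """Report every (destination, port) pair not in the expected set."""
    return [f"unexpected outbound connection to {dst}:{port}"
            for dst, port in observed if (dst, port) not in expected]


def run_demo():
    """Run both checks over the constructed samples; returns (fs_alerts, net_alerts)."""
    added, modified, deleted = diff_snapshots(snapshot(BEFORE_FILES), snapshot(AFTER_FILES))
    return (flag_fs_changes(added, modified, deleted),
            flag_connections(OBSERVED_CONNECTIONS, EXPECTED_DESTINATIONS))


if __name__ == "__main__":
    for line in sum(run_demo(), []):
        print(line)
```

The benign write to `/app/cache.db` produces no alert, while the change to `/etc/passwd`, the binary in `/tmp` and the connection to an undeclared destination each do; in a real sandbox the snapshots would come from walking the container's root filesystem and the connection list from capturing its traffic, as the article describes.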
The Prevasio solution
Security tools designed for statically loaded code aren't very helpful with containers. Prevasio has created a new approach that analyzes containers without making any assumptions about their safety. It loads them into a sandboxed environment where they can't do any harm and analyzes them. The analysis includes the following:
Scanning of components for known vulnerabilities
Automated pen-test attacks
Behavioral analysis of running code
Traffic analysis to discover suspicious data packets
Machine learning to identify malicious binaries
The analysis categorizes an image as benign, vulnerable, exploitable, dangerous, or harmful. The administrator looks at a graph to identify any problems visually, without digging through logs. They can tell at a glance whether an image is reasonably safe to run, needs to be sent back for fixes, or should be discarded on the spot.
If you look at competing container security solutions, you’ll find that the key is runtime technology. Static analysis, vulnerability scans, and signature checking won’t get you enough protection by themselves. Prevasio gives you the most complete and effective checking of container images, helping you to avoid threats to your data and your business.