Containerization on the rise
The use of containers is growing rapidly as DevOps teams embrace them.
Developers can easily make small changes to an application and push it out immediately.
The potential to add automatic scalability and orchestration is another favorite container feature because it accommodates flexible workloads. Additionally, since containers are lightweight and portable, they tend to be the ideal operating environment for microservices.
Given that most organizations require faster time-to-market, containers are enabling them to become more agile.
As a result, as Gartner notes, the current adoption trend is only going to accelerate:
“By 2023, more than 70% of global organizations will be running more than two containerized applications in production, up from less than 20% in 2019.” (Gartner, “3 Critical Mistakes That I&O Leaders Must Avoid With Containers”)
According to a recent StackRox report, almost 40% of organizations say they develop and release applications faster by using containers.
Security concerns are widespread as well: 44% of those surveyed had delayed moving an application into production because of them. The security problems can originate in the containers themselves and in the applications that run inside them.
Standards bodies have taken note. In its Application Container Security Guide, the National Institute of Standards and Technology (NIST) recommends using solutions that are
“capable of preventing, detecting, and responding to threats aimed at containers during runtime. Traditional security solutions, such as intrusion prevention systems (IPSs) and web application firewalls (WAFs), often do not provide suitable protection for containers.” (NIST Special Publication 800-190)
Container deployments challenge traditional AppSec vendors
The problem is that traditional application security tools were not built for cloud-native requirements, and the Agile DevOps practices that create those requirements are quickly becoming the norm.
Traditional vulnerability assessment tools, such as static analysis (SAST) and web scanners (DAST), rely on a “scan” approach: a scan takes time to complete, and its results go stale as soon as the next change ships. When speed and scale are the priority, development cannot wait for lengthy scans or for the triage of their false positives.
The standard WAF-based approach to protecting containerized production applications from attacks and abuse is not good enough either. A WAF assumes a stable security perimeter, and that assumption does not translate well to containers, which are created, replicated and destroyed continuously.
A strategy that relies on traditional application security toolsets to meet these business demands is therefore less than ideal.
The fleeting nature of containers calls for a new approach to securing the applications that run inside them, one that requires organizations to examine their processes and teams and adapt them to this operational model.
Enter continuous security
Over the last few years there have been significant efforts to integrate security better into the software development life cycle. This “shift left” approach introduces security at the coding stage of the development cycle.
For shift-left initiatives to succeed, developers need tools that automate security and bake in as much of it as possible.
This approach is especially compelling with containers, because security that is instrumented into the application itself travels with the container. Shifting left is then not siloed in the coding stage: the same instrumentation keeps operating across the whole lifecycle, including once the container is deployed.
The Hdiv approach
Container security practices are important, but they will not be enough if the application itself has security problems.
At Hdiv, we advocate embedding application security as early as possible in the development lifecycle, coupled with a continuous, automated way of detecting vulnerabilities in real time at every stage of the SDLC.
Hdiv's vulnerability assessment product, Hdiv Detection, relies on IAST technology, which means continuous, real-time, accurate analysis. These attributes are key to maintaining security when applications are deployed in containers.
Similarly, Hdiv's attack protection product, Hdiv Protection (RASP), is an ideal defense for applications that run in containers. Because the protection becomes part of the application server and has full visibility of the application context, it works regardless of the deployment conditions.
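To make the contrast drawn above concrete (a perimeter rule that sees only the raw request value, versus protection inside the application that sees the SQL statement at the moment it reaches the database), here is a small Python sketch. It is an added example for this article, not Hdiv's code, and it does not show how Hdiv Protection is implemented: the naive WAF signature, the sqlite3 cursor hook, the `albums` table, the deliberately vulnerable `handle_request` handler and the request values are all constructed for the example, and simple substring matching stands in for the taint propagation a real agent performs.

```python
import contextvars
import re
import sqlite3

# Values received from the current request. A real in-app agent would
# propagate taint through string operations instead of remembering raw values.
_request_taint = contextvars.ContextVar("request_taint", default=())
MIN_TAINT_LEN = 3  # ignore very short values to avoid coincidental matches

# Perimeter-style signature, as a naive WAF rule would apply it to the raw
# parameter value, with no knowledge of how the value will be used.
WAF_RULE = re.compile(r"'\s*or\b|union\s+select|;|--", re.IGNORECASE)

def waf_blocks(raw_value):
    return bool(WAF_RULE.search(raw_value))

# Minimal SQL tokenizer: string literals, numbers, identifiers/keywords,
# line comments and single-character operators/punctuation.
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'            # string literal ('' escapes a quote)
    | \d+(?:\.\d+)?             # numeric literal
    | [A-Za-z_][A-Za-z0-9_]*    # identifier or keyword
    | --[^\n]*                  # line comment
    | \S                        # any other single character
""", re.VERBOSE)

def tokens(sql):
    return [(m.start(), m.end(), m.group()) for m in TOKEN_RE.finditer(sql)]

def tainted_spans(sql, tainted_values):
    """Locate every occurrence of a request value in the final statement."""
    spans = []
    for value in tainted_values:
        if len(value) < MIN_TAINT_LEN:
            continue
        start = sql.find(value)
        while start != -1:
            spans.append((start, start + len(value)))
            start = sql.find(value, start + 1)
    return spans

def is_injection(sql, tainted_values):
    """Tainted data is safe only if it sits inside exactly one literal token.
    Spanning several tokens, or becoming an identifier or keyword, means the
    input changed the structure of the statement: data became code."""
    toks = tokens(sql)
    for start, end in tainted_spans(sql, tainted_values):
        hit = [t for t in toks if t[0] < end and t[1] > start]
        if len(hit) != 1:
            return True
        text = hit[0][2]
        if not (text.startswith("'") or text[0].isdigit()):
            return True
    return False

class AttackBlocked(Exception):
    pass

class GuardedCursor(sqlite3.Cursor):
    """The sink hook: every statement is checked against the request's
    tainted values right before it reaches the database driver."""
    def execute(self, sql, params=()):
        if is_injection(sql, _request_taint.get()):
            raise AttackBlocked(sql)
        return super().execute(sql, params)

class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)

def setup_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO albums (id, title) VALUES (?, ?)",
                     [(101, "The Wall"), (102, "Pink Floyd -- The Wall")])
    return conn

def handle_request(conn, params):
    """Hypothetical, deliberately vulnerable handler: it concatenates request
    parameters into SQL, which is exactly what the sink hook must catch."""
    token = _request_taint.set(tuple(params.values()))
    try:
        cur = conn.cursor()
        if "id" in params:
            cur.execute("SELECT title FROM albums WHERE id = " + params["id"])
        else:
            cur.execute("SELECT title FROM albums WHERE title = '" + params["title"] + "'")
        return [row[0] for row in cur.fetchall()]
    finally:
        _request_taint.reset(token)

def serve(conn, params):
    """Run the handler and report whether the in-app hook blocked it."""
    try:
        return ("allowed", handle_request(conn, params))
    except AttackBlocked:
        return ("blocked", None)

if __name__ == "__main__":
    conn = setup_db()
    for params in ({"id": "101"}, {"id": "101 OR 1=1"},
                   {"title": "Pink Floyd -- The Wall"}, {"title": "' OR '1'='1"}):
        raw = next(iter(params.values()))
        print(f"{raw!r:28} WAF blocks: {waf_blocks(raw)!s:5}  in-app: {serve(conn, params)}")
```

Running it shows the two failure modes of the perimeter rule: the numeric payload `101 OR 1=1` contains no quote, semicolon or comment marker, so the WAF signature lets it through, while the legitimate title `Pink Floyd -- The Wall` trips the `--` signature and is blocked. The in-app hook, which sees the final statement, reaches the opposite and correct verdict in both cases: the payload spans five tokens and is blocked, the title sits inside a single string literal and is allowed. Because the hook lives in the application's own runtime, it gives the same answer whether the process runs on a server, in a container or behind an orchestrator's changing network.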