The Container Age Has Security-To-Go as Part of its Supply Chain

The microservice deployment and management stack is proving very effective for companies taking advantage of the cloud’s capabilities to scale and adapt. Containers (often alongside Kubernetes) sit on top of this elastic fabric with agile DevOps and CI/CD workflows that transition code from development to production in short timescales.

A significant problem with the speed of transition from home lab environments to production in just a few years is that container technology is generally DevOps, and not SecOps-focused. The collegiate atmosphere of trust in the broader development community has not so much turned a blind eye to bad actors, but simply not considered the implications of malevolent players’ potential activities.

Last December’s critical severity vulnerability Log4Shell is a good example. This vulnerability allows attackers to remotely execute malicious code on systems that are running certain versions of the Log4j2 Java logging framework. In less than a week, there were almost 1.3 million attempts to exploit the flaw on over 44% corporate networks globally.

Today’s cyber-attacks are becoming increasingly sophisticated. Attackers only need a single vulnerability to exploit and even the most fortified of systems can be compromised. Forrester’s research found that, in 2021, 35% of attacks exploited software vulnerabilities and 32% obtained unauthorized access using supply chains and third parties. 32% of attacks used an application exploit.

Traditional security practices focusing on exceptions, deny-lists, signatures, and vulnerability scanning are not sufficient as they tend to be reactive, focus only on known issues and are unable to scale. In addition, security tools which work based on the premise of a pre-defined security perimeter would not be suitable for containerized applications. The speed and ease of creating virtual networks, hundreds of container pods with ephemeral IP addresses and Kubernetes clusters distributed across data centers, cloud and edge environments blurs the notion of a single security perimeter.

Instead, we need to adopt a proactive approach and implement zero trust security controls. This means untrusting all activities by default. Then explicitly declaring what is acceptable and providing the least number of privileges to your containerized applications. Anything anomalous to what is defined as acceptable has to be blocked. In essence, you are defining multiple micro security perimeters for your containerized applications.

The emergence of DevSecOps roles in many workplaces (CAGR of over 24% in roles in the sector is expected to 2028) shows that many companies are aware that there’s good potential for combining security with your CI/CD pipeline. By shifting security left all the way to the earliest stage of the pipeline, you can dramatically improve efficiency, decrease cost, and produce secure applications.

Right from when container technology began to emerge, native best-of-breed security platforms designed for cloud native applications started to appear. SUSE NeuVector is one of the best-known among these. Its lightweight presence in Kubernetes environments protects applications throughout the container lifecycle from development, through QA, and into production environments. With NeuVector, companies can easily use policy-as-code to create zero-trust container environments that are actively scanned for vulnerabilities. It is able to inspect your container traffic in real time to identify attacks, protect sensitive data, and verify application access to minimize the attack surface. The plus side here for developers is that protection can be assured across the CI/CD pipeline by relatively trivial changes to configuration files. Once achieved, the development environment can be addressed as usual.

To deliver secure digital experiences and gain customer trust, companies must pursue the highest standards in both development and security practice and be prepared for all types of threat vectors. In cloud native development cycles, security must be a concern right from the onset, but it needn’t be a hindrance to the agility that cloud-native technology offers. Cybersecurity platforms such as NeuVector create the type of self-learning, zero-trust environment that makes supply chain security simple, from Dev to Production.

Read more about, SUSE NeuVector.

Vishal is here on LinkedIn: https://www.linkedin.com/in/vishalghariwala/