7 Container Security Best Practices For Better Apps

  • Write clean code

    In 2020, Digital Shadows scanned more than 150 million entities from GitHub, GitLab, and Pastebin and found 800,000 access keys and secrets. 40% of these were for database stores—38% for CSPs such as Google, Microsoft Azure, and AWS. Yikes.

    It goes without saying (but I’m saying it anyways) you cannot afford to have your secrets exposed. To keep your secrets secret, avoid writing secrets into the code or in a config file that is pushed into a repository. You can use tools like Git Secrets to prevent you from committing passwords and other sensitive information to a Git repository. To be honest, installing Git Secrets should be a company policy.

    Lastly, we recommend leveraging a tool like Amazon CodeGuru Reviewer to inspect your code as you write it and notify you of any potential vulnerabilities. The earlier vulnerabilities are detected and mitigated, the less stress (and cost) down the road.
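
    The kind of check a pre-commit secret scanner performs, as an added example (not code from this article or from Git Secrets): it scans only the lines a staged diff adds. The three rules and the sample diff are constructed for illustration.

```python
import re

# Illustrative rules chosen for this example (an assumption), not Git Secrets' rule set.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return (path, new_line_no, rule) for each added line that matches a rule."""
    findings, path = [], None
    old_left = new_left = line_no = 0
    for raw in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:      # outside a hunk: only headers matter
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            elif (m := HUNK.match(raw)):
                old_left, line_no, new_left = (int(g or 1) for g in m.groups())
            continue
        if raw[:1] in ("-", "\\"):               # removed line or "\ No newline" marker
            old_left -= raw[0] == "-"
            continue
        if raw.startswith("+"):                  # added line: this is what gets committed
            findings += [(path, line_no, rule)
                         for rule, rx in PATTERNS.items() if rx.search(raw[1:])]
        else:                                    # context line exists on both sides
            old_left -= 1
        new_left -= 1
        line_no += 1
    return findings

# Constructed sample: `git diff --cached` output with two planted secrets.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
-DB_HOST = "localhost"
+DB_HOST = os.environ["DB_HOST"]
+DB_PASSWORD = "s3cr3t-Pa55word"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = []
"""

if __name__ == "__main__":
    print("\n".join(f"{p}:{n}: {r}" for p, n, r in scan_diff(SAMPLE_DIFF)))
```

    Run from a pre-commit hook, a non-empty result would block the commit; the value read from the environment on line 11 passes because no literal is assigned.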

  • Use hardened container images

    Hardening helps limit potential weaknesses and reduce vulnerabilities by analyzing a container image’s current security status and then making any necessary improvements. To simplify the process, you can leverage hardened images for container operating systems from organizations like the Center for Internet Security (CIS). However, don’t just blindly trust these pre-hardened images—make sure they’re continuously scanned for any vulnerabilities that may have snuck in.

    By building pipelines with hardened images, you’re creating standardized base images for all internal teams to use. Scanning base images as you build gives you insight into your evolving security posture and alerts you to any new vulnerabilities that may emerge. A recurring theme—the earlier you catch a potential problem, the better.

  • Secure your images

    According to Sysdig, 40% of images are pulled from public sources, which can be troubling considering Docker Hub only certifies less than 1% of its millions of hosted images. To secure your image, make sure you only pull images from trusted sources and store them in your own private and secure repository.

    Private repositories provide the necessary control for proper access management. Make sure only those who need access to complete their job have it. Do not run your images as root—this will allow anyone with access to do whatever they want, which for bad guys most likely means injecting malicious code.

    Similar concepts apply to securing your artifacts: use a private repo for storage and only use packages validated by the security team.
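
    The two rules above (pull only from a trusted registry, do not run as root) can be checked before an image is built. This is an added example, not code from the original article; the registry name registry.internal.example and both sample Dockerfiles are assumptions.

```python
# Assumption for this example: the organisation's private registry host.
TRUSTED_REGISTRIES = ("registry.internal.example/",)

def check_dockerfile(text):
    """Return (line_no, rule, detail) findings; line continuations are not joined."""
    findings, stages, user, user_line = [], set(), None, 0
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].upper() == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=
            image = args[0] if args else ""      # malformed FROM is reported, not skipped
            # A base that names an earlier stage (or scratch) is not a registry pull.
            if (image not in stages and image != "scratch"
                    and not image.startswith(TRUSTED_REGISTRIES)):
                findings.append((n, "untrusted-base-image", image))
            if len(args) == 3 and args[1].upper() == "AS":
                stages.add(args[2])
            user, user_line = None, n            # each stage starts with its base's user
        elif parts[0].upper() == "USER":
            user, user_line = parts[1], n
    # Only the last stage becomes the shipped image, so only its USER matters.
    if user is None:
        findings.append((user_line, "no-user-set", "inherits the base image's user"))
    elif user.split(":")[0] in ("root", "0"):
        findings.append((user_line, "runs-as-root", user))
    return findings

# Constructed samples: a public-registry, root-running build and its corrected form.
WEAK = """\
FROM golang:1.22 AS build
RUN go build -o /out/app .

FROM alpine:3.19
COPY --from=build /out/app /app
USER root
"""
HARDENED = """\
FROM registry.internal.example/build/golang:1.22 AS build
RUN go build -o /out/app .

FROM registry.internal.example/base/alpine:3.19
COPY --from=build /out/app /app
USER 10001:10001
"""
if __name__ == "__main__":
    print(check_dockerfile(WEAK), check_dockerfile(HARDENED))
```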

  • Test your containers throughout the pipeline

    Use different testing methods throughout the pipeline, instead of leaving testing to the end.

    The first testing method is container image scanning, which helps identify software vulnerabilities. Next, use static application security testing (SAST) tools to analyze source or compiled versions of code to help you find security flaws. Lastly, dynamic application security testing (DAST) tools auto-scan web applications from the outside to look for security vulnerabilities like SQL injection, command injection, or insecure server configuration. DAST is usually completed after the application has been deployed to a staging environment.

    Ideally, your images should be scanned inline to control your privacy in case they contain credentials by mistake.

  • Manage secrets securely

    As we mentioned, you shouldn’t store secrets in code. So where should you keep them? Utilize a dedicated secrets manager, like AWS Secrets Manager, and regularly rotate your secrets. Your application should be configured to call the secrets manager and access the appropriate secret only when it needs it.

  • Ensure observability in production

    Security operation teams need the entire picture to mitigate threats as early as possible. This is why collaboration is so important. Without help from SecOps, the build process could be stalled due to undetected vulnerabilities.

    Since containers are ephemeral, meaning they’re quickly spun up and destroyed, it can be difficult for security teams to monitor and track changes, especially in complex systems with high churn.

    Containers also share resources like memory and CPU across one or more hosts, making it challenging to monitor resource consumption on the physical host and get an accurate indication of the container performance or application health.

    To help SecOps help you, look into security tools that provide comprehensive visibility without interfering with your job. The right tool should provide sufficient insights into the metrics and logs needed to properly monitor and measure container performance.

    Don’t forget to observe the network as well and make sure you’re receiving security alerts so next steps can be taken.

  • Remember to secure the pipeline

    We touched on this briefly before, but access management is extremely important. Follow the concept of least privilege for IAM permissions and roles attached to the pipeline and its components. If someone doesn’t need access to complete a task, don’t give it to them. You should take a zero trust approach to this as well, wherein you never trust and always verify any devices, applications, or users requesting access.

    Using infrastructure as code (IaC) is a great way to ensure your app containers are secure when deployed. Just remember to follow the necessary security processes here, such as scanning your IaC templates before deploying, in case configurations were changed by other teams.
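
    A least-privilege check for the IAM policy attached to a pipeline role, as an added example that is not part of the original article. The two policies, the role's purpose and the account ID 111122223333 are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def overly_broad(policy_json):
    """Return (sid, problem) for each Allow statement that breaks least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":        # Deny statements only narrow access
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            # Flags "*" and "service:*"; prefix wildcards such as "s3:Get*" pass.
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "applies to every resource"))
    return findings

# Constructed policies for a hypothetical role that pushes images to one repository.
BROAD = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PushImages", "Effect": "Allow", "Action": "ecr:*", "Resource": "*"}
]}"""
SCOPED = """{"Version": "2012-10-17", "Statement": {
  "Sid": "PushImages", "Effect": "Allow",
  "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
             "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
  "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/app"
}}"""

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, overly_broad(policy))
```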

Container security can be complex but leveraging the right security tools to accomplish each best practice is an effective, low-hassle method. There are several tools out there, but we recommend a platform approach with automation—ensuring total visibility for SecOps teams and minimum workflow interruptions for DevOps teams.
