One major advantage of containers is that they let developers package applications in a way that makes them more productive. One major disadvantage is ensuring those containers comply with security policies.
To help solve that issue, Anchore has updated its free container navigation service, Navigator, to include a container image scanning capability that can be applied against containers stored in DockerHub. Later this quarter, Anchore plans to add support for other container registry platforms.
Anchore CEO Saïd Ziouani says the Navigator service provides detailed content, security and compliance status for container images, including frequency of updates being made to images. In fact, DevOps teams can subscribe to notifications to stay informed of any changes made to an image, he says.
Ziouani notes that the trouble with containers, from a compliance and security perspective, is that they essentially create the digital equivalent of a black box. IT operations teams need to be assured that the container being deployed in production is the most secure available, based on when it was last updated against known vulnerabilities. Previously, Anchore made it simpler to discover containers, but the added scanning capability means IT operations teams can extend the Anchore Navigator service into the realm of vulnerability and compliance management, he says.
In general, DevOps teams are struggling with container security on multiple levels. Everything from the way applications based on containers are updated and replaced to the sheer number of places containers can be accessed from requires them to review how security policies are crafted and implemented. In some cases, the absence of those security policies winds up in a situation where organizations can’t deploy applications based on containers in a production environment.
Unfortunately, most IT security teams don’t have a firm handle on all the security implications of adopting containers. In theory, containers should make applications more secure by better isolating code. In practice, the processes for managing the software deployed in a container are still immature.
To address that issue, IT security teams will need to integrate more closely with DevOps processes. More applications are being built faster. But to make sure no shortcuts are taken in securing the code inside those containers, a coherent set of policies that a DevOps team can implement must be in place.
Of course, no one can manage what they can’t see. The first step to implementing a security policy is discovering where a container is and what’s in it. Otherwise, the security policy becomes yet another item in a long list of best practices that gets ignored in the rush to get code into production.