Container Security Fact Vs. Fiction

One strange consequence of the COVID-19 pandemic is that, since almost all tech conferences in the world have moved online, it’s been easier than ever to attend. That means – in my unofficial straw poll of colleagues in the Dev and cybersecurity sectors – that we’ve all been attending more conferences and gossiping more than ever. And it probably hasn’t escaped your notice that this gossip is focused mainly on one topic – containers.

I’ve lost count of the number of colleagues I’ve heard declare that “containers” – either one aspect of them, or the concept as a whole – are unsafe. Generally, this is expressed in some vague, generalized, philosophical way; at other times, the rumor references any one of a number of common container vulnerabilities. But whichever way it is expressed, it makes for a juicy claim.

That’s because containers are, by all accounts, the Next Big Thing. They are also extremely popular, and usage is growing rapidly – according to Gartner, around 70% of all organizations will be using at least three containerized applications by 2023. If they are unsafe, this means that we may be in the process of building a new infrastructure that will undermine much of the security and safety work we’ve done over the past two decades.

So, with the prime conference season fast approaching and the rumor mill ready to start back up, I’d thought I’d offer my two cents and address some of these rumors directly.

Rumor: Containers are Inherently Insecure

This is the most pernicious rumor about container security going around at the moment, and the one you’ve most likely heard. The thinking behind this idea goes something like this: containers create a secure way for different software components to communicate, which is great. Unfortunately, it’s also possible to connect containers themselves in an insecure way. That encourages developers to build software that leaks critical data as it is passed between containerized modules.

This rumor is easy enough to dispel by applying the simple adage: just because you can do something doesn’t mean you should. Sure, containers make it easy to connect all of your software components together into a messy, insecure mass, but that doesn’t mean that many developers actually do. In other words, just because a development paradigm can be made insecure doesn’t mean that it is inherently so.

That’s not to say, though, that there are not genuine concerns. The rise of malvertising shows that it’s possible to use containerized ad delivery software to distribute malware, and that many personal and corporate firewalls are ill-equipped to deal with the threats associated with containers. This does not mean, however, that we should throw containers out altogether – merely that we should improve our threat detection systems.

Rumor: VMs are More Secure

A related argument goes like this: containers were only developed as a way of emulating true virtual machines (VMs), and “real” VMs are actually far more secure than any containerized system. There are a number of problems with this argument, as well.

The first is that, contrary to what VM fans claim, containers were not developed to replace VMs and certainly not to make them easier to work with. Instead, they were (and remain) a radically different approach to development. Indeed, in many ways, the two approaches are completely contrary to each other – VM models use a device-focused ontology and containers, instead, use a module-based framework.

The second problem with this rumor is more fundamental – does it even make sense to compare VMs and containers in this way? Is it even possible to say that one is “more secure” than the other?

Well, no. In my experience, secure systems are those that have been designed with security baked-in from the start and which are maintained by technicians who understand the code and hardware. Because of this, it’s far more important that staff understand their own, unique systems than the paradigm on which they are built. You can have the most sophisticated system in the world and make it insecure via human error.

So the counterpoint to this rumor is this: if you understand VM security, they are more secure. If you are more familiar with building and maintaining secure container systems, this approach will be more secure and will work better for you.

Rumor: Containers Make Compliance More Difficult

Of the three rumors on this list, this one comes closest to being a fact, but still falls a little short. It’s true, for instance, that developers who have made the move to containers have had some hellish compliance cycles over the past few years.

This, however, is not because containers are inherently more difficult to audit for compliance purposes. Indeed, in many ways, the opposite might be true. Instead, it’s largely due to the fact that auditors (and many outside development teams, actually) are still new to containers. They are unfamiliar with the way they work. As containers continue to be rolled out in more organizations and across more applications, this is necessarily going to change.

For evidence of that, you only have to look at some of the most widely used applications today. Instagram, for instance, is installed on one in four smartphones, and yet manages to fly through compliance processes each time new federal data security guidelines are approved. That’s largely because the company has made sure that compliance staff are kept in the loop during the development process and understand the way that the containerization in the app actually works (or, at least that’s what my colleagues in San Francisco tell me).

Containing the Gossip

Ultimately, of course, these rumors are unlikely to stop the inevitable rise of containers. A survey carried out in 2019 by the Cloud Native Computing Foundation (CNCF), for instance, found that containerization had actually become the new normal, with four in five deployment projects leveraging the technology.

In practical terms, that means that if you are a developer who still harbors doubts about the security of containers, you might be better off learning best practices for securing container images, rather than trying to hold back the tide.

Bernard Brode

Bernard Brode is a product researcher at Microscopic Machines and remains eternally curious about where the collision of AI, cybersecurity, and nanotechnology will eventually take us.

Bernard Brode has 4 posts and counting. See all posts by Bernard Brode