Resilient Container Security: Why You Need a Preventive Approach

Written by Christina DePinto, Product Marketing Manager, Tenable Cloud Security.

As organizations move to the cloud, container adoption is skyrocketing. A recent study conducted by Forrester Consulting on behalf of Tenable surveyed 825 IT and cybersecurity pros worldwide¹ and found that 32% of organizations are planning to implement containers in the next 12 months, while over a third (35%) have already implemented them and 16% are planning to expand their use.

This staggering adoption of containers brings a change to how software applications are traditionally built, deployed and, of course, secured. In this first installment of our series “Resilient Container Security”, we’ll explain the importance of embedding preventive security into the container ecosystem as part of an exposure management strategy.

Why do we need to treat containers differently than traditional virtual machines?

Containers differ from traditional virtual machines (VMs) in several ways. They are lightweight and have shorter lifespans, making it challenging for security teams to track what is deployed and for how long. Further complicating matters, traditional vulnerability management approaches and separate products can’t easily secure containers in the context of the larger attack surface. Here’s why:

• Traditional vulnerability management approaches during runtime are often ineffective in detecting containers before they disappear.
• Containers often lack the necessary horsepower and access for agent-based and credentialed scans, making it difficult to use traditional vulnerability management techniques.
• Unlike virtual machines, remediation of container vulnerabilities means stopping the containers, fixing the images on which they’re based, and then redeploying them.

The takeaway? There’s a growing gap between what legacy products security teams use and modern solutions that provide what’s actually needed to protect containers.

That DevOps sandbox is teeming with known vulnerabilities

To make matters worse, developers often assemble applications using open-source building blocks that are bursting with known vulnerabilities. According to Slim AI’s “Public Container Report 2022”, the average public container had 287 vulnerabilities, 30% of which are high or critical. Cybersecurity teams are often stuck in an endless cycle of spotting and fixing issues in production – reactive behavior that’s no match for the high-velocity world of containers, DevOps and continuous innovation.

The exposure management approach

To address these challenges, you need a proactive, preventive approach to container security, underpinned by exposure management. Exposure management transcends the limitations of reactive and siloed security programs by combining the people, processes and technologies associated not only with vulnerability management, but other critical areas including web application security, cloud security, identity security, attack path analysis and attack surface management. With an exposure management program, organizations can understand the full breadth and depth of their exposures and take the actions needed to reduce them through remediation and incident response workflows.

The vulnerability management team gets a promotion

Another key step is to give the security team a prominent role in securing containers. While DevOps teams build and deploy containers into production, security teams must be at the forefront of defining the policies that the container images and registries are tested against. That way, each team can embed security into their workflows under governance administered by the security team.

When the security team spearheads implementing a single-policy-framework, DevOps teams will be able to use infrastructure-as-code scanning and policy-as-code best practices to reach better security outcomes.

How security teams take control through prevention

Even when developers practice “shift left” and focus on finding bugs early in the software development lifecycle (SDLC), security isn’t typically part of that process, so most vulnerabilities are remediated after software has been shipped to production. As we’ve learned, this doesn’t work for containers.

With a preventive mindset, security pros can work with DevOps teams to integrate security testing programmatically from within the DevOps toolchain – ensuring security teams are included in the process from the beginning. Further, security teams can broaden the focus of their vulnerability management programs by assessing assets and applications in development in addition to scanning those in production.

In short, security needs to live where developers live – namely the continuous integration and continuous delivery (CI/CD) build systems used to compile and test code – but vulnerability management teams must lead the charge. View the move to containers as an opportunity for your security team to plug into the innovation cycle as applications and services are being created. That way, you’re working to proactively prevent vulnerabilities prior to deployment, when it’s faster and cheaper.

The Forrester study¹ reveals that 74% of cybersecurity and IT pros believe their organizations would be more successful at defending against cyberattacks if they could devote more resources to preventive cybersecurity. When it comes to containers and other short-lived cloud assets, prevention is the only way security teams can truly manage cyber risk. It’s essential to analyze and protect container images, not only the containers themselves, and ensure all base images used by developers are secure and compliant according to a single-policy framework.

¹ A commissioned study of 825 IT and cybersecurity professionals conducted by Forrester Consulting on behalf of Tenable, May 2023

About the Author

Christina DePinto joined Tenable in 2022 and is a Product Marketing Manager for Tenable Cloud Security and Tenable's open-source project Terrascan. Prior to joining Tenable, Christina worked at Siemens Digital Industries Software on the industry marketing team focusing on electronics and semiconductor manufacturing.