Security Concerns Remain with Containers and Kubernetes Per New Report

When it comes to organizational growth and the fast pace of doing business, DevOps is a key enabler in the transformation of a company. Containers play a significant role in this evolution, helping organizations to modernize faster by making it easier to deploy applications. No one deploys containers or virtual machines for fun; their purpose is to run applications.

Taking it a step further, Kubernetes, an open-source platform for managing containerized workloads, enables organizations to automate deployments. As a result, development teams can deliver code commits faster and achieve business objectives faster. While containers provide a level of abstraction, deploying the container is not the goal. The goal of every container is to run its contents, the application, or service as a means of supporting the business.

Containers and Kubernetes Multiply Code Commits and Release Cycles

The results enabled by containers and Kubernetes are impressive. Per a new report from StackRox, “The State of Container and Kubernetes Security Report,” almost 40% of organizations say they can develop and release applications faster by using them. These successes have not gone unnoticed: the share of containers running in production jumped from 22% to 29% in the past six months, a growth rate of 32%.

Yet the rapid adoption rate of containers and Kubernetes is only half the picture when it comes to security. Nearly half (44%) of those surveyed in the StackRox report said they delayed moving an application into production due to concerns over the security of containers or Kubernetes. This is a bit ironic, in that those same organizations embraced containers and Kubernetes in order to speed up application release cycles. The other half of the picture is what goes inside the container, essentially its raison d’être.

Security Concerns Around Containers and Kubernetes Slow Development Cycles

Concerns about security don’t seem to be falling as containers gain greater adoption. In last year’s “The State of Container and Kubernetes Security Report,” from StackRox, their research team explains, “Despite having a greater percentage of containers in production, organizations have only modestly reduced their security concerns. Worries about misconfigurations and runtime risks persist, and still too few organizations have a robust security plan in place.”

This year’s report corroborates their unease: 94% of those surveyed indicate they experienced a security incident in their container and Kubernetes environments in the last 12 months. Organizations aren’t immune to issues during runtime either. More than one out of four (27%) had a security incident in their runtime environment, and another 24% had a major vulnerability to remediate.

So, what is the cause of container and Kubernetes security issues? According to this year’s report, misconfiguration tops the list. But when misconfigurations are combined with vulnerabilities or security events in runtime, the risks multiply. For example, 18% of organizations in the study reported both a misconfiguration and at least one vulnerability in the last 12 months. The authors explain that, “This combination is critical because a misconfiguration by itself might not be harmful but, when compounded by an exploitable vulnerability, for example, it can pose a much greater risk for a breach.”

Security Takeaways from the Report

Following are some of the key takeaways from the report:

Lack of security investments is top concern

For the third consecutive year, inadequate security investment in containers tops the list of container concerns in the report. However, it is encouraging that organizations are increasing the maturity of their container strategies. In 2018, StackRox found that 34% of organizations felt their container strategy was not detailed enough; that number has dropped to 22% today. With containerized applications spanning build, deployment, and runtime (or production), security and development teams need an application security (AppSec) platform that consolidates disparate security toolsets while providing full visibility across all applications and the containers and microservices that power them.

Runtime worries are growing

While there is growing emphasis on shifting left and extending right, organizations remain concerned about their runtime environments. Indeed, the numbers spiked this year over the previous two years of the StackRox report, rising from 43% last year to 56%. Compared to security concerns for the build and deployment stages, 15% and 29% respectively, this is a substantial data point. Because misconfigurations and vulnerabilities are key contributors to security risk in runtime, organizations need to focus on an integrated AppSec model that addresses both assessment and protection.

Security and DevOps skills shortage creates challenges

The demand for skilled developers and security professionals continues to grow rapidly. Indeed, there is a discernible skills shortage in both functions. The cybersecurity skills shortage is well known: the latest (ISC)² report on the topic concludes that the global cybersecurity workforce will need to grow by 145% to meet the global demand for skilled cybersecurity professionals.

The StackRox report reaches similar conclusions for development teams, where survey respondents admit to an internal skills shortage as well as steep learning curves around Kubernetes. Even developers who work with containers may not know how to use Kubernetes, let alone how to secure containerized applications managed by Kubernetes. Ad hoc security approaches simply cannot scale with the volume of code development and release cycles of modern DevOps teams. Further, hiring more development and security staff is not a viable response in the face of severe security and development skills shortages.

In response, organizations need to look for an AppSec approach that integrates security into the application using instrumentation. Such an approach should not depend on specialized security expertise and training; rather, it should enable developers to manage security from within the application.

Shift left translates into automation, continuous AppSec requirements

One of the conclusions of the StackRox report is that container and Kubernetes deployments must involve developers, DevOps, and security teams. A shift left necessitates that organizations build security into applications during the build stage of the development cycle. But this requires a rethink of traditional AppSec where coding must be repeatedly halted and restarted for static application security testing (SAST). Instead, instrumentation-based AppSec delivers continuous, automated, real-time identification of vulnerabilities and verification of their remediation. Instrumentation is effective because it operates within the container, protecting what the container was built to run. To paraphrase “DevSecOps evangelist” Bruce Springsteen, “baby code was born to run.”

A New AppSec Platform for Containers and Kubernetes

There are some really exciting advancements taking place in DevOps. Leveraging digital innovations such as application containers and Kubernetes, organizations are committing more code and speeding development cycles. Yet, as is often the case with digital transformation, these advancements come with challenges—security in this case. Many organizations have legitimate concerns about security and are delaying application deployment and slowing code commits due to them.

To address these concerns, organizations need a DevOps-native AppSec platform that extends continuous security assessment and protection across build, deployment, and runtime environments. Further, security should be managed from within the application so that it does not require specialized security skills.

Erik Costlow, Developer Relations

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.