In the 1940s, polyethylene, a new type of plastic, was discovered. Earl Tupper, a chemist by trade, immediately knew that this discovery could change the world. He introduced lidded bowls, and sold his company in 1958 for millions of dollars. But this was only the beginning. Tupperware was soon everywhere… from your mother’s kitchen to the Simpsons.
Containers in an organisation’s architecture are a lot like that.
Containers are everywhere
Everyone who wants to scale has used them, and continues to use them simply because of how convenient and useful they are. The 2019 Container Adoption Survey (by Portworx and Aqua Security) stated that over 87% of its respondents ran container technologies. Of those running applications in containers, nearly 90% ran them in production, up from 84% in 2018 and 67% in 2017. So yes, most companies use containers.
However, not all those who run this tech understand how to deal with its challenges efficiently.
Problem #1: We need more security around popular deployments
Data security and the loss of data were the two most cited areas of concern, and the respondents stated that applications deployed in containers had become more complex over the years, which points to a growing need for security in those applications.
Problem #2: Containers face a people problem
When it comes to actually securing applications, there’s another conundrum: most respondents (just over 30%) named the organisation’s security team and the DevSecOps teams as the ones responsible for patching vulnerabilities, but 47% of DevOps respondents said DevSecOps were responsible for looking into container security, while 54% of Security respondents named Security as the main owner. So there is clearly a lot of confusion about who should look into securing containers in an organisation (on the bright side, this is better than either team evading responsibility), which means that when something goes wrong, nobody really knows who should fix it.
Problem #3: Containers have changed the security paradigm
The growing, almost mutating, need for containers has also meant that security for this technology must evolve as well. The problem here is threefold:
- Automation across SDLCs needs security checks at every point: Because containers keep all their dependencies contained, they can easily be shifted from a development environment to a test environment, and then to a production environment. While this enables faster deployments, it also means that every part of the SDLC also has to have security intact. One vulnerable link and the deployed application is open to attack.
- Scaling containerised applications means deployed entities can mutate quickly according to demand. This means maintaining security for each component individually is almost impractical.
- Ain't nobody got time for that: When dealing with containers and an agile development cycle, developers have to make changes quicker than ever before — probably hours and days, not months. Including security into workflows could provide many advantages, but nobody has the time for it (unless it's absolutely necessary).
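The first of the three points above, a security check at every hand-off in the SDLC, is easiest to see with a concrete gate. The following is an added example, not code from the original post or from we45: a small Python gate that reads an image vulnerability report and decides, per pipeline stage, whether the image may be promoted. The report format, the stage names, the per-stage policy and the sample findings are all constructed for this example and are not the output of any specific scanner; the same report is evaluated again at each stage, so a finding that was acceptable in development is caught before test or production rather than once at the end.

```python
"""Stage-aware vulnerability gate for a container image pipeline (added example).

Assumptions (not from the original post): a JSON scan report with a list of
findings, each carrying an id, package, severity and optional fixed_version;
three pipeline stages (development, test, production) with their own policy.
"""
import json

# Ordering used to compare severities; anything not listed is treated as unknown.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed per-stage policy: the lowest severity that blocks promotion, and whether
# findings with no available fix are waived (common in early stages, never in prod).
STAGE_POLICY = {
    "development": {"block_at": "CRITICAL", "ignore_unfixed": True},
    "test":        {"block_at": "HIGH",     "ignore_unfixed": True},
    "production":  {"block_at": "MEDIUM",   "ignore_unfixed": False},
}

# Constructed sample report; the ids and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.4.2",
    "findings": [
        {"id": "VULN-EXAMPLE-1", "package": "openssl", "severity": "HIGH",   "fixed_version": "3.0.14"},
        {"id": "VULN-EXAMPLE-2", "package": "zlib",    "severity": "MEDIUM", "fixed_version": None},
        {"id": "VULN-EXAMPLE-3", "package": "curl",    "severity": "LOW",    "fixed_version": "8.8.0"},
    ],
})


def evaluate(report_json, stage):
    """Return (passed, blocking_findings) for one stage's policy.

    Fails closed: an unknown stage raises, and a finding with an unrecognised
    severity is always treated as blocking.
    """
    if stage not in STAGE_POLICY:
        raise ValueError(f"no gate policy defined for stage {stage!r}")
    policy = STAGE_POLICY[stage]
    threshold = SEVERITY_RANK[policy["block_at"]]
    report = json.loads(report_json)

    blocking = []
    for finding in report.get("findings", []):
        severity = str(finding.get("severity", "")).upper()
        rank = SEVERITY_RANK.get(severity)
        if rank is None:
            blocking.append(finding)          # unrecognised severity: do not guess
            continue
        if rank < threshold:
            continue                          # below this stage's bar
        if finding.get("fixed_version") is None and policy["ignore_unfixed"]:
            continue                          # waived: no fix to apply yet
        blocking.append(finding)
    return (len(blocking) == 0, blocking)


def gate_all_stages(report_json):
    """Evaluate the same report at every stage; returns {stage: passed}."""
    return {stage: evaluate(report_json, stage)[0] for stage in STAGE_POLICY}


if __name__ == "__main__":
    for stage in STAGE_POLICY:
        passed, blocking = evaluate(SAMPLE_REPORT, stage)
        verdict = "PASS" if passed else "BLOCK"
        ids = ", ".join(f["id"] for f in blocking) or "-"
        print(f"{stage:<12} {verdict:<6} blocking: {ids}")
```

In a real pipeline the report would come from whatever scanner the organisation runs, and the gate would be invoked at build, at promotion to test and again at promotion to production, so that an image whose base layer picks up a new finding between two stages cannot slip through on the strength of an earlier pass. The policy table is the part worth owning explicitly, since it is exactly the "who decides what blocks" question from Problem #2 written down as data.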
Because we’ve been in the business of helping organisations create and deploy secure applications, we’ve seen this ourselves. This also puts us in the position to propose a solution: holistic learning for both Security and DevSecOps teams.
The one silver bullet: Education
The way we see it, there are three ways to solve these issues via a holistic approach:
- Educating Developers about:
  - How they can engineer secure containers
  - The risks of container security
But education can be hard… right?
Obviously Developers, DevSecOps people and those working on Application Security all need different levels of education on how to treat these issues, which is why there is no single comprehensive course that could be relevant for them all.
Moreover, topics such as these are most often learned through hands-on experience, which is why we decided to address these issues in separate courses designed to give you first-hand experience, not just theoretical knowledge.
Our courses have several advantages over those widely available, including hands-on cyber ranges where you can explore the various attack possibilities and hence come up with defence strategies, a full-fledged deployment of Container Registry and defences, Container Security Engineering (both of which are rare), and the use of monitoring for containers with OSS tools like OSQuery.
The aim with our courses was to help attendees get trained in time-tested approaches to building, running and security testing container deployments, even on platforms like Kubernetes. We even have a Kubernetes Security Masterclass where attendees start with setting up a Kubernetes cluster, attack the cluster and learn to effectively secure Kubernetes clusters through multiple deep-dive examples and cookbooks!
If you’d like to take a look at our courses on containers, no matter which level of learning you’re at, visit we45’s Container Security and Orchestration training for yourself!