
Shift left needed to mitigate container risks

Frans de Waal, Prisma Cloud sales specialist, Palo Alto Networks.

The use of containers is soaring, but with increased adoption has come increased exposure. To mitigate risk, organisations need to embed cloud native, container-specific security into their entire application development life cycle.

This is according to Palo Alto Networks cloud solutions specialists Frans de Waal and Gordon Bailey-McEwan, who were addressing a webinar on how to mitigate risk when using containers.

Explaining the value proposition for containers, de Waal, the Prisma Cloud sales specialist at Palo Alto Networks, said: “69% of organisations host more than half of their workloads in the cloud, and 61% have moved to the cloud to modernise applications. Initially they opted for lift and shift, but they quickly moved to modernise their environments using cloud native applications. Cloud native applications are containerised, dynamically managed and microservices-oriented.”

“With containers, if I need to make a change to a piece of the application, I don’t need to write the application anew or be concerned about interdependencies associated with a waterfall delivery approach. With cloud native applications, there has been a change in how applications are built and deployed, with DevOps to simplify and speed up the application lifecycle,” he said.

However, there were a number of challenges in this new environment, he said.

“Our studies and industry analysis have found the potential for exposure across the container build, deploy and run processes, as well as the environment and architecture.”

He said these risks include image vulnerabilities and configuration defects, embedded malware and clear text secrets, the use of untrusted images, insufficient authentication and authorisation restrictions, insecure connections to registries and stale images in registries, quite apart from the risks of the running environment itself.

In addition, vulnerabilities could exist within runtime applications, and an exploit of one could have a large blast radius because of outbound network access from containers, insecure runtime configurations and the permissions associated with the workloads.

Gordon Bailey-McEwan, Prisma Cloud solutions architect, Palo Alto Networks.

The architecture also presents a large attack surface, with potential vulnerabilities in the shared kernel and host OS component, while improper user access rights and host OS file system tampering could pose risks to the organisation. Limiting the exposure of underlying services to various functions is important, he noted. “However beneficial any emerging architecture is, cloud native apps only add value if they're secured, meaning that all components of the vast container ecosystem you implement will need protection.”

“We have to consider security end to end across the building of the container, the environment around it, and the running of it,” he said. “It is important to use container-specific technology for secrets management and to identify configuration risks, compliance issues, malware and vulnerability status across the entire application life cycle.”

Code to cloud security

Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, demonstrated how Prisma Cloud secures cloud native applications from code to cloud.

“With containerised applications, developers will tend to start off with a base image, then take their own custom code and build on top of that base layer. The important thing to do is to use some tooling to scan the application code for vulnerabilities,” he said. He showcased how a Prisma Cloud IDE plug-in scans for vulnerabilities and misconfigurations, offering descriptions of the vulnerabilities and recommendations on remediating them.

Once a container image has been built and deployed into a Kubernetes cluster, Palo Alto can scan it again for vulnerabilities.

“The developer’s code doesn’t just live on his laptop, he tends to push it into a version control system. Prisma Cloud has the ability to scan this as well, with the same warnings,” Bailey-McEwan said.

“But even if we have scanned on the developer’s IDE, and a version control system like GitHub, the developer could ignore all the warnings. As they move into the deploy phase, we can actually scan container images and pick up vulnerabilities at various stages to prevent the application from being pushed out with vulnerabilities,” he said.
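The deploy-phase gate described above, and the image risks listed earlier (clear text secrets, untrusted base images), come down to a policy evaluated over a scan report before an image is admitted. The following is an added example written for this article, not Prisma Cloud code: the scan report shape, the vulnerability identifiers (placeholders, not real CVEs), the registry allow-list and the policy thresholds are all constructed assumptions, and it runs offline on the embedded sample report.

```python
"""Image admission gate: decide whether a scanned image may be deployed.

Added illustration, not vendor code. The report format below is a constructed,
hypothetical shape; a real scanner's output would need to be mapped onto it.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical allow-list of registries a base image may come from (assumption).
TRUSTED_REGISTRIES = ("registry.example.internal/", "docker.io/library/")


@dataclass
class Policy:
    block_at: str = "high"              # block on any finding at or above this severity
    only_if_fix_available: bool = False  # ignore findings with no fixed version yet
    block_on_secrets: bool = True        # any detected clear text secret blocks
    require_trusted_base: bool = True    # base image must come from TRUSTED_REGISTRIES


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(report: dict, policy: Policy) -> Decision:
    """Apply the policy to one scan report; every reason is one blocking finding."""
    reasons = []
    threshold = SEVERITY_RANK[policy.block_at]
    for v in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(v["severity"].lower(), 0)
        if rank < threshold:
            continue
        if policy.only_if_fix_available and not v.get("fixed_in"):
            continue
        reasons.append(f"{v['id']} ({v['severity']}) in {v['package']}@{v['version']}")
    if policy.block_on_secrets:
        for s in report.get("secrets", []):
            reasons.append(f"clear text secret ({s['type']}) in {s['path']}")
    if policy.require_trusted_base:
        base = report.get("base_image", "")
        if not base.startswith(TRUSTED_REGISTRIES):
            reasons.append(f"untrusted base image {base}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample report for illustration; the VULN-* ids are placeholders.
SAMPLE_REPORT = {
    "image": "registry.example.internal/payments/api:1.4.2",
    "base_image": "docker.io/library/python:3.11-slim",
    "vulnerabilities": [
        {"id": "VULN-0001", "severity": "critical", "package": "openssl",
         "version": "3.0.1", "fixed_in": "3.0.2"},
        {"id": "VULN-0002", "severity": "high", "package": "libxml2",
         "version": "2.9.10", "fixed_in": None},
        {"id": "VULN-0003", "severity": "medium", "package": "curl",
         "version": "7.88.1", "fixed_in": "8.0.0"},
    ],
    "secrets": [{"type": "aws_access_key", "path": "/app/config.env"}],
}

CLEAN_REPORT = {
    "image": "registry.example.internal/payments/api:1.4.3",
    "base_image": "registry.example.internal/base/python:3.11",
    "vulnerabilities": [],
    "secrets": [],
}


if __name__ == "__main__":
    for name, policy in [("default", Policy()),
                         ("fixable only", Policy(only_if_fix_available=True)),
                         ("critical only", Policy(block_at="critical", block_on_secrets=False))]:
        d = evaluate(SAMPLE_REPORT, policy)
        print(f"{name}: allowed={d.allowed}")
        for r in d.reasons:
            print("  -", r)
    print("clean image:", evaluate(CLEAN_REPORT, Policy()).allowed)
```

The `only_if_fix_available` switch is the caveat a practitioner will want to think about: blocking on findings that have no fixed package yet stops deployments the developer cannot remediate, so many teams alert on those and block only on fixable findings, while never exempting detected secrets.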

“In the runtime phase, Prisma Cloud will create rules for vulnerabilities and can block any containers spinning up in the environment with high or critical vulnerabilities. As soon as a container starts up in the environment, we go into a container modelling process, where Prisma Cloud creates a baseline for container behaviour and processes. This baseline can be leveraged to detect any anomalous behaviour and prevent or block it if necessary. In addition, if a container is running in the environment and a new CVE comes out, Palo Alto will proactively and virtually patch it.”
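The runtime baseline idea in the paragraph above, learning what a container normally does and then flagging deviations, is a generic technique rather than anything specific to one product. The example below is added here for illustration and is not Prisma Cloud code: the event feed, the learning window, the per-image keying and the enforce-versus-alert split are all assumptions, and the exec and connect events are constructed sample data.

```python
"""Per-image behaviour baseline with a learning window, then anomaly detection.

Added illustration, not vendor code. Events are assumed to come from a runtime
sensor as (timestamp, image, kind, value); here they are constructed inline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float     # seconds
    image: str    # image the container was started from
    kind: str     # "exec" (a process started) or "connect" (an outbound connection)
    value: str    # executable path for exec, "host:port" for connect


class BehaviourModel:
    def __init__(self, learning_window: float, enforce_kinds=("connect",)):
        self.learning_window = learning_window
        self.enforce_kinds = set(enforce_kinds)   # kinds to block rather than only alert
        self.first_seen = {}                       # image -> ts of first event
        self.baseline = defaultdict(set)           # image -> {(kind, value)}

    def observe(self, ev: Event):
        """Return None while learning or when the event matches the baseline,
        otherwise an alert dict with the action to take."""
        start = self.first_seen.setdefault(ev.image, ev.ts)
        key = (ev.kind, ev.value)
        if ev.ts - start < self.learning_window:
            self.baseline[ev.image].add(key)     # assumption: the container is clean while learning
            return None
        if key in self.baseline[ev.image]:
            return None
        return {
            "image": ev.image,
            "ts": ev.ts,
            "kind": ev.kind,
            "value": ev.value,
            "action": "block" if ev.kind in self.enforce_kinds else "alert",
        }


def run(events, learning_window: float = 60.0):
    """Feed events in order; return the list of alerts produced after learning."""
    model = BehaviourModel(learning_window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        a = model.observe(ev)
        if a:
            alerts.append(a)
    return alerts


IMG = "registry.example.internal/payments/api:1.4.2"

# Constructed sample events: the first 60 s establish the baseline, the rest are
# a mix of normal activity and three deviations (shell, curl, unknown egress).
SAMPLE_EVENTS = [
    Event(0.0,   IMG, "exec",    "/usr/local/bin/python"),
    Event(1.5,   IMG, "connect", "db.internal:5432"),
    Event(2.0,   IMG, "connect", "cache.internal:6379"),
    Event(30.0,  IMG, "connect", "db.internal:5432"),
    Event(120.0, IMG, "exec",    "/usr/local/bin/python"),   # normal
    Event(121.0, IMG, "connect", "db.internal:5432"),        # normal
    Event(400.0, IMG, "exec",    "/bin/sh"),                 # deviation: alert
    Event(401.0, IMG, "exec",    "/usr/bin/curl"),           # deviation: alert
    Event(402.0, IMG, "connect", "203.0.113.10:443"),        # deviation: block
]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"t={a['ts']:.0f}s {a['action'].upper():5} {a['kind']} {a['value']}")
```

The learning-window assumption is the weak point of any baseline approach: if the container is already compromised while the model is learning, the attacker's behaviour becomes part of the baseline. That is why the image gate at deploy time and the runtime model are complementary rather than alternatives, and why a baseline should be re-learned when the image changes rather than carried over.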

Organisations can request a trial of Prisma Cloud here: https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial
