Showing posts with label vulnerability. Show all posts

Tuesday, July 2, 2024

Layered Security Strategies: Implementing Defense in Depth for Containerized Applications

Containers are great: they let you "Build Once, Run Anywhere" and give you isolated environments that leave developers free to choose their programming languages. No more worrying about different library versions for different products, and they are ideal for deploying microservices.

Containerization is also a practice that involves Developers, DevOps, Security and your Platform team. I am outlining some of the high-level items with respect to securing containers.



Reduce Attack Surface

Choose your base images carefully and install only the required libraries and packages. A better option is to go with Distroless images, which contain only the application and its runtime dependencies.
A smaller image inherently improves security by reducing the attack surface. It can also improve performance by speeding up downloads and reduces cost. The main disadvantage is that it requires a multistage build, e.g. a Go application will have a first stage that contains the Go compiler and all the dependencies, and a second stage that packages the executable with only the required runtime packages.


Image Scan

Scan your images for vulnerabilities. You can do this as part of your:
  • Build process
  • CI/CD pipeline
  • Registry scan (if you have your own registry)
Scanning for vulnerabilities is a good security practice and, depending on your industry, will also be part of your compliance requirements.

SBOM

An SBOM provides visibility into all the software components and libraries that are part of your container image. It helps you identify vulnerabilities and patch them quickly. Note: vulnerabilities can be reported later than your original scan, and an SBOM is valuable in exactly that case, because you can match new advisories against the inventory without rescanning. It can also serve as a good asset management tool. All organizations that sell software to the U.S. Federal Government are mandated to provide a Software Bill of Materials (SBOM) as part of supply chain security (as of June 2023).
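The "match later advisories against the SBOM" step above, as an added example that is not part of the original post: it parses a small CycloneDX JSON SBOM (constructed here, not from a real image) and reports components older than the fixed version in a constructed advisory list. The advisory IDs, package names and versions are placeholders.

```python
"""Match a CycloneDX SBOM against advisories published after the image was built."""
import json

# Constructed CycloneDX 1.4 document. purl strings follow the package-url
# format; the component names and versions are illustrative only.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "payments-api", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "libssl3", "version": "3.0.2",
     "purl": "pkg:deb/debian/libssl3@3.0.2"},
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.18",
     "purl": "pkg:pypi/urllib3@1.26.18"}
  ]
}"""

# Constructed advisories that arrived after the original image scan.
# 'fixed_in' is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl_type": "pypi", "name": "requests", "fixed_in": "2.31.0"},
    {"id": "ADV-EXAMPLE-2", "purl_type": "pypi", "name": "urllib3", "fixed_in": "1.26.18"},
    {"id": "ADV-EXAMPLE-3", "purl_type": "npm", "name": "lodash", "fixed_in": "4.17.21"},
]

def parse_version(v):
    """Turn '1.26.18' into (1, 26, 18) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def purl_type(purl):
    """'pkg:pypi/requests@2.25.1' -> 'pypi' (the ecosystem part of a purl)."""
    return purl.split(":", 1)[1].split("/", 1)[0]

def affected_components(sbom_json, advisories):
    """Return (advisory id, purl, fixed_in) for every SBOM component an advisory covers."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        ptype = purl_type(comp["purl"])
        for adv in advisories:
            if (adv["purl_type"] == ptype and adv["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                findings.append((adv["id"], comp["purl"], adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    for finding in affected_components(SBOM_JSON, ADVISORIES):
        print(finding)
```

Only requests is reported: urllib3 is already at the fixed version and lodash is not in the image at all.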


No Root 

Running containers as root increases the impact of vulnerability exploitation, potentially allowing attackers to escape the container and compromise the host. It also violates the Principle of Least Privilege. In Docker, run the application as a dedicated app user and group. In Kubernetes, always make sure the following are set in your container's Security Context:

runAsNonRoot: true 
allowPrivilegeEscalation: false

Privilege escalation is one of the major ways that vulnerabilities in containers are exploited. Here is a good example of a vulnerability reported in 2022: https://nvd.nist.gov/vuln/detail/CVE-2022-0492
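A check for the two Security Context settings above, as an added example that is not part of the original post: it walks a Pod manifest in the dict form that `kubectl get pod -o json` returns (constructed here) and reports every container that does not end up with runAsNonRoot: true and allowPrivilegeEscalation: false. The pod and container names are placeholders.

```python
"""Report containers in a Pod manifest that are missing the required securityContext settings."""

# Constructed Pod manifest (not from a real cluster), shaped like 'kubectl get pod -o json'.
POD = {
    "kind": "Pod",
    "metadata": {"name": "payments-api"},
    "spec": {
        # Pod-level runAsNonRoot applies to every container unless a container overrides it.
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "api", "image": "payments-api:2.3.1",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "log-shipper:1.0",
             "securityContext": {"runAsNonRoot": False}},   # overrides the pod-level value
            {"name": "legacy", "image": "legacy-batch:0.9"},  # no securityContext at all
        ],
    },
}

def check_pod(pod):
    """Return a list of (container name, problem) findings; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext") or {}
        # runAsNonRoot can be set at pod level; the container-level value wins if present.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if run_as_non_root is not True:
            findings.append((c["name"], "runAsNonRoot is not true"))
        # allowPrivilegeEscalation exists only at container level and is true when unset.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
    return findings

if __name__ == "__main__":
    for name, problem in check_pod(POD):
        print(f"{name}: {problem}")
```

Here only the api container passes: sidecar explicitly re-enables root, and legacy inherits runAsNonRoot from the pod but never disables privilege escalation.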


Keep your Secrets Secret

Don't put your passwords or other sensitive information in environment variables, source code or the Dockerfile. Use Docker secrets, HashiCorp Vault or your cloud provider's key management service. Always ensure that secrets are encrypted at rest and in transit. Use role-based access control and grant access on a need-to-know basis.

Networking

Avoid exposing services directly to the internet when possible. Implement mutual TLS between services; almost all service mesh options for Kubernetes support mTLS. TLS termination: check that your Ingress controllers terminate TLS properly for incoming traffic.


Remember there is no such thing as a perfect or ideal setup or a no-risk environment. With respect to securing your containers, you can "do more with less" just by following these practices.

Monday, June 19, 2023

Understanding SBOM: Is the Software Bill of Materials a New Concept?

I was listening to the Cloud Security Podcast in my car. My daughter was in the car and I was explaining the Bill of Materials. It struck me that we have a Bill of Materials for the car that helps both manufacturers and consumers. Why was it so hard for software applications to do the same?

BOM: In car assembly, various components from different suppliers are brought together to create a finished vehicle. Each component, such as the engine, transmission, brakes, and electrical systems, comes from a different manufacturer and may have its own supply chain. Without proper documentation and tracking, it can be challenging to have visibility into the origins, specifications, and potential issues of these components.

SBOM: Applies the same idea to software components. An SBOM provides a comprehensive inventory of the software components used. It also includes information on the dependencies and versions of third-party software libraries and frameworks.

Supply Chain Management and Risk: Automotive manufacturers today have good visibility into their supply chain. They can identify the components used, their sources, and their versions. This lets them ensure quality when building the car. When there are issues in the supply chain, they can find the associated risk and find alternatives for those components. An SBOM addresses the same issues for dependent software and the risk associated with it.

Vulnerability Management - Build Cycle : Manufacturers can monitor security advisories and updates related to the components listed in the BOM. 

Similarly, an SBOM provides visibility into the software components and their dependencies, which helps in identifying known vulnerabilities. When a vulnerability is found in a dependency, the software owner can quickly assess which software is affected and find the libraries that need to be updated. This can be integrated into the software build cycle so that vulnerabilities are not introduced in the first place.


Vulnerability Management - Post Build: When a software vulnerability or issue is identified, an SBOM allows for targeted and efficient component replacement. The car industry today can pinpoint the specific components that need to be updated or replaced when there is a recall. Similarly, vulnerability management can quickly find the exact software that needs to be fixed or patched when a new vulnerability is identified.


Compliance and Auditing: An SBOM also helps in meeting regulatory requirements and facilitating audits. It provides a transparent record of the software components used, making it easier to demonstrate compliance with industry standards and regulations. In case of an audit or investigation, the SBOM serves as a documented proof of the software supply chain and its compliance.

Lifecycle Management: Throughout the lifecycle of a car, software updates and improvements are released. An SBOM aids in managing these updates by providing a clear picture of the software components and their versions. It ensures that the correct updates are applied to the specific components in the car, promoting performance improvements, bug fixes, and security enhancements.

Enforcement is required, because an SBOM is effective only if the dependent software also provides one.

Presidential Action on SBOM:

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 




Should You Use Containers with Serverless Implementations?

Serverless implementations are usually Cloud Deployment-specific, AWS Lambda being the most popular implementation. However, there are some ...