Micha Hernandez van Leuffen, founder and CEO of software company Wercker, gives an overview of how containerised software development affects application security.
It seems like every month brings with it a new high-profile hacking. Take Buzzfeed, whose database was hacked in October by OurMine, a group that has previously hacked the servers of Pokemon Go as well as Mark Zuckerberg and Sundar Pichai. Hacking isn’t the only problem dogging today’s developers: as software becomes ever-increasingly complex, with arrays of interdependencies across various databases and cloud service providers, catastrophic software failure has become an increasingly common occurrence. For example, January 2016 saw high profile glitches hit both Nest and HSBC, resulting in widespread loss of service. For understandable reasons, application security has moved higher up the agenda for today’s developers and enterprise IT decision makers. While containers are currently all the rage, many are questioning their underlying security. So what exactly do containers mean for software security?
Containers: a crash course
For the uninitiated, software containers are a method of software abstraction for developers. Software abstraction provides developers with more horsepower and flexibility. Decades ago, developers were working with ‘bare metal’ – that is, servers purchased from vendors such as Dell and stacked or colocated in a datacenter. Clearly this limited capacity, so developers started using virtual machines.
Virtual machines (VMs) allow developers to abstract away the underlying hardware by utilising software, called a hypervisor, that emulates hardware capabilities such as CPU, storage, memory and networking, allowing more software tasks to be run simultaneously on multiple VMs per physical machine. Think of containers as lightweight versions of virtual machines: but instead of a hypervisor, the virtualisation is done through the underlying operating system, allowing for their fast creation and enabling developers to fit more of them on a single server (often a virtual machine).
Enterprise applications are developed within a monolithic software paradigm, meaning that tasks such as authentication, error handling and the user interface are all interwoven and interdependent of each other. Containers are the opposite, encouraging developers to compartmentalise their applications into modular components, called microservices, that can be removed and replaced without affecting the overall application.
This represents a very important step forwards in application development security: for too long developers finding and neutralising bugs in complex applications have had to pick apart intricately interdependent software elements, where small changes to one section of code can have vast consequences in other areas.
With containers, this problem is greatly simplified: infected or problematic code can be identified and isolated quicker, as the code is already split into self-contained, self-sufficient components. This view is echoed by Gartner analyst Joerg Fritsch, who, in a recently published paper, concluded that “applications deployed in containers are more secure than applications deployed on the bare OS… They greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”.
By their very nature containers are easily replaceable, due to their being self-contained and encapsulated. This means that, should a container become infected or fail, it can easily be removed from the application, modified and then reinserted with minimal downtime. In essence, containers allow for immutable deployments.
Caution
Containers are not a silver bullet: like any other method of software development, developers have to use them with their eyes open, and keep working to the same software security best practices they always have. Container-based software development can potentially introduce bugs or malware to your application if you use containers sourced from open repositories on sites such as GitHub. Well-trained developers won’t find this surprising: any software component downloaded from an unknown source should be treated with caution and scanned for malware.
There are a variety of tools springing up which aim to expedite this scanning process: this year CoreOS announced the first full release of their Clair container image security analyser, meanwhile earlier in October 2016 Anchore, a startup which says that it can ensure software containers are safe, announced it had secured $5 million in seed funding.
In balance, software containers bring security to applications more than they compromise it. Ultimately, a container-centric approach to software development enables developers to update vulnerabilities faster, resulting in a more faster and more secure experience for consumers as well as developers.
