Open Source Market Segment LS
Open Source Market Segment RS
Wednesday, 19 June 2019 10:20

Containers pose security risks, but mitigation isn't tough: Lees

Peter Lees: "Container technology is really powerful and effective, especially when combined with the concept of micro-services and agile project methodology." Peter Lees: "Container technology is really powerful and effective, especially when combined with the concept of micro-services and agile project methodology." Sam Varghese

Recent concerns over the security offered by containers are not unjustified, the chief technologist for Germany-based SUSE in the Asia-Pacific says, adding however that there are a lot of operational things that could be done to mitigate the risk.

Peter Lees told iTWire in response to queries that the whole point of containers was to be able to get new functionality out quickly. "And in modern development that often means gluing together micro-services from many different sources, which in turn could mean that the ultimate source of those functions may not have been vetted," he said.

Container security was in the limelight in April when the credentials of some 190,000 account holders at Docker Hub, the official repository for Docker container images, were exposed due to "a brief moment of unauthorised access".

At the time, Lavi Lazarovitz, Security Research Team Lead at privileged account security firm CyberArk, said the breach could lead to a classic supply chain attack made possible, seemingly, by compromise of privileged tokens.

Lees pointed out that a 2017 paper had shown that up to 80% of the images on DockerHub contained a severe vulnerability. "So the 'quick and dirty' approach to development can end up introducing vulnerabilities into a system," he added.

SUSE, which developed a container-as-a-service offering back in 2017, has some standard processes which would help to mitigate risks when working with containers, Lees said.

He advised the following:

  • "use a private registry for 'vetted' containers so that you can be sure what’s inside the components that developers use (SUSE introduced the Portus project a few years ago to give enterprise-level security to the onsite Docker Registry);
  • "use an enterprise-supported OS as the base image for the container: that way you know someone is going to be working on security issues (sometimes before they are made public);
  • "have a process and tools to review and patch externally-sourced containers (openSUSE and SLE images can be patched with zypper-docker to bring them up to date: other systems require everything to be rebuilt from scratch)'
  • "compartmentalise applications within different Kubernetes clusters for different security tiers: don’t mix and match security and risk profiles within a single environment;
  • "avoid using privileged containers wherever possible: if the container runtime is essentially 'root', then any break-out from the container could potentially run as root. Never run unknown containers in privileged mode; and
  • "constrain what container runtimes can do by using the AppArmor security module or similar; this gives a higher level of auditing and defensive capability within the host node."

Said Lees: "So there’s a lot of operational things that can be done to mitigate the risk of using containers - just as is the case with non-containerised environments. The trick is to enforce these policies in the development environment while still maintaining the ability to make changes and updates at speed. There’s a paper from NIST which probably has one of the most comprehensive set of recommendations.

"Having said all that – container technology is really powerful and effective, especially when combined with the concept of micro-services and agile project methodology."

He said SUSE was retaining the focus on enterprise-class requirements for its software infrastructure layers, to try to make the right tools available in a supported way, and also to set sensible defaults for least-privilege.

"[In other words], creating the best operational experience for our Kubernetes distribution is one way we are trying to make managing all this easier," Lees added.

Read 2023 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News