Sponsored by

AVOIDING CONTAINER VULNERABILITIES


Seven experts discuss potential risks associated with containers and how to address those risks.
INTRODUCTION
Containers offer an unprecedented opportunity to scale cloud-based services, make incremental changes without disrupting larger processes, and rapidly respond to changing operational requirements. They also introduce a new uncertainty into the cloud-security picture. Containers and their use are still evolving and maturing. To get a better understanding of potential risks associated with containers and how best to address those risks, we asked the security experts the following question:

What vulnerabilities do containers create, and how do you protect against them?

Mighty Guides make you stronger.

These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective.

Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

© 2019 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 | 516-360-2622 | www.mightyguides.com

FOREWORD

Containers and Orchestration Create New Vulnerabilities

Over the last few years we have seen a dramatic rise in the use of containers and container orchestration systems for the coordination and management of cloud services. Among other things, containers allow for rapid deployment, ephemeral workloads, and autoscaling of applications at scale. For organizations that work in an agile way and deploy services continuously, it’s an enormously popular piece of their infrastructure. Popular types of containers include: Kubernetes, Docker Swarm, OpenShift, and Mesosphere.

Containers are a new and important component of modern environments, but as they still have to live in a shared host and cloud account facing similar threat vectors, their security cannot be treated in isolation. Lacework provides a holistic approach to container security as it supports this natively, while at the same time provides security for hosts and AWS accounts which, if compromised, can cause even larger scale damage to any container environment.

Many organizations rely on containers to help them orchestrate among applications and data sources, and as this approach grows, security teams are discovering a corresponding increase in their overall threat surface. The people interviewed in this book offer insightful proof that while containers provide distinct advantages for workloads and applications, they also require focused, automated security to remain safe.

Regards,
Dan Hubbard
Chief Product Officer

Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www.lacework.com.

© 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All other marks mentioned herein may be trademarks of their respective companies. Lacework reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

TABLE OF CONTENTS

Ross Young, Director, Capital One
Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)
Katherine Riley, Director of Information Security & Compliance, Braintrace
Darrell Shack, Cloud Engineer, Cox Automotive Inc.
Mauro Loda, Senior Security Architect, McKesson
James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC
Milinda Rambel Stone, Vice President & CISO, Provation Medical

“CONTAINERS RUNNING SERVICES OR APPLICATIONS ARE OFTEN OVERPRIVILEGED FOR THE FUNCTIONS THEY PERFORM.”

Ross Young, Director, Capital One

Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.

There’s a lot to like about containers, but also a lot not to like from a security perspective. For one thing, they make the environment considerably more complex, which introduces potential vulnerabilities.

For example, let’s say you have a normal Amazon EC2 server running something like a Linux-based operating system. Then you have to install a Docker engine on top of that. Now you have two types of vulnerabilities, one being whether you keep your host operating system (OS) patched and up to date, and the other is whether you configured your Docker engine correctly. Then if you install two applications as containers, the challenge becomes how you check to see if things are operating as they should. Historically one might look at network traffic from one EC2 instance to another. But in this simple example, there’s no network traffic leaving that EC2 instance. You need better tools capable of inter-container monitoring of activity within one EC2 instance, and more inter-container access control and authentication.

Another problem is that containers running services or applications are often overprivileged for the
functions they perform. For instance, they are often set up with admin privileges for an application that
doesn’t require those privileges. That means they now have the ability to see everything in the host OS,
and also see other containers that are on that same EC2, including data. Solving this requires tools that
run the service with the least privileges it needs so that it can’t break out of its container and get to the
host OS.

Another best practice that has started to evolve is using very small containers with minimum necessary
privileges, and making them read-only containers so they can’t be changed. If you get hacked, the
container still runs as intended.

Ultimately, developers need to incorporate security to the point where they create security policy as code.
This involves using tools that do security scanning during development and give developers instant
feedback about vulnerabilities.
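The overprivileged-container problem Ross Young describes, and the least-privilege and read-only remedies he recommends, can be written down as security policy as code. The following is an added example, not code from the guide or from Capital One: it checks a Kubernetes Pod spec for the privilege settings discussed above, using two constructed manifests (the workload name, image and registry are made up).

```python
"""Policy-as-code check for overprivileged Kubernetes Pod specs (added example,
not the guide's code). Flags securityContext settings that give a workload more
host access than it needs. Both manifests below are constructed for this example.
"""
import json

# Constructed manifest: the kind of overprivileged pod the text describes.
OVERPRIVILEGED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
  "spec": {"hostPID": true, "containers": [{
    "name": "api", "image": "registry.example.internal/billing-api:1.4",
    "securityContext": {"privileged": true, "runAsUser": 0}}]}}""")

# Constructed manifest: the same workload with least privilege and a read-only root filesystem.
HARDENED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
  "spec": {"containers": [{
    "name": "api", "image": "registry.example.internal/billing-api:1.4",
    "securityContext": {
      "privileged": false, "runAsNonRoot": true, "runAsUser": 10001,
      "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false,
      "capabilities": {"drop": ["ALL"]}}}]}}""")


def check_pod(pod: dict) -> list:
    """Return one finding per violated rule; an empty list means the pod passes."""
    findings = []
    spec = pod.get("spec", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} shares a host namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        # Container-level settings override the pod-level securityContext.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container has full access to the host")
        if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runs as root or does not assert runAsNonRoot")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL])")
    return findings


if __name__ == "__main__":
    for label, pod in (("overprivileged", OVERPRIVILEGED_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

Run as a pre-deploy gate, a non-empty result blocks the manifest and gives the developer the immediate feedback the text asks for.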

“MANY PEOPLE DON’T REALIZE THE POTENTIAL FOR HAVING A SINGLE POINT OF FAILURE WITH MULTIPLE CONTAINERS GOING DOWN.”

Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)

Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).

The easier it is to deploy code or apps, the greater the potential for propagating vulnerabilities. You need to manage these processes carefully and not get too comfortable with how easy it is to deploy and scale apps.

Containers themselves are pretty secure. However, many people don’t realize the potential for having a single point of failure with multiple containers going down, for instance if a host server is lost. The impact of this kind of event depends on a number of factors, including how the original environment is configured for density.

Securing an environment requires a layered approach that involves having security appliances at each step of the way, whether it’s a layer-three device, the endpoint itself, and how you authenticate into a system. The most important part of container security is access control. Once something has access to a system, there may be controls to detect behavior, and someone who is already in a system may approach very cautiously to avoid detection. It all comes back to appropriate access control.

“SEGREGATION OF DUTIES, AND SEGREGATION OF ACCESS…KEEPS YOUR PRODUCTION CONTAINER LOGICALLY SEPARATED FROM ITS DEVELOPMENT AND TEST STATES.”

Katherine Riley, Director of Information Security & Compliance, Braintrace

Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.

Container security begins with enforcing roles and responsibilities during development, testing, and production. Ideally you will have segregation of duties and segregation of access, which keeps your production container logically separated from its development and test states. Defining roles and responsibilities, and turning those on and off, determines who or what process can promote a container from development to test, and from test to production. These definitions become an integral part of your change-management process.

“IT IS VERY IMPORTANT WHEN YOU ARE PULLING CONTAINER IMAGES TO DRIVE A PROCESS, THAT YOU VERIFY THE AUTHENTICITY OF THOSE IMAGES.”

Darrell Shack, Cloud Engineer, Cox Automotive Inc.

Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.

One potential vulnerability with containers is that if one container is infected, that compromise can spread to the host. That’s because, unlike segmented environments where different applications can run on different operating systems, container environments typically run all the containers on top of one operating system, and the containers take their functionality from that operating system.

This is why it is very important, when you are pulling container images to drive a process, that you verify the authenticity of those images. You need to verify the sources and make sure you are using a known, secure URL.

Cloud-platform functions can help enforce the verification of images. For example, Amazon Web Services has an auto-scaling feature that monitors container activity. If a container is reaching capacity, AWS will automatically spin up an identical container to take on some of the load. If there is a reduction in load, AWS automatically destroys that container. The system will send notifications of these actions, which can be monitored on a dashboard. That’s important in environments hosting high-volume computing activity.

“THE BIG CHALLENGE IN A MASSIVELY SCALED CONTAINER ENVIRONMENT IS THE NEED TO CONTINUOUSLY SCAN AND MONITOR FOR NONCOMPLIANT IMAGES…”

Mauro Loda, Senior Security Architect, McKesson

Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.

Containers have many advantages, but the way containers sit on a common OS kernel creates a situation where compromising one single container can provide access to the OS kernel and all other containers associated with it. This requires continuous monitoring, and it requires a different approach to patch management. In a traditional environment, you patch all the time. However, in a container environment, you do not continuously patch containers. When a vulnerability becomes known, you immediately update the container image and deploy completely new containers. This changes your entire approach to patch management.

The big challenge in a massively scaled container environment is the need to continuously scan and monitor for noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity need to be adaptable to different situations at any point and time. A container that is streaming an application right now may not be in 10 seconds. The tools need to be intelligent, perhaps artificial intelligence (AI) driven. Everything is pattern based, behavior based, and risk based. The tools need to be able to protect you in a way that dynamically adapts to the current state of your constantly changing environment.

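Darrell Shack’s advice to verify the source and authenticity of pulled images, and Mauro Loda’s point that images must be scanned and authenticated across platforms, reduce to a pull-time policy. The following is an added example, not code from the guide or from either contributor: it parses image references the way a registry client does and rejects any that are not from an approved registry, not pinned by digest, or whose digest is not in the set of scanned builds (the registry name and the digest allowlist are constructed).

```python
"""Image-reference policy: approved registry, digest pinning, scanned digest (added
example, not the guide's code). Parses references in the form
registry/repository[:tag][@sha256:digest] and rejects those that cannot be tied
to a known source and an exact, scanned build. Allowlists below are constructed.
"""
import re

APPROVED_REGISTRIES = {"registry.example.internal"}  # constructed allowlist
# Constructed: digests that passed image scanning. A real pipeline would publish
# this set from the CI job that scanned and signed the build.
SCANNED_DIGESTS = {"sha256:" + "a1" * 32}

_REF = re.compile(
    # A leading component is a registry when it is localhost, has a port, or has a dot.
    r"^(?:(?P<registry>localhost(?::\d+)?|[^/:]+:\d+|[^/:]+\.[^/:]+(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref: str) -> dict:
    """Split a reference into registry, repo, tag and digest (None when absent)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"  # bare names resolve to Docker Hub
    return parts


def image_policy_violations(ref: str) -> list:
    """Return the reasons a reference must not be pulled; an empty list means allowed."""
    try:
        parts = parse_reference(ref)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parts["registry"] not in APPROVED_REGISTRIES:
        problems.append(f"registry {parts['registry']} is not an approved source")
    if parts["digest"] is None:
        tag = parts["tag"] or "latest"
        problems.append(f"not pinned by digest: tag {tag} can be silently replaced")
    elif parts["digest"] not in SCANNED_DIGESTS:
        problems.append("digest has not passed image scanning")
    return problems


if __name__ == "__main__":
    for ref in ("nginx", "registry.example.internal/billing-api:1.4",
                "registry.example.internal/billing-api@sha256:" + "a1" * 32):
        print(ref, "->", image_policy_violations(ref) or "allowed")
```

Because a digest names exact content, a pinned reference cannot drift to a rebuilt image that was never scanned, which is what a mutable tag silently allows.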
“ANOTHER CHALLENGE FOR CONTAINERIZED ARCHITECTURES IS THAT THEY MAKE FORENSICS DIFFICULT.”

James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC

James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.

The biggest security concern when using containers is that they come out of a centralized distribution area. This means if one file gets infected, that can affect everything in the environment. The big challenge for environments that use containers is how you minimize the risk of that centralized architecture.

Another challenge for containerized architectures is that they make forensics difficult. In an environment that instantly spins up a machine to provide on-demand services and then eliminates that container when it is no longer needed, if the container is compromised, what did it do while it was up? For instance, if something jumped from a computer to an image and then got access from that image to another server before the image spun down, the image is now gone but the damage is already done. Even if you have good monitoring tools that triggered an alert on a machine that is now gone, you no longer have access. The bad guys, depending on what kind of access they get, can erase logs and do other things to cover their tracks. From a forensics point of view, once you’ve discovered you’ve been breached, the way containers work can make it very difficult to go back and trace the steps of an attack. If you have a large enough budget, you may be able to log everything, but that may not be feasible in a massively scaled environment.

Addressing these challenges will fall on the way containerized environments are architected and built. Most developers are not taught and do not think about security first. They think application first and making it work.

“THE REAL ISSUE IS WHETHER YOU HAVE A DISCIPLINE IN PLACE TO ENSURE SECURE USE OF CONTAINERS.”

Milinda Rambel Stone, Vice President & CISO, Provation Medical

Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).

It’s not that the container creates the vulnerability. The real issue is whether you have a discipline in place to ensure secure use of containers. If you’re simply creating containers without monitoring and measuring, then you don’t have a consistent process. Your vulnerabilities will be replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the case, things can go downhill fast. You have to focus on making sure those containers are consistent and that they’re healthy.

One trend we’re seeing in the industry is this concept of cloud security. It’s a new discipline between the old-school definition of what security was and the concept of cloud, and there’s a shared level of skill between the cloud team and the security team. That’s where you can build a disciplined process across the two teams that works much better in the cloud than the old-school model of security.

Part of the challenge is you are dealing with such a dynamic environment. What worked for you yesterday or even four hours ago might not work for you today or tomorrow. You have to be continually paying attention to potential new threats and risks. You need third-party assessments to validate the assumptions you’re making, whether they are accurate, and if you are taking the right steps to mitigate them. You need to take an engineering approach, and in this environment, if you’re running processes manually, you’re going to miss many things. It’s an environment where everything must be automated.

KEY POINTS
If you’re just creating containers without monitoring and measuring, then you don’t have a consistent process. Your
vulnerabilities will get replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the
case, things can go bad fast.

The big challenge in a massively scaled container environment is the need to scan and monitor continuously for
noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity
need to be adaptable to different situations at any point and time.

Ultimately, developers need to incorporate security to the point where they create security policy as code. This involves using
tools that do security scanning during development and give developers instant feedback about vulnerabilities.
