Container security policies
Container security policies are a group of software quality policies used by the Spectra Assure platform to help you improve the security of your container images.
These policies are used during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, container security policies focus on preventing issues tied to container images that can make them more susceptible to attacks or security breaches if left unresolved. In this context, container security issues include exposed insecure remote-access ports, missing, duplicated, or misused build instructions, and unnecessary administrative privileges in container image configuration files. Advanced users of Spectra Assure can adjust how each issue is treated and add their own exceptions to policy configuration files.
In the Spectra Assure SAFE report, these policy violations can be found in the Container Security issue category.
Software developers and DevOps engineers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect an issue in a container image, its exact location is highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
The Spectra Assure platform currently supports the following container image formats:
- Docker
- Open Container Initiative (OCI)
- Linux Containers (LXD)
Security challenges and practices
Container images are immutable packages with all dependencies, configuration, metadata, and instructions needed for an application to run. Containers are runnable instances of container images that can be started on local machines, on virtual machines, or in the cloud. Because an image carries everything the application needs, the same image can be deployed in any environment with a compatible container runtime. Containers also start faster and use fewer resources than virtual machines because they share the host system's kernel instead of booting their own. Isolation from the host and from other containers is provided by kernel features such as namespaces and cgroups, which keeps containers from interfering with each other and makes them convenient for running software that handles sensitive data without granting every user on the host access to it. That isolation is weaker than a virtual machine boundary, however, precisely because the kernel is shared.
However, container images often contain third-party code and open-source dependencies, which can carry vulnerabilities later inherited by the images and by the containers deployed from them. Each filesystem-changing instruction in the image's build configuration (such as RUN, COPY, or ADD) produces a separate image layer, and layers are additive: a file deleted in a later layer is still present in the earlier one. Each layer is therefore a distinct attack surface that can conceal security issues or misconfigurations, including credentials that a later build step only appeared to remove.
The use of containers has significantly increased in recent years due to their convenience, speed, and reliability across various environments. This in turn increases the need for organizations to implement appropriate container security measures as an essential part of their cybersecurity strategy. Because containers are complex, short-lived, and deployed and scaled dynamically, container security checks should be fully automated and integrated into every stage of the SDLC, so that security issues are detected and remediated before a containerized application is deployed.
To ensure that your containers are safe to run and distribute, adopt some of the following container security best practices:
- Secure your container images by removing unnecessary components. The attack surface can also be reduced by using only base images from trusted sources and rescanning them regularly. Avoid running containers as root; instead create a dedicated, unprivileged user in each image (the USER instruction in a Dockerfile) with only the permissions the application needs.
- Secure your container infrastructure by segmenting your network to isolate containers carrying sensitive data. It is also crucial to expose only the ports the containerized application actually requires, and never remote-administration services such as FTP, SSH, Telnet, rlogin, rsh, or RDP, which have no place inside an application container.
- Make sure your secrets, such as database credentials, TLS private keys, encryption keys, or API keys, are not baked into your container images, including in an intermediate layer that a later build step deletes. Instead, store them in a secret management tool that encrypts them and passes them to the container at runtime.
- Secure the target environment by hardening the underlying (host) operating system and limiting the number of accounts with administrative access to container resources.
- If your company maintains its own container registry, restrict access to it and review that access regularly. Images stored there need to be signed to protect them from tampering. They should also be regularly scanned to detect any potential vulnerabilities or outdated components that could be exploited.
Container security policies help you improve your organization's security posture and reduce its exposure to the threats described above. This way, your customers can be confident that their data is kept safe, which in turn strengthens the reputation of your organization.
Policies in this category
Container security policies cover the following:
- user privilege and file permission issues
- insecure network access protocols
- Dockerfile instructions issues
- SQ40101 - Detected container images configured to run with administrative privileges.
- SQ40102 - Detected container images that contain files with setuid or setgid permissions.
- SQ40103 - Detected container images that might expose the FTP port.
- SQ40104 - Detected container images that might expose the SSH port.
- SQ40105 - Detected container images that might expose the Telnet port.
- SQ40106 - Detected container images that might expose the rlogin port.
- SQ40107 - Detected container images that might expose the Remote Shell (rsh) port.
- SQ40108 - Detected container images that might expose the Microsoft Terminal Server (RDP) port.
- SQ41101 - Detected container images that lack HEALTHCHECK instructions.
- SQ41102 - Detected container images that use ADD instructions.
- SQ41103 - Detected container images that use CMD instructions in shell form.
- SQ41104 - Detected container images with multiple CMD instructions.
- SQ41105 - Detected container images with multiple ENTRYPOINT instructions.
- SQ41106 - Detected container images with COPY commands to relative path target without the WORKDIR set.
Recommended for you
- 7 best practices for modern container security (ReversingLabs blog)
- The state of container security: Teams and tools are key to releasing software confidently (ReversingLabs blog)
- Docker Security [External resource - Docker]
- Docker Security Cheat Sheet [External resource - OWASP Cheat Sheet Series]