In this two-part series, we explain why container scanning is a critical part of cyber security for web developers. Here, we explain what a container is, why it is useful, and how it poses risk to your company.
Has your small- to mid-size business implemented a cyber risk management program? If so, you are in the minority, since only 4 in 10 have done so. Further, 20% of you do not use endpoint security, and 52% do not have any IT security experts in-house.
Here’s an important follow-up question: Do your cyber security practices include container scanning?
Containers are not physical spaces, but standardized units of software that combine two things: (1) your application source code with the operating system libraries and (2) the dependencies required to run that code in any environment. Containers make distributed applications easier to manage as organizations shift and adopt cloud-native development models and multi-cloud production environments.
Containers are part of the microservice architecture that splits your application into multiple services that perform specific functions and work together to be a part of your application as a whole. Each microservice carries out a different logical function for your application. Think of them as the bits and pieces of an application that work together to accomplish the overall goal.
Containers are quick and easy to deploy, they are scalable, and developers can deploy as many as they want as part of the microservice architecture.
These two containers dominate the industry:
Docker. Docker is an open-source containerization platform that makes it easier, simpler, and safer to build, deploy and operate containers. Docker is essentially a toolkit that enables developers to build and run their containers using simple commands through a single API/interface.
Kubernetes. Kubernetes makes it easy to deploy and manage containers at scale. Developed by Google, Kubernetes is an open-source container orchestration platform designed to automate the deployment, scaling, and management of docker containers. The Cloud Native Computing Foundation (CNCF) has established that Kubernetes is the de facto standard for container orchestration.
Beware: Open Source Can Mean Open to Risk
With the speed and velocity of modern development, developers rarely write all their code from scratch. Millions of developers have already created and shared components of what developers need to use in their code. And those developers make these basic components available free through the open-source community. Developers lean on the use of open-source packages, files, executables, libraries, and so forth as the base of their applications.
Developers then layer on their own software and package it all together to create a container. (You are no doubt starting to see why it’s so critical to scan a container that holds both your own programming and elements coming from outside your organization.)
The open-source community is collaborative, with developers from all over the world pushing updates to the open-source software community to address bugs, express security concerns, and suggest other improvements. Staying at least one step ahead of those updates as well as new software is critical.
In Part 2, we advocate promoting a “shift-left” mindset in which developers make a habit of scanning containers earlier and more often.