Shlomi Ben Haim, JFrog Co-Founder and CEO (Source JFrog)
By Contributing Author
Israel is experiencing a tech boom, despite COVID-19. Tech companies in the country are still advancing their software development processes with DevOps taking on greater roles.
According to Eyal Bino, entrepreneur contributor at Forbes, “Israel has moved over the past few years from Startup Nation to Scale-Up Nation. Now comes a new chapter to Israeli tech, one that includes new challenges but definitely lots of unique opportunities.”
One of the biggest challenges that Israeli companies, and Israeli companies based in the U.S., face is cybersecurity. Among the top types of security that software development teams need to focus on is container security, along with other DevOps tools outlined by JFrog.
If you’re in DevOps, you probably remember the container platform hack of Kubernetes. It served as a call to action for DevOps teams and DevSecOps teams within enterprise companies.
The Kubernetes Container Security Hack Recap
Earlier this year, Kubernetes was hacked, causing a misconfiguration that made container files vulnerable. This allowed hackers to deploy cryptomining containers and emphasized the risk when clusters are sent to production stages.
All cybersecurity threats aside, make no mistake about how valuable Kubernetes is when it comes to automation, scalability, and distribution. And Kubernetes is not the only victim of cybercrime in 2020. Every company is at risk.
Staying Compliant With Industry Regulations — Especially HealthTech & FinTech
Most tech companies, or companies with tech ecosystems, have standard practices in place to ensure that software and other digital assets are secure and meet regulatory and compliance standards. The same practice also needs to be implemented for container files and applications developed using containers.
For instance, regulations like GDPR and PCI are major regulations and require transparency within the container ecosystem. Every container, and all container communications involving highly sensitive data, need to be secured. Do not simply secure the base image of a container and call it a day.
But this is where it gets challenging. As containers grow, their ecosystem can be spread across a number of places, or even be cloud based. This is why scaling puts container security at risk. The security in place must be able to scale with the growth of the actual container environment.
DevOps teams within enterprise companies should do their due diligence and ensure the full pipeline and processes within that pipeline are under scrutiny for security measures. This scrutiny needs compliance and regulatory standards at the forefront.
Connecting The Dots Between Container Security And Legacy System Security
Container security and legacy system security share some commonalities. For example, they both have a high risk for runtime cyberattacks. This open port hack can be dangerous for software development and DevOps enterprise teams. SQL injection cyberattacks, layered application hacks, data breaches, and other threats are also present.
Another point worth raising when it comes to container security is that container files via Kubernetes have a base layer that can make it challenging for legacy system security to identify network cyberattacks. This is due to containers encrypting multiple truths of some kind.
How Can You Decrease Container Security Risk Within Your Enterprise DevOps Environment?
There are steps you and your DevOps team can take to make container security a top priority. Remember, the Kubernetes hack was a warning. There are definitely more to come. So it is time to start ensuring scalable security best practices are in place.
First, have a native security plan that encompasses container files/images. Security integration needs to be quick to deploy and easy for the DevOps team to manage. Also think about the security measures needed when updates are implemented.
Second, have security measures implemented in every single stage of the container development process. This means that security must be present for builds, ships, runs, and other key stages. Focus should also be placed on registry scanning, container firewall setup and management, CI/CD pipeline integration, and vulnerability analytics and mitigation.
Lastly, ensure that the configurations of your container environment, whether you use Kubernetes or not, are secure and managed with cybersecurity in mind. CIS benchmark, role-based permissions, admission management, and more should also be a primary focus.
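The configuration and admission checks named in the steps above can be enforced before a workload ever runs. The following is an added example, not code from this article, JFrog, or the Kubernetes project: a minimal policy function of the kind a validating admission webhook would run against a Pod. The approved registry name, the policy rules, and the sample request are assumptions constructed for illustration.

```python
# Added illustration: admission-style policy check over a Pod object.
# ALLOWED_REGISTRIES and the sample review below are constructed assumptions.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def pod_violations(pod):
    """Return a list of policy violations for a Pod manifest (as a dict)."""
    spec = pod.get("spec", {})
    problems = []
    if spec.get("hostNetwork"):
        problems.append("hostNetwork is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            problems.append(f"{name}: image not from an approved registry")
        # Require a digest or an explicit tag other than 'latest'.
        ref = image.rsplit("/", 1)[-1]
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            problems.append(f"{name}: image is not pinned to a tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            problems.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Resource limits cap the damage from a hijacked or mining container.
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            problems.append(f"{name}: missing CPU/memory limits")
    return problems


def review(admission_review):
    """Build the AdmissionReview response for a validating webhook."""
    req = admission_review["request"]
    problems = pod_violations(req["object"])
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample request: an unpinned public image with no limits.
SAMPLE = {"request": {"uid": "constructed-uid-1", "object": {
    "kind": "Pod", "spec": {"containers": [
        {"name": "worker", "image": "docker.io/example/worker:latest",
         "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    print(review(SAMPLE)["response"])
```

The same `pod_violations` function can be run in a CI/CD stage against rendered manifests, so a violation is caught at build time as well as at admission.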
Build Better Software Development Container Security
There is no shortage of ways a hacker can infiltrate your company’s data and assets. Containers are certainly not immune, as seen in the case of Kubernetes. Tech-minded enterprise companies, or companies with a heavy tech environment, should be aware of such threats and mitigate risk accordingly. What’s your company’s container security strategy?