Published: 28 August 2018
Summary
Container and microservices architectures require DevSecOps, a protection strategy that differs from the one used for traditional VMs running monolithic applications. Technical professionals tasked with securing containers must harden the CI/CD pipeline so that everything that passes through it can be trusted as secure.
Included in Full Research
- CI/CD Pipeline Threat Vectors
  - Threat Vector 1: Development System
  - Threat Vector 2: Git-Based Repository
  - Threat Vector 3: Retrieval of Dependencies
  - Threat Vector 4: Image Registry
  - Threat Vector 5: Unsecured Orchestrator Platform
  - Threat Vector 6: Host-Container Relationship
  - Threat Vector 7: Rapid Rate of Change
  - Threat Vector 8: MSA Communication and Network Segregation
  - Threat Vector 9: Interprocess Communication (IPC)
  - Threat Vector 10: Increased Number of Databases
  - Threat Vector 11: Application Layer Attacks
- How to Mitigate the Threat Vectors
  - Foundational Controls
    - Host Hardening
    - Mandatory Access Controls
    - Secure Computing Mode Profiles
    - Secrets Management
  - Basic Controls
    - Software Composition Analysis
    - Authorization Between Microservices and MSA Resilience
    - API Gateways
  - Risk-Based Controls
    - Data-Centric Controls: DAP and FCAP
    - Vulnerability Assessment
    - Behavior-Based Controls
    - Network Segmentation for Containers
- Architectural Considerations
  - Strengths
  - Weaknesses
- Make Security Pervasive in the CI/CD Pipeline
- Use Secrets Management and Software Composition Analysis as Your Primary Container Protection Strategies
- Add Layer 7 Network Segmentation for Operational Containers That Require Defense in Depth
- Require Vendors to Integrate With the Container Offerings of Leading Cloud Service Providers
- Representative Generalized Container Security Products
- Representative Container Network Security Products
- Open-Source Projects to Secure Containers