Containers and microservices complicate cloud-native security

As microservices-based applications are deployed to a sea of Docker containers, mitigating cloud-native security issues is becoming a struggle.

There's not much new in the world of malicious hackers raiding online software. Most attacks follow the same basic approach, and software developers are leaving their applications open to being blindsided in the most benign and boring of ways. Developing applications with microservices and containers may be a modern approach to software design, but traditional software flaws still remain a problem when addressing cloud-native security.

Social engineering and phishing scams are perhaps the most common way security systems are breached and private data is pilfered. If a user inadvertently gives away his username and password, the only recourse is to change the password or shut down the user account. From that perspective, there's not much the software engineer can do.

Prioritizing cloud-native security

But not every data breach can be blamed on an end user, which is why developers must be vigilant when it comes to cloud-native security. According to Matt Rose, global director of application security strategy at Checkmarx, it's commonplace for his software company's static code analysis tools to identify places where input isn't properly validated -- making SQL injection a very plausible threat -- where administrative passwords are exposed in plain text, where opportunities exist for buffer overruns and where private user information is inadvertently written to the file system.

Software development teams are normally pretty good at tackling what they might consider severe threats or critical bugs, but sometimes, it's the less severe bugs that can create the biggest problems, especially when an attacker can stack them on top of each other.

The reality is that, in this age of DevOps and cloud-native development, the software stack is more complex than ever, and when code is distributed across a multitude of microservices and layered upon multiple virtual machines (VMs) and Docker containers, security holes can be difficult to identify. "The complexity of the application is a major challenge to any development staff," Rose said. "Once code is in production, hackers have an unlimited amount of time and resources to think about a way to leverage something a developer only had perhaps a week to program. You can be very versed in security and still miss things."

Securing containers and microservices

Of course, it's not all downside when it comes to securing a microservices-laden application and a Docker-heavy software stack. The reality is that a minimally built container can be far more secure than a full-blown VM, and when issues are identified, container orchestration tools are making it easier than ever to enforce cloud-native security by rolling out updates to each Docker instance.

"The way that containerization has progressed is it's taken the whole cloud templating model and said, 'Let's have a golden master for a container, and that container itself should have just enough of an operating environment to actually be useful,'" said Tim Mackey of Black Duck Software. And since Docker separates the user space upon which installed software runs from the kernel, the attack surface is much smaller when compared to VMs or applications running on bare metal.

And when problems do occur with software hosted by a container -- or even the container itself -- implementing a cloud-native security fix isn't as cumbersome as one might think. "Because these containers can spin up very quickly -- and by extension, spin down very quickly," Mackey said, "if I need to patch them, then I can very easily build a rolling upgrade that is minimally disruptive."

As containers and microservices dominate the world of DevOps, software developers must remain diligent, which means writing robust code that meets basic security standards and, at the same time, addressing problems when they arise and implementing bug fixes for even the least critical issues. And when problems do occur, rolling out a cloud-native security update across a sea of containers and microservices will be a relatively pain-free process.
