Microservices and containers can simplify DevOps security
You would think that managing a sea of containers and microservices would make DevOps security difficult, but it may, in fact, make DevSecOps easier.
Does a microservices-based approach to software development in which services are deployed to Docker-like containers and orchestrated with technologies like Kubernetes and Swarm actually make DevOps security easier? Black Duck's Tim Mackey certainly thinks so, and he's willing to make that argument from a couple of different perspectives.
The first argument Mackey makes is that the way in which the container itself is built provides significant advantages that DevOps security-minded professionals will admire. Because containers are typically built with a bare-bones approach to providing functionality, they present a far smaller attack surface than one might encounter with a virtualized OS or even an Amazon Elastic Compute Cloud instance.
The other way in which cloud-native apps help with DevOps security is the manner in which the software components a user installs on a container and the low-level runtime files used by the container are logically separated. "Because Docker takes the user space and separates it from the kernel, I don't have any of the kernel components in there, so I've got something that's already smaller from an attack surface perspective," Mackey said.
And of course, the stateless nature of cloud-native applications means that containers can be taken offline and put back into service without losing any application state. And since containers themselves can be stopped and started relatively quickly, when a DevOps security issue does arise, a patch can be rolled out painlessly. "Because containers can spin up and spin down very quickly, if I need to patch them, I can very easily build a rolling upgrade that is minimally disruptive," Mackey said.
So, while a cloud-native approach to software development might make the software topology look a little more complicated, the reality is that the development of microservices and their deployment into lightweight containers may actually make the system more secure as a whole, which will come as a great relief to those who are mindful of DevOps security.
To learn more about DevOps security, Black Duck's Hub Software and how to ensure your open source software projects don't contain a hidden threat, listen to the accompanying podcast in which TheServerSide's Cameron McKenzie speaks with Black Duck's Tim Mackey.