- Static code analysis tools secure software development by evaluating source code, checking for common errors, and enforcing coding standards.
- Server assessment tools check the versions of the operating system and other components, scan for vulnerabilities and patch levels, and enforce configuration standards to secure infrastructure operations.
Containers: new rules, new security processes
A container embeds all operating system components, required software, and related settings into the image. Once the image is built and shipped, it should not be changed. A running container cannot be reconfigured, repaired, or patched; the only way to modify the internal environment of an image is to build a new image. That is to say, the only place where infrastructure security controls can be applied is when the image is built, because once the image is deployed there is no room for change.
Attention should be paid to security issues
Embedding security controls in the infrastructure has largely, even fundamentally, changed the build process. It turns the current security control process around: instead of iteratively evaluating, repairing, and adjusting configuration after development and integration are complete, security controls run first, that is, as soon as the image is built and before any further CI/CD (continuous integration and continuous delivery) steps. This is the real meaning of the phrase "move security control to the front". In this process all elements of the infrastructure security policy need to be implemented, which is very important. In addition, there are some policies specific to container images:
- Images are built from a baseline (template) image.
- Server software components may carry only accepted vulnerabilities.
- Server software components are at least the lowest version that meets requirements.
- The image's operating system configuration meets the organization's standard.
- Image metadata includes the required elements, user environment settings, and entry point settings.
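The image policies above can be enforced as a gate that runs right after the build and before the image is shipped. The following is an added example, not code from the original article or from any named project: it reads an image configuration shaped like the `Config` section of `docker inspect` and a list of scanner findings (both constructed inline), and returns the policy violations. The label names, severity scale, and `CVE-0000-000x` identifiers are assumed placeholders.

```python
"""Image admission gate: run once the image is built, before any further CI/CD step."""
from dataclasses import dataclass, field

@dataclass
class ImagePolicy:
    approved_bases: set                    # baseline (template) images builds may start from
    required_labels: set                   # metadata elements every image must carry
    fail_on: set = field(default_factory=lambda: {"CRITICAL", "HIGH"})
    accepted_vulns: set = field(default_factory=set)  # vulnerabilities the organization accepts

def evaluate_image(config: dict, findings: list, policy: ImagePolicy) -> list:
    """Return the list of policy violations; an empty list means the image may ship."""
    violations = []
    labels = config.get("Labels") or {}
    base = labels.get("org.opencontainers.image.base.name", "")   # assumed base-image label
    if base not in policy.approved_bases:
        violations.append(f"base image is not an approved baseline: {base or '<none>'}")
    for key in sorted(policy.required_labels - set(labels)):
        violations.append(f"missing required metadata label: {key}")
    user = (config.get("User") or "").split(":")[0]               # "uid:gid" or name
    if user in ("", "0", "root"):
        violations.append("image runs as root; set a non-root USER")
    if not config.get("Entrypoint"):
        violations.append("no ENTRYPOINT defined")
    for f in findings:
        if f["severity"] in policy.fail_on and f["id"] not in policy.accepted_vulns:
            violations.append(f"{f['id']} ({f['severity']}) in {f['package']} is not accepted")
    return violations

# Constructed sample input shaped like `docker inspect` output and a scanner report.
SAMPLE_CONFIG = {
    "User": "app",
    "Entrypoint": ["/usr/bin/app"],
    "Labels": {"org.opencontainers.image.base.name": "registry.example/base/debian:12",
               "org.opencontainers.image.version": "1.4.0"},
}
SAMPLE_FINDINGS = [  # one finding the organization has accepted, one below the threshold
    {"id": "CVE-0000-0001", "severity": "HIGH", "package": "libfoo"},
    {"id": "CVE-0000-0002", "severity": "LOW", "package": "libbar"},
]
POLICY = ImagePolicy(
    approved_bases={"registry.example/base/debian:12"},
    required_labels={"org.opencontainers.image.base.name", "org.opencontainers.image.version"},
    accepted_vulns={"CVE-0000-0001"},
)

if __name__ == "__main__":
    for v in evaluate_image(SAMPLE_CONFIG, SAMPLE_FINDINGS, POLICY):
        print("VIOLATION:", v)
```

In a pipeline the gate would be fed the real `docker inspect` and scanner output and fail the build on a non-empty result, so a non-compliant image is never shipped.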
It's time to update security controls
Security organizations have focused on unauthorized change for a long time. Redirect servers, privileged identity management, log management, change windows, and root cause analysis all serve to detect and prevent unauthorized changes to software components and their configuration. Continuous internal and external vulnerability assessment of hosts exists to measure, in a timely manner, the inevitable changes in the IT infrastructure. Applying this to a containerized environment seems unrealistic, because it demands both dynamism and consistency. With containers, the host no longer matters in this sense: it carries no meaningful workload or configuration apart from the container engine. At the same time, there is no longer any point in changing running containers, because those changes are overwritten when the container is re-orchestrated or recreated. In short, change in the traditional sense is no longer needed. Where a change is required, you simply build a new image to replace, add, or repair the containers you want to modify until they meet your expectations. If security controls are introduced into this process and operate effectively, what was previously thought impossible becomes achievable: applications that are fundamentally more secure, built faster and more efficiently than before.
Original link: Container Security and DevSecOps: The Old Rules No Longer Apply (translation: Ma Yuanzheng)
Original publication date: 2017-04-24
Author: Ma Yuanzheng
This article is from Dockerone.io, a partner of the Yunqi community. For more information, see Dockerone.io.
Original title: Container Security and DevSecOps: some old rules that no longer apply