How to Secure Containers, Applications, and Serverless Environments

This is the final post in our four-part series on security in the cloud. In part one, we discussed the AWS shared responsibility model; in part two, we discussed detecting, prioritizing, and remediating vulnerabilities in the cloud; and in part three, we explained how to handle misconfigurations in the cloud. In our final post, we’ll explain how to secure containers, applications, and serverless environments.

Securing containers in the cloud

Containers are not exclusively cloud-centric, but because they are often found in cloud environments, we decided it made sense to cover them as part of our series on cloud security. Since containers came onto the market, they have fundamentally changed the way organizations build, test, and deploy their applications. While they’re great for helping DevOps teams build and deliver applications in a fraction of the time, security and IT professionals are often not involved in decisions about if and how to use containers. And when they do stumble across them, security professionals inevitably wonder what level of risk they introduce and how the team can get better visibility. If the security team has no way to monitor and scan containers, how can they guarantee a certain level of security?

The good news is that you can get visibility with minimal impact on factors like speed of deployment that make containers so appealing to developers. To do this, you need the ability to identify containers in your environment, as well as assess container images for vulnerabilities during the build process (before they’re deployed).

You can connect your container repositories to a vulnerability risk management solution like InsightVM to maintain consistent visibility into every container and container configuration, allowing you to understand their level of risk. You can even integrate InsightVM with CI/CD tools like Jenkins to ensure vulnerable containers don’t get deployed. Furthermore, you can set a threshold to determine whether a build should be marked as failed, unstable, or passed based on your risk tolerance level.

Just because you secure containers before deployment doesn’t mean that they’ll remain secure once they’re running. Luckily, InsightVM enables you to discover and correlate deployed containers to assets, so you can then secure both containers and their hosts. InsightVM can also identify previously unknown containers and container hosts (rogue containers), so you’re never in the dark. Click here for more information on container security with InsightVM.

Another benefit to selecting a platform-agnostic container security solution like InsightVM is that it complements the portable nature of containers themselves. For many development teams, one of the most appealing features of containers is they can reduce or eliminate platform dependencies. Since containers are by definition self-contained, a containerized app can be quickly moved from one cloud provider to another or from cloud to on-prem. If portability is one of the reasons why your development team has chosen to use containers, you should make sure you select a container security solution that’s equally portable.

Securing Web Applications

In addition to identifying containers and assessing container images for vulnerabilities, you’ll also need to secure modern web applications that these containers are built for. InsightAppSec, Rapid7’s dynamic application security testing tool, can automatically crawl and assess modern web applications to identify vulnerabilities like SQL Injection, XSS, and CSRF.

Once vulnerabilities are detected, InsightAppSec provides rich technical detail and context for these, significantly speeding up remediation efforts. InsightAppSec also integrates with Atlassian Jira to give developers full visibility within their existing workflows. Even better, InsightAppSec’s Attack Replay feature lets developers validate vulnerabilities and test source code patches on their own.

Securing serverless environments

Over the past few years, organizations have started to transition from server-based to serverless environments. Rather than spinning up an instance and pushing out code to a service like EC2, you can simply deploy code to be run on a service like AWS Lambda without the hassle of creating and managing a server. However, just because it’s serverless doesn’t mean you aren’t required to take measures to ensure security.
While serverless takes care of things like patching, managing and configuring the OS, you are still responsible for managing access control (who can deploy code, who is an admin, etc.) and ensuring that your code doesn’t have vulnerabilities. As the Shared Responsibility Model states, anything you put onto services like Lambda is your responsibility to secure. You also need to know what level of security your cloud provider promises, as this can vary from vendor to vendor.

As we explain in this article, InsightAppSec is built to scan and test a web application during run time to ensure that, even if code is already live, you can detect and remediate issues. This is called DAST, or dynamic application security testing, which gives you the ability to see how the app behaves in a production environment so you can see how issues are actually impacting you. You can also leverage SAST (static application security testing) which takes place earlier in the software development lifecycle (SDLC) to detect error in the code itself (that is, if you know about serverless code in advance).

It’s also important to note that if you deploy code that has vulnerabilities, you’ll still have vulnerabilities in your application even if that code is deployed in a serverless environment. In other words, application-level vulnerabilities do not disappear when you go serverless. In fact, with serverless environments making it easier to deploy code, it becomes even more important to scan code in advance of a push because it can go live faster than ever.

Put simply, you need to know where your provider’s responsibility for security ends and where yours begins.

The more you see, the more you can protect

As you know, your risk exposure is constantly in flux, and the risks associated with containers and serverless are no exception. It’s important to view these risks alongside other risks from elsewhere in your organization so you can maintain visibility and stay on top of vulns.

A smart way to do this is to leverage the security features your cloud providers offer out of the box and integrate them with a cloud security solution that’s built for hybrid environments so you can see all your data in one unified place. More and more companies are moving away from point-based solutions and toward holistic ones so they can have full visibility, no matter where the risk lies.

Rapid7’s InsightVM and InsightAppSec are uniquely built to help IT, development, and security teams establish best-practice programs for monitoring and protecting container infrastructure that leave no blind spots. To learn more about Rapid7’s platform approach to container security, click here.

What other questions do you have about securing containers and serverless environments? Comment below or tag us on Twitter @Rapid7.