Tuesday, January 18, 2022

OCI Vulnerability Scanning Service (VSS) and Oracle Cloud Guard

The Cloud Native Computing Foundation reported that over 92% of firms were using containers in production in 2020, up from 23% in 2016. The need to innovate faster and shift to cloud-native application architectures isn't just adding complexity; it's creating significant vulnerability blind spots.


Oracle has a new Oracle Cloud Guard detector for container image scanning. Customers can set the risk level for container images in the new Cloud Guard detector. The detector collects the image findings, which then surface as a container image 'problem' in Cloud Guard. This additional feature is useful for users who do not normally use the VSS or OCIR consoles to check the status of their container images. Cloud Guard alerts users when VSS detects container images with high-risk vulnerabilities, so everyone knows that a development team needs to address the issues quickly.
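To make the detector's behaviour concrete, here is an added example (not Oracle's code or API) that models the flow described above: flat scan findings are grouped per image, the image's risk level is its worst finding, and a problem is raised only when that level meets the configured threshold. The severity labels, image names and CVE ids are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Severity ladder, lowest to highest. Treating the labels as an ordered scale
# lets a configured risk level be compared cleanly against each finding.
SEVERITY_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def severity_rank(sev):
    """Position of a severity label on the ladder. An unknown or missing label
    ranks above CRITICAL so a malformed finding is never silently dropped."""
    sev = (sev or "").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)

@dataclass
class Problem:
    image: str        # image reference the problem is raised against
    risk_level: str   # worst severity found in that image
    counts: dict      # number of findings per severity label

def raise_problems(findings, min_risk="HIGH"):
    """Group findings by image and emit one Problem per image whose worst
    finding is at or above min_risk. Results are sorted by image name."""
    threshold = severity_rank(min_risk)
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], []).append(f)
    problems = []
    for image, items in sorted(by_image.items()):
        worst_rank = max(severity_rank(f["severity"]) for f in items)
        if worst_rank < threshold:
            continue  # below the configured risk level: no problem raised
        risk = SEVERITY_ORDER[worst_rank] if worst_rank < len(SEVERITY_ORDER) else "UNKNOWN"
        counts = Counter(f["severity"].upper() for f in items)
        problems.append(Problem(image, risk, dict(counts)))
    return problems

# Constructed sample findings (placeholder CVE ids, not real scan output).
SAMPLE_FINDINGS = [
    {"image": "ocir.example/app/api:1.4.2", "cve": "CVE-PLACEHOLDER-1", "severity": "CRITICAL"},
    {"image": "ocir.example/app/api:1.4.2", "cve": "CVE-PLACEHOLDER-2", "severity": "MEDIUM"},
    {"image": "ocir.example/app/api:1.4.2", "cve": "CVE-PLACEHOLDER-3", "severity": "medium"},
    {"image": "ocir.example/app/web:2.0.0", "cve": "CVE-PLACEHOLDER-4", "severity": "HIGH"},
    {"image": "ocir.example/app/worker:0.9.1", "cve": "CVE-PLACEHOLDER-5", "severity": "LOW"},
    {"image": "ocir.example/app/worker:0.9.1", "cve": "CVE-PLACEHOLDER-6", "severity": "MEDIUM"},
]

if __name__ == "__main__":
    for p in raise_problems(SAMPLE_FINDINGS):
        print(f"{p.image}: {p.risk_level} {p.counts}")
```

Lowering `min_risk` to MEDIUM makes the worker image a problem as well, which is the trade-off the risk-level setting controls: fewer, more urgent problems versus broader coverage.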


Container security is the process of implementing tools and policies to ensure that container infrastructure, apps, and other container components are protected. Linux containers allow both developers and IT operations to create a portable, lightweight, and self-sufficient environment for every application. However, securing containerized environments is a significant concern for DevSecOps teams.


Unfortunately, container security is much more difficult to achieve than security for more traditional compute platforms, such as virtual machines or bare metal hosts.


A container is a standalone file or package of software files with everything you need to run an application. The application's code, dependencies, libraries, runtime, and system tools are all "contained" within the container. As a result, containers have made the process of developing an application faster, simpler, and more powerful than ever.


To reduce an application's attack surface, developers need to remove any components that aren't needed. Use scripts to configure hosts properly based on the CIS benchmarks. Although legacy SCA and SAST tools can be slow and cumbersome to use, many have been evolving in recent years to support DevOps initiatives and automation, and they remain an important part of container security.
