As most security pros know, application containers — Docker, rkt, etc. — and the orchestration elements employed to support them, such as Kubernetes, are used increasingly in many organizations.
Often the security organization isn’t exactly the first stop on the path to deployment of these tools. (If it was in your shop, consider yourself one of the lucky ones.) Instead, usage tends to emerge from the grass roots. It starts with developers using containers on their workstations to streamline unit testing and environmental configuration; builds traction as integration processes adapt to a more “continuous integration” approach facilitated by containers; and ultimately gains acceptance in the broader production landscape.
In short, as is often the case, many security pros find out about the usage when their organization is already waist-deep in it.
This puts security practitioners in a bit of a rock-and-a-hard-place situation. Not only do we need to secure the container runtime and orchestration environments — we need to do so at the same time that we provide assurance for the applications, supporting libraries, middleware components, etc., stored inside those containers.
We need to do all of this without sacrificing the quality or rigor of efforts in other areas, while building expertise on the nuances of the different container engines, orchestration environments, microservice architecture approaches, and cloud technologies that support their use.
Sound challenging? You bet it is.
This means that security pros — particularly those on the more technical end of the spectrum — need every advantage they can get when it comes to securing containers. Any “force multiplier” helps: automation, discovery and visibility tools, better monitoring, etc.
There are numerous commercial tools out there that can help in these areas (and in many others), but sometimes you need help right now. You may not be able to wait for a budget cycle to buy a tool off the shelf. In that case, open source options can provide an on-ramp without waiting for budget.
What’s in That Container?
Now, there are a few open source tools that are making a splash in the container security world, but the one I’ll focus on here is Anchore Engine, which targets a challenge many organizations have: specifically, unpacking, validating, and providing assurance for container contents.
Anchore Engine is an open source (Apache License 2.0) project that can help you in two ways, out of the box. First, it will give you an analysis of what is inside a given container. This includes providing an inventory of software — both operating system components and supporting packages — and artifacts like JRE versions, intermediate libraries, etc.
“Anchore Engine is an open source tool for performing deep inspection of container images,” said Ross Turk, Anchore VP of marketing. “These images can contain a whole lot: operating system packages, language libraries, credentials and secrets, and configuration that affects how the resulting containers are executed. Anchore Engine flattens and unpacks the image, layer by layer, and inventories what’s inside.”
This information is valuable not only because it tells you which software may need updating when security patches are released, but also because it gives you visibility into how applications and services are implemented before, during, or after their release into production. It can inform software architecture reviews, threat modeling, conversations about secrets management, audit activities and design reviews, among other things.
It’s also useful because it can help you understand where issues might be in individual containers. For example, you can use it to analyze what vulnerabilities (categorized by CVE number) are present on the container by virtue of the software installed.
In a way, it’s similar to getting vulnerability scan results for your containers; however, unlike vulnerability scanning, the container doesn’t need to be “live” to gather this information. So if you have a serialized container image (for example, one stored in a registry or on a developer’s workstation), you can still learn which vulnerabilities might affect the software inside it.
Integrating Into Your Environment
There are, of course, numerous other tools that do similar things — some commercial as well as other open source options. Regardless of whether you are already planning for or evaluating other options to do this, one advantage that an open source option provides (and where Anchore Engine excels) is that you can kick the tires and get started right away.
There are two advantages to this. First, there is immediate security value without the need to wait for a budget cycle or a lengthy integration cycle. It’s an ideal stopgap, even if you ultimately choose to investigate (or go with) another product offering. You can get an idea for the value provided by tools like this, and you can start gathering information immediately.
The second advantage is that it lets you experiment. You actually can experiment with where and how to integrate the data provided by the tool into your release pipelines or operational processes.
Keep in mind that there are numerous options here. You might decide, for example, that you will focus on the left side of the equation and enable developers to examine and evaluate containers themselves — for example, by training them on how to minimize unneeded supporting code, stale libraries, unnecessary packages, or known-vulnerable versions of software.
Alternatively, you might decide that the functionality is most valuable in your CI/CD pipeline, and you might write scripts to automate evaluation as container images make their way through. Lastly, you might decide that you want to gather better information about container images already in production, and use the tool as a way to gather information about what you already have deployed.
Turk outlined how — and why — organizations can get started with usage.
“We believe that deep image inspection should be a best practice for all those who work with containers,” he said. “Anchore Engine is free and open source and can be easily integrated into any CI/CD system. There really is no reason not to scan images before you publish or deploy them, and Anchore Engine comes with an out-of-the-box policy that can raise an alarm for the most commonly encountered vulnerabilities. We recommend that all developers integrate image scanning into their workflow, ideally through one of the many available CI/CD integrations.”
Regardless of where and how you decide to employ it, there is a rapid on-ramp. You can get up and running with five bash commands on a system with connectivity and Docker Compose already installed. No initial dollar investment is necessary to get started. How can you beat that?
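The CI/CD gate described above, written out as an added example (my code, not Anchore’s and not from the article): a pipeline step pipes the output of `anchore-cli --json image vuln <image> all` into this script, which stops the build on blocking-severity findings that already have a fix and only warns on those that do not. The report field names and the "None" fix sentinel are my assumptions about anchore-cli’s JSON output; check them against your engine version.

```python
"""CI gate over an Anchore Engine vulnerability report (added example).
Assumes the JSON shape of `anchore-cli --json image vuln <image> all`: a
"vulnerabilities" list of entries with "vuln", "severity", "package" and
"fix" ("None" when no fixed version exists). Field names are an assumption;
check them against your engine version."""
import json
import sys

# Constructed sample report; CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "imageDigest": "sha256:PLACEHOLDER",
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "Critical", "package": "openssl-1.1.1a", "fix": "1.1.1b"},
        {"vuln": "CVE-0000-0002", "severity": "High", "package": "libxml2-2.9.4", "fix": "None"},
        {"vuln": "CVE-0000-0003", "severity": "Medium", "package": "curl-7.64.0", "fix": "7.64.1"},
        {"vuln": "CVE-0000-0004", "severity": "High", "package": "lodash-4.17.11", "fix": "4.17.12"},
    ],
}

BLOCKING = {"Critical", "High"}  # severities allowed to stop a build


def evaluate(report, accepted=frozenset()):
    """Return (verdict, stop, warn). A blocking-severity finding with a fix
    available stops the build; one with no fix yet only warns (there is
    nothing to upgrade to); lower severities and accepted ids are ignored."""
    stop, warn = [], []
    for v in report.get("vulnerabilities", []):
        if v["vuln"] in accepted or v["severity"] not in BLOCKING:
            continue
        (warn if v.get("fix") in (None, "", "None") else stop).append(v)
    return ("fail" if stop else "pass"), stop, warn


def main(stream=sys.stdin, accepted=frozenset()):
    """Read the anchore-cli JSON from stdin (sample report on a TTY); exit 1 on fail."""
    report = SAMPLE_REPORT if stream.isatty() else json.load(stream)
    verdict, stop, warn = evaluate(report, accepted)
    for v in stop:
        print(f"STOP {v['vuln']} {v['severity']} {v['package']} -> fix {v['fix']}")
    for v in warn:
        print(f"WARN {v['vuln']} {v['severity']} {v['package']} (no fix yet)")
    print(f"verdict: {verdict}")
    return 0 if verdict == "pass" else 1


if __name__ == "__main__":
    sys.exit(main())
```

The `accepted` set is where a reviewed, time-boxed risk acceptance would go, so a build is never silently green on a known finding.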
The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.
London police to use face scan tech, stoking privacy fears
LONDON (AP) — London police will start using facial recognition cameras to pick out suspects from street crowds in real time, in a major advance for the controversial technology that raises worries about automated surveillance and erosion of privacy rights.
The Metropolitan Police Service said Friday that after a series of trials, the cameras will be put to work within a month in operational deployments of around 5-6 hours at potential crime hotspots. The locations would be chosen based on intelligence but the police did not say where, the number of places, or how many cameras would be deployed.
Real-time crowd surveillance by British police is among the more aggressive uses of facial recognition in wealthy democracies and raises questions about how the technology will enter people’s daily lives. Authorities and private companies are eager to use facial recognition but rights groups say it threatens civil liberties and represents an expansion of surveillance.
London’s decision to use the technology defies warnings from rights groups, lawmakers and independent experts, Amnesty International researcher Anna Bacciarelli said.
“Facial recognition technology poses a huge threat to human rights, including the rights to privacy, non-discrimination, freedom of expression, association and peaceful assembly,” Bacciarelli said.
London police said the facial recognition system, which runs on technology from Japan’s NEC, looks for faces in crowds to see if they match any on “watchlists” of up to 2,500 people wanted for serious and violent offences, including gun and knife crimes and child sexual exploitation.
“As a modern police force, I believe that we have a duty to use new technologies to keep people safe in London,” Assistant Commissioner Nick Ephgrave said in a statement.
The British have long become accustomed to video surveillance, with cameras used in public spaces for decades by security forces fighting terror threats. Real-time monitoring will put that tolerance to the test.
London is the sixth most monitored city in the world, with nearly 628,000 surveillance cameras, according to a report by Comparitech.
London’s move comes after a British High Court ruling last year cleared a similar deployment by South Wales police, which has been using it since 2017 to monitor big events like soccer games, royal visits and airshows. That system deleted people’s biometric data automatically after scanning.
Britain’s privacy commissioner, Elizabeth Denham, who had warned police not to take that ruling as a blanket approval, struck a cautious tone on Friday.
She said that while London police have stated they’re putting safeguards and transparency in place to protect privacy and human rights, “it is difficult to comment further on this until we have an actual deployment and we are able to scrutinize the details of that deployment.”
Signs will warn passersby about the cameras and officers will pass out leaflets with more information, the police said, adding that the system isn’t linked to any other surveillance systems.
London police previously carried out a series of trial deployments that they say identified 7 out of 10 wanted suspects who walked past the camera while only incorrectly flagging up 1 in 1,000 people. But an independent review last year by University of Essex professors questioned that, saying the trials raised concerns about their legal basis and the equipment’s accuracy, with only 8 of 42 matches verified as correct.
Pete Fussey, a University of Essex professor who co-authored the report, said NEC has upgraded its algorithm since then, but there’s evidence that the technology isn’t 100% accurate, pointing to a recent U.S. government lab’s test of nearly 200 algorithms that found most have ethnic bias.
“If you’re using the algorithm you should be aware of its shortcomings,” he said. “It’s vanishingly unlikely that NEC’s algorithm will be effective across all ethnic categories.”