
Software programming development container setting security issues?

As the Internet keeps developing, new approaches have appeared in software development and hardware architecture, but security has not been left behind. Below, a computer training course looks at the security problems that arise in container setups.

Isolation

In the early days, many enterprises relied on hardware virtualization. After moving to containers, it should be noted that the isolation a container provides is very different from virtual machine (VM) isolation. When an application is attacked, the isolation provided by a VM effectively limits the attacker's lateral movement through the application stack, whereas containerized applications share the host operating system kernel and resources and cannot be completely isolated. There is no significant difference in the probability of being attacked between the two; the difference is that the blast radius of a compromised VM is smaller.

A simple way to address the isolation problem is to run the containers on virtual machines. A key advantage of containers is that the runtime can run anywhere, including on the virtual machines that enterprises are gradually phasing out. Some enterprises therefore run containerized applications on VMs and use the VM boundary to keep an attacker from moving laterally through the application stack and reaching data that belongs to other applications. This policy limits the severity of an attack, but it does not prevent the attack from happening.
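Whether or not the containers sit on a VM, the settings in the pod spec decide how much of the host a compromised container can reach. The following added example (not code from the original article or from any project) checks a Kubernetes pod spec, loaded as a Python dict, for the settings that weaken the container/host boundary: host namespaces, sensitive hostPath mounts, privileged mode, added capabilities, a root user, and the absence of a runtimeClassName. Both sample specs are constructed; the runtime class name "kata" is an assumption standing in for whatever VM-backed runtime handler a cluster exposes.

```python
"""Flag pod-spec settings that weaken the container/host boundary.

Added example, not from the original article. A Kubernetes pod spec
(as a dict, as it looks after loading YAML/JSON) is checked for settings
that give a compromised container a shorter path to the host kernel or
to other workloads. Both sample specs below are constructed.
"""
from typing import Dict, List

# Capabilities that amount to host control when added to a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Host paths whose bind mount exposes the runtime, kubelet or host itself.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/containerd",
                        "/var/lib/kubelet", "/proc", "/sys")


def _is_sensitive(path: str) -> bool:
    """True if path equals or lies beneath one of the sensitive host paths."""
    for p in SENSITIVE_HOST_PATHS:
        if path == p or (p != "/" and path.startswith(p + "/")):
            return True
    return False


def isolation_findings(pod: Dict) -> List[str]:
    """Return one string per weakening setting; an empty list means none found."""
    spec = pod.get("spec", {})
    findings: List[str] = []

    # Host namespaces: sharing PID, network or IPC with the host removes
    # exactly the namespace boundary a container is supposed to provide.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{key} is enabled: pod shares the host {key[4:].lower()} namespace")

    # hostPath volumes bind-mount the host filesystem into the container.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and _is_sensitive(path):
            findings.append(f"volume {vol.get('name')} mounts sensitive host path {path}")

    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"container {name} is privileged: all capabilities and host devices")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container {name} allows privilege escalation (no_new_privs not set)")
        for cap in sorted(set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS):
            findings.append(f"container {name} adds capability {cap}")
        # Unset runAsUser means the image default, which is usually root.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"container {name} does not enforce a non-root user")

    # runtimeClassName selects the runtime handler; a VM-backed class (the
    # name "kata" below is an assumption) gives the pod its own kernel.
    if "runtimeClassName" not in spec:
        findings.append("no runtimeClassName: pod runs on the shared host kernel")
    return findings


# Constructed sample: a "debug" pod that punches through to the host.
WEAK_POD = {
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed sample: a web pod with the boundary kept intact.
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "runtimeClassName": "kata",
        "containers": [{
            "name": "web", "image": "nginx",
            "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], isolation_findings(pod) or ["no findings"])
```

The weak spec produces seven findings and the hardened one none. The check is deliberately conservative: a legitimate monitoring agent may need hostPID or a /proc mount, and the right response is an explicit exception for that pod, not a looser rule.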

Runtime

The dynamic nature of containers introduces new runtime complexity that application deployment teams must understand and manage. Container orchestration systems such as Kubernetes are designed to quickly provision replicated instances of container images. A containerized application consists of one or more container images, coupled together to provide the functions the application requires.

Application scalability is the ability to deploy a specific number of container instances at a given point in time. When new features are ready to ship, the application owner defines an update policy that keeps existing users of the application unaffected by the update. The update policy specifies what percentage of the instances is rolled forward to the new image at a time and how to roll back when errors are found.

Because containerized deployments are dynamic, monitoring for malicious behavior or unauthorized access is harder than in a traditional IT environment. Containerized applications usually have different resource requests, and those resources are shared at the host server level. For these reasons, IT operations and security teams should work with their development teams and share information to understand the expected behavior of each application.

Runtime security solutions are a common option for detecting and preventing malicious activity in real time. By monitoring network calls to the host, attempts to log in to the container, and file-system and operating-system activity, these solutions build a behavior model for each application in the environment that captures the network operations, file-system and operating-system activity, and functions the application is expected to perform.
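The behavior model described above is, at its core, a per-image baseline of processes, outbound destinations and written paths, against which live events are compared. The following added example (not code from the original article or from any runtime security product) implements that loop over constructed event records: a baseline run of a web image is learned, then a later run that spawns a shell, connects to an unknown address and writes outside its usual directories is flagged. The event schema (type, path, dst, port) is an assumption made for the example; a real sensor would feed these from its own audit or eBPF source.

```python
"""Baseline-and-deviate detection for container runtime events.

Added example, not code from the original article or any product. It
learns, per image, the processes, outbound destinations and written
directory prefixes seen during a trusted run, then flags later events
outside that profile. Event records and field names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Profile:
    processes: Set[str] = field(default_factory=set)      # executable paths
    destinations: Set[str] = field(default_factory=set)   # "host:port"
    write_prefixes: Set[str] = field(default_factory=set) # allowed directories


def learn(events: List[dict]) -> Dict[str, Profile]:
    """Build one profile per image from events seen while the app behaves normally."""
    profiles: Dict[str, Profile] = {}
    for ev in events:
        p = profiles.setdefault(ev["image"], Profile())
        if ev["type"] == "exec":
            p.processes.add(ev["path"])
        elif ev["type"] == "connect":
            p.destinations.add(f"{ev['dst']}:{ev['port']}")
        elif ev["type"] == "write":
            # Generalise a written file to its top two directory levels,
            # so /var/log/nginx/access.log permits later writes under /var/log.
            p.write_prefixes.add("/".join(ev["path"].split("/")[:3]))
    return profiles


def detect(profiles: Dict[str, Profile], events: List[dict]) -> List[str]:
    """Return one alert string per event that falls outside the learned profile."""
    alerts: List[str] = []
    for ev in events:
        p = profiles.get(ev["image"])
        if p is None:
            alerts.append(f"{ev['container']}: image {ev['image']} has no profile")
            continue
        if ev["type"] == "exec" and ev["path"] not in p.processes:
            alerts.append(f"{ev['container']}: unexpected process {ev['path']}")
        elif ev["type"] == "connect":
            dst = f"{ev['dst']}:{ev['port']}"
            if dst not in p.destinations:
                alerts.append(f"{ev['container']}: unexpected outbound connection to {dst}")
        elif ev["type"] == "write":
            if not any(ev["path"] == pre or ev["path"].startswith(pre + "/")
                       for pre in p.write_prefixes):
                alerts.append(f"{ev['container']}: write outside profile {ev['path']}")
    return alerts


# Constructed baseline: what the web image does during a clean run.
BASELINE = [
    {"image": "shop/web:1.4", "container": "web-1", "type": "exec", "path": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "container": "web-1", "type": "connect", "dst": "10.0.3.12", "port": 5432},
    {"image": "shop/web:1.4", "container": "web-1", "type": "write", "path": "/var/log/nginx/access.log"},
]

# Constructed live events: the same image, now behaving like a compromised web server.
LIVE = [
    {"image": "shop/web:1.4", "container": "web-2", "type": "exec", "path": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "container": "web-2", "type": "exec", "path": "/bin/sh"},
    {"image": "shop/web:1.4", "container": "web-2", "type": "connect", "dst": "203.0.113.7", "port": 4444},
    {"image": "shop/web:1.4", "container": "web-2", "type": "write", "path": "/var/log/nginx/error.log"},
    {"image": "shop/web:1.4", "container": "web-2", "type": "write", "path": "/tmp/.x/cryptominer"},
]


def run_example() -> List[str]:
    """Learn from BASELINE, then evaluate LIVE; returns the alert list."""
    return detect(learn(BASELINE), LIVE)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Three of the five live events raise alerts; the nginx exec and the error.log write match the profile. The weak point of this approach is the baseline itself: if the trusted run already contained attacker activity, it is learned as normal, which is why the profile should come from a build or staging run the development team has vouched for, as the paragraph above suggests.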

Patch management

Most container applications are built from base images, which are essentially stripped-down, lightweight operating systems. An application container image combines the base image with application-specific elements (the framework, the runtime and the application itself), and each element is a layer in the image, any of which may carry software vulnerabilities and risk. Traditional application security testing focuses on vulnerabilities in the application itself; containerized application security testing must also address the vulnerabilities hidden in the image layers.
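Because an image is a stack of layers, a useful scan tells you not only which package is vulnerable but which layer introduced the version that is actually in effect, since that decides whether the fix is a new base image, a different runtime, or a dependency bump. The following added example (not code from the original article or from any scanner) walks constructed layers in order, lets later layers override earlier ones as an image filesystem does, and attributes each finding to the layer and build step to fix. The package names and advisory IDs are constructed placeholders, not real identifiers.

```python
"""Attribute vulnerable packages to the image layer that introduced them.

Added example, not from the original article or any scanner. Layers,
package names and advisory IDs are constructed placeholders.
"""
from typing import Dict, List, Tuple

# A constructed image: ordered layers, each with the build step that
# produced it and the packages it installed or replaced (name -> version).
IMAGE_LAYERS = [
    {"id": "layer0", "created_by": "FROM example-base:1.0",
     "packages": {"libtls": "1.2.0", "zlib-example": "1.1.0"}},
    {"id": "layer1", "created_by": "RUN install-runtime example-runtime=3.1",
     "packages": {"example-runtime": "3.1"}},
    {"id": "layer2", "created_by": "RUN install-deps",
     "packages": {"zlib-example": "1.1.2", "example-framework": "2.0"}},
    {"id": "layer3", "created_by": "COPY app /app", "packages": {}},
]

# Constructed advisories: package -> (first fixed version, placeholder id).
ADVISORIES = {
    "libtls": ("1.2.5", "EXAMPLE-ADV-1"),
    "zlib-example": ("1.1.2", "EXAMPLE-ADV-2"),
    "example-framework": ("2.1", "EXAMPLE-ADV-3"),
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric comparison of dotted versions (enough for the constructed data)."""
    return tuple(int(x) for x in v.split("."))


def effective_packages(layers: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Walk layers in order; a later layer overrides an earlier version of the
    same package, just as the top layer wins in the image filesystem.
    Returns name -> (effective version, id of the layer that set it)."""
    result: Dict[str, Tuple[str, str]] = {}
    for layer in layers:
        for name, ver in layer["packages"].items():
            result[name] = (ver, layer["id"])
    return result


def find_vulnerable(layers: List[dict], advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Report packages whose effective version is below the fixed version,
    together with the layer and build step where the fix has to be applied."""
    findings = []
    for name, (ver, layer_id) in effective_packages(layers).items():
        if name not in advisories:
            continue
        fixed, adv = advisories[name]
        if version_tuple(ver) < version_tuple(fixed):
            layer = next(l for l in layers if l["id"] == layer_id)
            findings.append({"package": name, "version": ver, "fixed": fixed,
                             "advisory": adv, "layer": layer_id,
                             "fix_at": layer["created_by"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(IMAGE_LAYERS, ADVISORIES):
        print(f"{f['advisory']}: {f['package']} {f['version']} < {f['fixed']} "
              f"introduced by {f['layer']} ({f['fix_at']})")
```

Two findings come out: libtls from the base image layer, which means rebasing or rebuilding from a patched base, and example-framework from the dependency layer, which is an application-side bump. zlib-example is not reported even though the base image shipped a vulnerable version, because the dependency layer replaced it with the fixed one; a scanner that looked only at the base image's package list would report a false positive there.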