scanlon
Newcomer I

Application Container Security Basics

Hi all,

 

I am sharing an article I recently wrote for SEI Insights, an online journal/blog from CMU:

https://insights.sei.cmu.edu/sei_blog/2020/04/7-quick-steps-to-using-containers-securely.html

 

It is free of charge to read, we are a non-profit, I don't get anything from this. So this is not a marketing thing, just sharing.

 

Anyway, the intended audience was someone just getting into containerization (and not necessarily with a big security budget), so just some basic security things for them to consider. Please share with anyone you think might benefit. Any feedback is welcome, good or bad, especially if you think there are some other obvious things that could be done that aren't mentioned. Also, if there are any container security areas you think warrant a deeper dive, please mention them, as I have been asked to eventually write a follow-on post for more advanced users.

 

Thank you,

Tom Scanlon, CISSP

Software Engineering Institute

Carnegie Mellon University

2 Replies
AppDefects
Community Champion

Re: Application Container Security Basics

Nice article for people that still equate the cloud to VMs. Figure 4 shows some promise. You are on the right path. Now, how about saying something about the security of the supply chain? That is where our containers originate. No one uses their own "private repositories". What about signed images? People need to know what to trust. I'll read the references for the details, thank you!

 

Source: Thomas Scanlon

 

scanlon
Newcomer I

Re: Application Container Security Basics

Thank you for the reply. There is a lot to say about supply chain, even just in this context, so that might make for a good deeper dive post. I did have something in there about signing images; I must have removed it during editing, so that needs to be mentioned for sure. Also, I do work with programs that use "private repositories", so that is a thing... maybe discussing/explaining that would make a good deep-dive post too. Thanks again for the feedback!
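The two replies above touch on "knowing what to trust": where a base image comes from and whether it is pinned to something verifiable. As an added example (not from the thread, the SEI article, or either poster), here is a small POSIX shell check that reads the FROM lines of a Dockerfile and flags any base image that is not pulled from an allow-listed registry or not pinned to a content digest. The registry name `registry.example.internal` and the sample Dockerfile are constructed for illustration; the digest shown is a placeholder, not a real image digest.

```shell
#!/bin/sh
# Added example: audit the base images a Dockerfile pulls in.
# A tag such as ":latest" is mutable and can be repointed upstream; a digest
# (@sha256:...) names exact content, so it is the reference to pin and review.

# Registries a build is allowed to pull base images from (assumed value).
TRUSTED_REGISTRIES="registry.example.internal"

# image_registry <ref> -> prints the registry host of an image reference.
# Docker treats the first path component as a registry only if it looks like
# a host (contains "." or ":", or is "localhost"); otherwise it is docker.io.
image_registry() {
    case "$1" in
        */*)
            first=${1%%/*}
            case "$first" in
                *.*|*:*|localhost) echo "$first" ;;
                *) echo "docker.io" ;;
            esac ;;
        *) echo "docker.io" ;;
    esac
}

# check_image_ref <ref> -> prints "ok" and returns 0 if the reference is from
# a trusted registry and pinned to a digest; otherwise prints why it is not
# trusted and returns 1.
check_image_ref() {
    ref=$1
    reg=$(image_registry "$ref")
    trusted=1
    for t in $TRUSTED_REGISTRIES; do
        [ "$reg" = "$t" ] && trusted=0
    done
    if [ "$trusted" -ne 0 ]; then
        echo "untrusted registry: $reg"
        return 1
    fi
    case "$ref" in
        *@sha256:*) echo "ok"; return 0 ;;
        *) echo "not pinned to a digest"; return 1 ;;
    esac
}

# scan_dockerfile <path> -> prints one verdict per FROM line and returns the
# number of base images that failed the check (0 means everything passed).
# References to earlier build stages ("FROM builder") are skipped.
scan_dockerfile() {
    file=$1
    stages=""
    failures=0
    while read -r keyword rest; do
        case "$keyword" in FROM|from) ;; *) continue ;; esac
        set -- $rest
        case "$1" in --platform=*) shift ;; esac   # drop a leading platform flag
        ref=$1
        case "$2" in AS|as) stages="$stages $3" ;; esac
        skip=0
        for s in $stages; do
            [ "$s" = "$ref" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        verdict=$(check_image_ref "$ref") || failures=$((failures + 1))
        echo "$ref: $verdict"
    done < "$file"
    return "$failures"
}

# Constructed sample Dockerfile: one good reference, one from a public registry,
# one trusted-registry image left on a mutable tag, and one stage alias.
SAMPLE_DOCKERFILE=$(mktemp)
trap 'rm -f "$SAMPLE_DOCKERFILE"' EXIT
printf '%s\n' \
  'FROM --platform=linux/amd64 registry.example.internal/base/golang@sha256:4f5b3c9e1d2a0f6e8b7c1d3e5a9f0b2c4d6e8f1a3b5c7d9e0f2a4b6c8d0e1f3a AS builder' \
  'RUN go build -o /app ./cmd/app' \
  'FROM alpine:3.18' \
  'FROM registry.example.internal/base/distroless:latest' \
  'FROM builder' \
  > "$SAMPLE_DOCKERFILE"

rc=0
scan_dockerfile "$SAMPLE_DOCKERFILE" || rc=$?
echo "$rc base image(s) need attention"
```

Run against the constructed sample, the script reports the public `alpine:3.18` image (untrusted registry) and the `:latest` image from the private registry (not pinned), and returns 2; the stage alias is ignored. The digest check only confirms that a digest is present; whether that digest is the one you reviewed, or is covered by an image signature, is the deeper supply-chain question the thread raises.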