Hi all,
I am sharing an article I recently wrote for SEI Insights, an online journal/blog from CMU:
https://insights.sei.cmu.edu/sei_blog/2020/04/7-quick-steps-to-using-containers-securely.html
It is free of charge to read, we are a non-profit, I don't get anything from this. So this not a marketing thing, just sharing.
Anyway, the intended audience was someone just getting into containerization (and not necessarily with a big security budget), so it is just some basic security things for them to consider. Please share with anyone you think might benefit. Any feedback is welcome, good or bad, especially if you think there are some other obvious things that could be done that aren't mentioned. Also, if there are any container security areas you think warrant a deeper dive, please mention them, as I have been asked to eventually write a follow-on post for more advanced users.
Thank you,
Tom Scanlon, CISSP
Software Engineering Institute
Carnegie Mellon University
Nice article for people that still equate the cloud to VMs. Figure 4 shows some promise. You are on the right path. Now, how about saying something about the security of the supply chain? That is where our containers originate. No one uses their own "private repositories". What about signed images? People need to know what to trust. I'll read the references for the details, thank you!
Thank you for the reply. There is a lot to say about supply chain, even just in this context, so that might make for a good deeper-dive post. I did have something in there about signing images; I must have removed it during editing, so that needs to be mentioned for sure. Also, I do work with programs that use "private repositories", so that is a thing... maybe discussing/explaining that would make a good deep-dive post too. Thanks again for the feedback!