Who’s Responsible for Securing Containers that Developers Work In?

The convenience of containers can’t be overstated: Developers use them to build, package, run, and deploy applications across various environments, while streamlining testing and debugging, and supporting agile development practices. DevContainers support full-featured development environments, including tools, libraries, and runtimes to isolate dependencies and test applications in a production-like environment without worrying about conflicts.

But who’s responsible for securing and managing these containers? The development teams or their Operational Security Teams?

The answer is both, although the operational side needs to take more responsibility, says Peter Bookman, an entrepreneur with a long history of cloud, virtualization and edge computing security startups.

Peter’s current company, Guarddog.ai, recently released an end-to-end container security tool to maintain secure configurations and detect new threats across multi-container, work-sharing environments. In this show, he talks about the specific security risks that arise when containers are not properly configured, maintained, access-controlled, and phased out. Then we discuss the best ways product development leaders can work with operational security teams to address the SecOps in DevSecOps.

As Peter says in this interview, developers are overwhelmed with getting code developed, debugged, and out the door. And they’ve already taken on more responsibility for developing safe and secure code through testing and SBOM (Software Bill of Materials) utilization. Securing their operational environment just adds to this burden.

“You want containers to be secure in order to protect your product and your brand,” he notes. “Product development teams and their security operations teams need to care about the container attack surface because it’s the biggest risk associated with your product running into problems than at any given point.” 

Specifically, he points to risks around authentication in a fluid environment where multiple groups work across multi-cloud, multi-container setups. Yet the SecOps people often have little or no understanding of how developers work in these environments.

Take Kubernetes, the open-source container orchestration platform, for example. When he talks to product companies, their developers usually say that they are not responsible for securing the Kubernetes environment. When he talks to their operational cyber security people, they often don’t know or understand Kubernetes. “It’s very tricky to know who is authorized to do what, let alone get into a response and attack surface management plan,” he adds.

He feels strongly that cyber security teams supporting product companies need to get up to speed in operational support, and he discusses ways development team leaders can communicate their needs to their cyber security teams.

As he says, “The operational side needs to understand the art of developing code so that they can give their developers the right tools to continue developing their art.”

Tune in here for the full interview.

Resources:

Docker Container Management whitepaper.

Demo: Setting up scalable dev containers and integrating with CodeSonar SAST to support the dev workflow.

Case study: Learn how CodeSonar SAST works in a fast-moving Docker-based development hub to support a remote workforce.
