Containers are everywhere. Despite application containers being around for only a few years, they have already become an important building block of modern application development.
But their popularity has made them a target for hackers, making container security an important addition to an already extensive cybersecurity portfolio.
The need for container security
Containers owe their popularity to their lightweight, building block approach. They contain everything required to run applications, such as code, runtime, tools, libraries, and settings, and can run on top of an OS as designed regardless of the environment, so they’re more portable than virtual machines (VMs) and require fewer resources.
Container platforms such as Docker and Kubernetes include some native security controls, but containerized applications often include third-party software components that may have vulnerabilities, so containers can be susceptible to rogue processes that are able to bypass the isolation that makes containers so valuable. That opens the door to unauthorized access to other container images, and if the container image itself includes a vulnerability, it can be deployed unwittingly into applications. Misconfigured permissions multiply these problems, so container security is too critical to be taken lightly.
Key container security features
Container security tools address a great many areas. But they should provide most of the following:
- Image scanning
- Runtime security
- Threat detection/vulnerability scanning
- Network security
- Incident response and forensics
- Integration with DevOps and SIEM tools
Best container security companies
Here are our picks for the best security tools for protecting your container environments.
Sysdig Secure is a SaaS platform that provides unified security across containers and cloud and is part of the Sysdig Secure DevOps platform. DevOps and security teams can use it to reduce risk with visibility across containers, hosts, Kubernetes, and cloud. It can detect and respond to threats and validate cloud posture and compliance. Additionally, it can maximize performance and availability by monitoring and troubleshooting cloud infrastructure and services.
- Image and host scanning: Automate scanning locally in CI/CD pipelines and registries without images leaving the environment. Consolidate container and host vulnerability management. Block vulnerable images from being deployed via an admission controller. Monitor for new CVEs at runtime and identify owners.
- Threat detection for containers and cloud: Secure containers, CaaS, Kubernetes, hosts and cloud infrastructure, with policies based on open-source Falco and Cloud Custodian. Avoid writing rules from scratch with ML-based profiling of container images.
- Network security: Visualize network communication between pods, services and applications inside Kubernetes; shorten time to implement network security by automating Kubernetes network policies.
- Incident response: Conduct incident response using granular data with Kubernetes and cloud context. Forward events to SIEM tools like Splunk, QRadar, AWS Security Hub.
- Cloud posture management and compliance: Continuously validate cloud security posture and meet compliance standards (e.g., NIST 800-53, SOC 2, PCI) and internal mandates.
- Unified security and monitoring in a single platform
- Native enforcement based on Kubernetes admission controllers and network policies
- Sensitive data doesn’t leave a cloud account
NeuVector takes a networking-focused approach to container security, providing automated segmentation capabilities and attack detection. It includes a container firewall that can filter application layer traffic to help identify anomalous behavior. NeuVector discovers normal connections and application container behavior and automatically builds a security policy to protect container-based services. Using process and file system monitoring with Layer 7 network inspection, unauthorized container activity or connections from containers can be blocked without disrupting normal container sessions.
NeuVector’s Key Differentiators
- Scans for vulnerabilities during the entire CI/CD pipeline
- Use the Jenkins plug-in to scan during build, monitor images in registries, and run automated tests for security compliance
- Prevent deployment of vulnerable images with admission control, and monitor production containers
- Deploys as a container onto virtual machines or bare metal OS environments
- Scanning and admission control during build, test, and deployment
- Scans containers, hosts, and orchestration platforms during run-time
- Risk scores and compliance reports
- Layer 7 container firewall
Alert Logic is a managed detection and response (MDR) provider that secures public clouds, SaaS, on-premises, and hybrid cloud environments. It provides a view of the security vulnerabilities within containerized environments by collecting and analyzing network traffic from the base host and the network traffic to, from, and between containers. Users know within minutes if exploits are actively targeting their container environment.
Alert Logic’s Key Differentiators
- Detect cyberattacks in real time by analyzing the signature of data packets as they traverse containerized environments
- Collect, aggregate, and search container application logs to gain insight into container activity for optimal security and compliance
- Make your security as portable as your containers across cloud, hybrid, and on-premises environments
- Build a better view of security impacts with a graphical representation of the compromised container and its relationships
- Get proactive notifications from security experts when suspicious activity occurs
- Single integrated solution to protect all workloads – whether in a container or not
- Support for AWS, Azure, Google Cloud Platform, hybrid, and on-premises environments
- Addresses any workload in any container (Docker, Kubernetes, Elastic Beanstalk, Elastic Container Service, CoreOS and AWS Fargate)
There have been a number of acquisitions in the container security market in recent years, and the most recent was announced yesterday: Sophos is acquiring Capsule8.
Capsule8 detects and prevents unwanted activity on Linux systems that may jeopardize containerized environments. Threat models address workloads and container hosts. The product also allows users to create policies leveraging container metadata.
Capsule8’s Key Differentiators
- To test container protection, the company develops new container escape exploits for Linux kernel vulnerabilities
- The platform is a replacement for Intrusion Prevention Systems (IPS), File Integrity Monitoring (FIM), and Antivirus (AV)
- Protects cloud-native systems, orchestrators, container runtimes such as Docker, containerd, and CRI-O
- Restrict the ability for specific containers to write new files, run new programs after startup, read cloud metadata, have multiple users running, make outbound network connections, or spawn shells
- Detect unwanted activity on a per-container basis
- Minimize time to recovery by accelerating triage and incident response
Palo Alto Networks Prisma Cloud
Palo Alto Networks acquired container security firms Twistlock and Aporeto, and has incorporated their features into its Prisma cloud application. As a larger suite of cloud-based functions, Prisma Cloud is a cloud-native security platform with security and compliance coverage for users, applications, data, and the cloud technology stack.
Prisma Cloud Key Differentiators
- SaaS deployment option
- Vulnerability management, runtime security, compliance management, access control and repository scanning for container security
- Vulnerability intelligence from more than 30 sources provides risk clarity
- Prevent insecure configurations from reaching production
- Configuration assessment (runtime)
- Compliance monitoring and reporting
- Infrastructure-as-code (IaC) configuration scans
- Threat detection, and user and entity behavior analytics (UEBA)
- API-based network traffic visibility, analytics, and anomaly detection
- Malware scanning
- Enforces microsegmentation and secure trust boundaries
Aqua Security was an early pioneer of the container security space. It scans container images based on a stream of aggregate sources of vulnerability data (CVEs, vendor advisories, and proprietary research), which ensures up-to-date coverage while minimizing false positives. Additionally, it can find malware, embedded secrets, OSS licenses, and configuration issues in images.
Aqua Security’s Key Differentiators
- Discover malware hidden in open source packages and third-party images, preventing attacks on container-based applications
- Analyzes images in a secure, isolated sandbox before they reach the environment, examining and tracing behavioral anomalies
- Static and dynamic scanning to create flexible image assurance policies that determine which images would be allowed to progress through the development pipeline and run in clusters or hosts
- Aqua Risk Explorer is a Kubernetes-native visualization and prioritization tool that shows in real time the risk factors within a Kubernetes cluster, namespace, deployment, node, and application
- Aqua vShield acts as a virtual patch to prevent the exploitation of a specific vulnerability and provides visibility into exploitation attempts
- Enforces the immutability of containers by preventing changes to a running container
- Behavioral profiling uses machine learning to analyze a container’s behavior, creating a model that allows only observed behaviors and capabilities to be accessed
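Two of the runtime controls described on this page, explicit per-container restrictions (the Capsule8 list: no new files, no new programs after startup, no cloud metadata reads, no outbound connections, no shells) and a learned behavioral allow-list (Aqua's behavioral profiling, and NeuVector's discovery of normal behavior), come down to the same evaluation loop over runtime events. The following is an added example of that loop, not code from any vendor on this page. The event shape, the Restrictions fields, the container names and every event below are constructed for illustration; only the shell paths and the 169.254.169.254 cloud metadata address are real.

```python
"""Runtime container policy check: explicit restrictions plus a learned allow-list.
Added example; the event format and policy fields are assumptions, not a vendor API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Binaries treated as shells, and the link-local cloud metadata (IMDS) address.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}
CLOUD_METADATA = {"169.254.169.254"}


@dataclass
class Restrictions:
    """Per-container switches; True means the activity is permitted."""
    write_files: bool = True
    exec_after_startup: bool = True
    outbound_net: bool = True
    spawn_shell: bool = True
    read_cloud_metadata: bool = True


def check_restrictions(r: Restrictions, ev: dict) -> Optional[str]:
    """Return a violation reason if the event breaks an explicit restriction."""
    t = ev["type"]
    if t == "exec":
        if not r.spawn_shell and ev["path"] in SHELLS:
            return "shell spawned"
        if not r.exec_after_startup and not ev.get("startup", False):
            return "new program run after startup"
    elif t == "file_write" and not r.write_files:
        return "file written"
    elif t == "connect":
        if not r.read_cloud_metadata and ev["dst"] in CLOUD_METADATA:
            return "cloud metadata endpoint accessed"
        if not r.outbound_net:
            return "outbound connection"
    return None


def event_key(ev: dict) -> Tuple:
    """Normalize an event to the key kept in a behavioral profile. File writes
    are generalized to their directory so a rotating log file does not alarm."""
    t = ev["type"]
    if t == "exec":
        return ("exec", ev["path"])
    if t == "file_write":
        return ("file_write", ev["path"].rsplit("/", 1)[0] or "/")
    return ("connect", ev["dst"], ev["port"])


def learn_profile(events: List[dict]) -> Dict[str, Set[Tuple]]:
    """Build the per-container allow-list from a learning window."""
    profile: Dict[str, Set[Tuple]] = {}
    for ev in events:
        profile.setdefault(ev["container"], set()).add(event_key(ev))
    return profile


def evaluate(restrictions, profile, events) -> List[Tuple[str, str, str]]:
    """Apply explicit restrictions first, then the learned profile. A container
    with no profile is not judged against one but is still restricted."""
    findings = []
    for ev in events:
        c = ev["container"]
        reason = check_restrictions(restrictions.get(c, Restrictions()), ev)
        if reason is None and c in profile and event_key(ev) not in profile[c]:
            reason = "deviates from learned profile"
        if reason:
            findings.append((c, ev["type"], reason))
    return findings


# Constructed learning-window events for a container named "web".
LEARNING_EVENTS = [
    {"container": "web", "type": "exec", "path": "/usr/bin/node", "startup": True},
    {"container": "web", "type": "connect", "dst": "10.0.0.5", "port": 5432},
    {"container": "web", "type": "file_write", "path": "/var/log/app.log"},
]
# Constructed production events: the learned ones plus a rotated log (benign),
# a shell, a metadata read, a write to /tmp, and an unprofiled container.
PRODUCTION_EVENTS = LEARNING_EVENTS + [
    {"container": "web", "type": "file_write", "path": "/var/log/app.log.1"},
    {"container": "web", "type": "exec", "path": "/bin/sh", "startup": False},
    {"container": "web", "type": "connect", "dst": "169.254.169.254", "port": 80},
    {"container": "web", "type": "file_write", "path": "/tmp/dropped"},
    {"container": "worker", "type": "exec", "path": "/usr/bin/python3", "startup": True},
]
RESTRICTIONS = {
    "web": Restrictions(spawn_shell=False, read_cloud_metadata=False, exec_after_startup=False),
}


def run_demo() -> List[Tuple[str, str, str]]:
    return evaluate(RESTRICTIONS, learn_profile(LEARNING_EVENTS), PRODUCTION_EVENTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The explicit restrictions fire regardless of what was learned (a shell is a finding even if one appeared in the learning window), while the profile catches activity the restrictions never named, such as the write under /tmp. Generalizing file writes to their directory is the one deliberate relaxation; a product would make that granularity configurable.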
Anchore provides products that enable organizations to scan and inspect public and private container images. At the core is an open source engine to scan images and achieve security compliance. Deployments of container-based infrastructure include a container registry where images are stored. Anchore scans the contents of container registries to ensure they are free from vulnerabilities and comply with security policies.
Anchore’s Key Differentiators
- Automatically fetches vulnerability data and scans images from registries
- Container registries include Harbor, Quay, JFrog, DockerHub, as well as offerings from AWS, Azure, and Google
- Reports and evaluations can be accessed using the CLI or Anchore Enterprise UI, and webhooks can trigger action in other systems
- Anchore Enterprise is a container security workflow solution that allows developers to bolster security without compromising velocity and verify compliance
- Open source tools for image inspection and vulnerability scanning perform analysis of container workloads
- Generates a software bill-of-materials to apply policy for container workloads on premises and in the cloud
- Ensures no secrets are present in images such as passwords and API keys
- Identifies non-OS third-party libraries, including Node.js npm, Ruby gems, Python pip, .NET, and Java archives
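The check that "no secrets are present in images such as passwords and API keys" is, at its simplest, a pattern scan over every file in every image layer with a rule for ignoring templated placeholders. The block below is an added example of such a scan, not Anchore's code or format. The image layers, file paths and file contents are constructed (the AWS key shown is the documented AKIAIOSFODNN7EXAMPLE placeholder); the AWS access key ID format and the PEM private-key header are real formats, while the generic credential-assignment pattern is a heuristic.

```python
"""Scan constructed image layers for embedded secrets. Added example; the
layer/file dictionary stands in for an unpacked image and is not a real format."""
import re
from typing import Dict, List, Tuple

# Named patterns. Only the generic pattern captures the assigned value (group 1),
# which lets templated values such as ${DB_PASSWORD} be skipped.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_credential": re.compile(
        r"(?i)\b[a-z0-9_]*(?:password|passwd|api[_-]?key|secret[_a-z]*|token)"
        r"\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}
TEMPLATE_PREFIXES = ("$", "{{")  # values injected at deploy time, not embedded secrets

Finding = Tuple[str, str, int, str]  # (layer, path, line number, pattern name)


def scan_image(image: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Walk every file in every layer and report lines matching a secret pattern."""
    findings: List[Finding] = []
    for layer, files in image.items():
        for path, content in files.items():
            for line_no, line in enumerate(content.splitlines(), 1):
                for kind, pattern in SECRET_PATTERNS.items():
                    m = pattern.search(line)
                    if not m:
                        continue
                    if kind == "generic_credential" and m.group(1).startswith(TEMPLATE_PREFIXES):
                        continue  # placeholder resolved from the environment, not a secret
                    findings.append((layer, path, line_no, kind))
    return findings


def image_passes(image: Dict[str, Dict[str, str]]) -> bool:
    """Assurance gate: an image with any finding must not progress through the pipeline."""
    return not scan_image(image)


# Constructed image: layer digests, paths and contents are all made up for this example.
CONSTRUCTED_IMAGE = {
    "sha256:layer1-constructed": {
        "/app/config.env": "DB_PASSWORD=${DB_PASSWORD}\nAPI_KEY=sk_live_constructed0123456789\n",
        "/app/README.md": "Set PASSWORD in your environment before starting.\n",
    },
    "sha256:layer2-constructed": {
        "/root/.aws/credentials": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        "/etc/ssl/private/server.key": (
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeymaterial\n-----END RSA PRIVATE KEY-----\n"
        ),
    },
}

if __name__ == "__main__":
    for finding in scan_image(CONSTRUCTED_IMAGE):
        print(finding)
    print("passes:", image_passes(CONSTRUCTED_IMAGE))
```

Scanning per layer rather than only the final filesystem matters: a credentials file deleted in a later Dockerfile step is still present in the earlier layer and still ships with the image.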
Qualys Container Security offers visibility into container host security as well as the ability to detect and prevent security breaches during runtime. It gathers images, image registries, and containers spun from images. It also helps to determine if images are cached on different hosts, and identifies containers on exposed network ports running with privileges.
Qualys Key Differentiators
- Secures containers whether on-premises or in the cloud
- Enforce policies to block the use of images that have specific vulnerabilities, or that have vulnerabilities above a certain severity threshold
- Vulnerability detection and remediation in the DevOps pipeline by deploying plugins like Jenkins or Bamboo, or via REST APIs
- Search for images that have high-severity vulnerabilities, unapproved packages, and older or test release tags
- Container Runtime Security (CRS) offers visibility into running containers, as well as the ability to enforce policies that govern behavior
- Centralized discovery and tracking for containers and images
- View metadata for containers and images including labels, tags, installed software, and layers
- Coverage from Linux OS distributions to container-centric OSes, applications, and programming languages
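Several vendors above (Sysdig, NeuVector, Qualys) block vulnerable images through a Kubernetes admission controller, with policies such as "vulnerabilities above a certain severity threshold" and rules against "older or test release tags". The block below is an added example of the decision logic such a validating webhook runs, not any vendor's code. The AdmissionReview request/response envelope follows the real admission.k8s.io/v1 shape; the scan results, the policy keys, the pod, the image names, the digest and the CVE identifiers (written as placeholders) are all constructed for this example, and the lookup by exact image reference assumes the scanner already resolved tags to what it scanned.

```python
"""Validating-admission decision for pod images. Added example; scan results,
policy fields and all identifiers below are constructed, not from a real scanner."""
import json
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy: deny CVEs at or above max_severity, and deny images that are not pinned
# by digest and use a mutable tag (no tag, or "latest"). Keys are assumptions.
POLICY = {"max_severity": "high", "deny_mutable_tags": True}

# Constructed scan results keyed by image reference; CVE ids are placeholders.
WEB_IMAGE = "registry.example/web@sha256:" + "ab" * 32
CACHE_IMAGE = "registry.example/cache:latest"
SCAN_RESULTS = {
    WEB_IMAGE: [{"id": "CVE-PLACEHOLDER-1", "severity": "medium"}],
    CACHE_IMAGE: [{"id": "CVE-PLACEHOLDER-2", "severity": "critical"}],
}


def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split name[:tag][@digest]. Only the last path component is checked for a
    tag, so a registry port (host:5000/img) is not mistaken for one."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def evaluate_image(ref: str, scan_results: Dict, policy: Dict) -> List[str]:
    """Return the list of policy violations for one image (empty means allowed)."""
    reasons = []
    _, tag, digest = parse_ref(ref)
    if policy["deny_mutable_tags"] and digest is None and tag in (None, "latest"):
        reasons.append(f"{ref}: tag {tag or '<none>'} is mutable; pin the image by digest")
    result = scan_results.get(ref)
    if result is None:
        # Fail closed: an image nobody scanned is not admitted.
        reasons.append(f"{ref}: no scan result on record")
        return reasons
    threshold = SEVERITY_RANK[policy["max_severity"]]
    for cve in result:
        if SEVERITY_RANK[cve["severity"]] >= threshold:
            reasons.append(
                f"{ref}: {cve['id']} is {cve['severity']}, at or above threshold {policy['max_severity']}"
            )
    return reasons


def admission_response(review: Dict, scan_results: Dict, policy: Dict) -> Dict:
    """Evaluate every container image in the pod and build the AdmissionReview reply."""
    request = review["request"]
    spec = request["object"]["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    reasons: List[str] = []
    for c in containers:
        reasons.extend(evaluate_image(c["image"], scan_results, policy))
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": request["uid"],  # must echo the request uid
            "allowed": not reasons,
            "status": {"message": "; ".join(reasons) or "all images pass policy"},
        },
    }


# Constructed AdmissionReview as the API server would POST it to the webhook.
REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-1",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "shop"},
            "spec": {"containers": [
                {"name": "web", "image": WEB_IMAGE},
                {"name": "cache", "image": CACHE_IMAGE},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(admission_response(REVIEW, SCAN_RESULTS, POLICY), indent=2))
```

The pod is denied as a whole because one of its two images fails, and the message names every violation so the owner sees both the critical CVE and the mutable tag in a single round trip. Failing closed on unscanned images is the choice that keeps the registry scan and the cluster gate consistent; the alternative, admitting whatever the scanner has not seen, quietly reopens the gap.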
Red Hat – itself owned by IBM – moved aggressively into container security earlier this year with the acquisition of StackRox, which claims an advantage over competitors with its Kubernetes-native architecture, making for richer context, native enforcement, and continuous hardening. In keeping with its open source heritage, Red Hat plans to open source StackRox technology.
StackRox Key Differentiators
- Kubernetes-native architecture leverages Kube’s declarative data and built-in controls for richer context, native enforcement, and continuous hardening
- Leverages the controls built into Kubernetes for policy enforcement, avoiding the operational risks of applying third-party in-line proxying or blocking tools
- Applies intelligence from runtime behavior to adjust subsequent builds and deployments to continuously monitor and shrink the attack surface
- Combining with Red Hat’s OpenShift enterprise Kubernetes platform gives the company a single platform for building, deploying and securely running applications across hybrid clouds
- In addition to OpenShift, StackRox will continue to support multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE)
Further reading: Application Security Vendor List for 2021