Container security threat vectors

Keep an eye out for these threats throughout the container lifecycle

By Matt Colman

New threat vectors

As described in NIST SP 800-190, Application Container Security Guide, a containerized environment introduces the following new threat vectors, each of which must be addressed:

  • Image
    • Image vulnerabilities
    • Configuration defects
    • Embedded malware
    • Embedded clear text secrets
    • Untrusted images
  • Registry
    • Insecure connections to registries
    • Stale images in registries
    • Insufficient authentication
    • Insufficient authorization restrictions
  • Orchestration
    • Unrestricted admin access
    • Unauthorized orchestrator access
    • Poorly isolated inter-container network traffic
    • Mixing of workload sensitivity levels
  • Container
    • Runtime software vulnerabilities
    • Unbounded network access
    • Insecure runtime configurations
    • Application vulnerabilities
    • Rogue containers
  • Host OS
    • Large attack surface
    • Host OS component vulnerabilities
    • Improper user access rights
    • Host OS file system tampering
    • Poor host OS configuration
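
Several of the image-level vectors above (untrusted images, embedded clear text secrets, configuration defects) can be caught before an image is ever built. The following is an added example, not code from the article or from NIST: a small Dockerfile audit that maps each finding to the SP 800-190 image threat vector it falls under. The sample Dockerfile is constructed, and the check-to-vector mapping is this example's own assumption.

```python
import re

# Constructed sample Dockerfile (not from the article) exhibiting several image-level defects.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y openssh-server
COPY . /app
EXPOSE 22
CMD ["/app/start.sh"]
"""

# Variable names that suggest a credential is being baked into an image layer.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def audit_dockerfile(text):
    """Return (threat_vector, detail) findings for a Dockerfile.

    Vector names are the image-level entries of NIST SP 800-190; which check
    maps to which vector is an assumption made for this example.
    """
    findings = []
    has_nonroot_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            image = args.split()[0]          # drop any "AS stage" alias
            name = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
            if "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
                findings.append(("Untrusted images",
                                 f"line {lineno}: base image {image!r} is not pinned by tag or digest"))
        elif instr in ("ENV", "ARG"):
            key = re.split(r"[ =]", args, maxsplit=1)[0]
            if SECRET_NAME_RE.search(key):
                findings.append(("Embedded clear text secrets",
                                 f"line {lineno}: {key} is stored in an image layer"))
        elif instr == "USER":
            has_nonroot_user = args not in ("root", "0")
        elif instr == "EXPOSE" and any(p.split("/")[0] == "22" for p in args.split()):
            findings.append(("Configuration defects", f"line {lineno}: image exposes SSH (port 22)"))
    if not has_nonroot_user:
        findings.append(("Configuration defects",
                         "no non-root USER instruction: processes run as root by default"))
    return findings


if __name__ == "__main__":
    for vector, detail in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"[{vector}] {detail}")
```

A digest-pinned base image with a non-root USER produces no findings, which is the shape of the hardened Dockerfile the checks push toward.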

Security across the lifecycle

These threat vectors are typically encountered in the three phases of the container lifecycle -- build, ship, and run:

[Figure: Container lifecycle threat vectors]

Although this learning path focuses only on the container image, it is important to plan for, and build in, security controls that address all of these threat vectors. You should also apply security across every phase of the lifecycle, implementing a DevSecOps approach.

[Figure: Security lifecycle flow]