About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
New threat vectors
As described in NIST SP 800-190, Application Container Security Guide, a containerized environment introduces the following new threat vectors that must be secured:
Image
- Image vulnerabilities
- Configuration defects
- Embedded malware
- Embedded clear text secrets
- Untrusted images
Registry
- Insecure connections to registries
- Stale images in registries
- Insufficient authentication
- Insufficient authorization restrictions
Orchestration
- Unrestricted admin access
- Unauthorized orchestrator access
- Poorly isolated inter-container network traffic
- Mixing of workload sensitivity levels
Container
- Runtime software vulnerabilities
- Unbounded network access
- Insecure runtime configurations
- Application vulnerabilities
- Rogue containers
Host OS
- Large attack surface
- Host OS component vulnerabilities
- Improper user access rights
- Host OS file system tampering
- Poor host OS configuration
Security across the lifecycle
These threat vectors are typically encountered in the three phases of the container lifecycle -- build, ship, and run:
Although this learning path focuses only on the container image, it is important to plan and code security to target all of these threat vectors. You should also be sure to include security across all the phases of the lifecycle, implementing a DevSecOps approach.
