Cloud Security Series #7

Vulnerability Management System.
Part 2: Containers

In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of 🎯 Vulnerability Management. See Part 1: Hosts to learn about hardening pipelines for virtual host images (AMIs).



❓ How would you approach the implementation of the following?
– Scan container images, applications, hosts for Vulnerabilities;
– Perform Regular Host and Container Security Patching and Version Upgrades;

💪 Here is how, and while it’s quite challenging, it is *very* rewarding from the cybersecurity perspective:

— Part 2 – Containers —
1. Choose a *base* Operating System (OS) for your container images, and make it the standard across your cloud environment. Ensure that the OS is actively maintained and still receives security updates. It is a best practice to choose the same base OS for container images as for your AMIs: you then track one patch stream and one set of hardening benchmarks instead of two.

2. Establish a hardening pipeline for your base OS image to produce what is usually called a *Golden Container Image*. Use the same pipeline orchestration tools you are already using to produce your Golden AMI, and treat patching as rebuilding the image from the pipeline rather than updating packages inside a running container.

3. Choose the hardening benchmarks that apply to your particular case and implement their recommendations in your image hardening pipeline. Good examples are:
– CIS Docker Benchmark (https://lnkd.in/ezJQ_Cw6), maintained by the Center for Internet Security. Note that only one of its sections covers container images and build files; the rest covers the Docker host and daemon configuration.
– DoD Guidance on Container Image Creation and Deployment (https://lnkd.in/en_WPBd3)

To save time on implementing these recommendations, you may choose to adopt an already-hardened base container image from a trusted public registry, such as the United States Department of Defense's Iron Bank (https://lnkd.in/eYzub-Gj). Even then, keep the verification step below in your pipeline: an upstream image is only as current as its last rebuild.

4. Add a verification step to your hardening pipeline, to ensure that all security patches and hardening settings have actually been applied, and fail the build when they have not. Automated tests for the CIS Docker Benchmark are available via Docker Bench for Security (https://lnkd.in/e_7nXBxp) on GitHub; keep in mind that it checks the Docker host, daemon and running containers, so it runs on the build or runtime host rather than against the image file alone. To verify DISA STIG (or CIS) implementation inside the image itself, you can use OpenSCAP's container scanners such as `oscap-docker` or `oscap-podman` (https://lnkd.in/eNZwrhCZ), which evaluate the image filesystem against a SCAP profile without starting the container.
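The four steps above as one pipeline, written as an added example for this post (not the original author's code): build the golden image from a minimal hardened Dockerfile, scan it with `oscap-docker`, parse the XCCDF results (and, optionally, Docker Bench for Security output from the build host), and refuse to promote the image while unresolved findings remain. Assumptions, none of which come from the post: an Ubuntu 22.04 base, the SCAP Security Guide datastream shipped by the `scap-security-guide` package, a CIS profile id from that datastream, a hypothetical internal registry tag, and constructed scanner output used to exercise the gate offline.

```python
"""Golden container image pipeline: build, scan, gate.

Added example, not the original post's code. Assumptions: Ubuntu 22.04 base,
SCAP Security Guide datastream + CIS profile, hypothetical registry tag."""
import re
import subprocess
import xml.etree.ElementTree as ET

BASE_IMAGE = "ubuntu:22.04"  # assumption; pin by digest (name@sha256:...) in production
GOLDEN_TAG = "registry.example.internal/golden/ubuntu:22.04"  # hypothetical
DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml"  # assumption
PROFILE = "xccdf_org.ssgproject.content_profile_cis_level1_server"  # assumption
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
# docker-bench-security prints one line per check: "[WARN] 4.5 - <title>"
BENCH_LINE = re.compile(r"^\[(WARN|PASS|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")


def golden_dockerfile(base: str) -> str:
    """Dockerfile for the golden image: apply every pending update at build
    time, keep the package set minimal, and run as an unprivileged user."""
    return f"""FROM {base}
# Patching means rebuilding this image, never mutating a running container.
RUN apt-get update \\
 && apt-get -y --no-install-recommends upgrade \\
 && apt-get -y --no-install-recommends install ca-certificates \\
 && apt-get clean && rm -rf /var/lib/apt/lists/*
# Unprivileged runtime user with no login shell and no home directory.
RUN groupadd -r app && useradd -r -g app -d /nonexistent -s /usr/sbin/nologin app
USER app
"""


def failed_rules(results_xml: str) -> list:
    """Rule ids whose <result> is 'fail' in an oscap XCCDF results document."""
    root = ET.fromstring(results_xml)
    failed = []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        res = rr.find(XCCDF_NS + "result")
        if res is not None and (res.text or "").strip() == "fail":
            failed.append(rr.get("idref"))
    return failed


def bench_warnings(output: str) -> list:
    """(check id, title) for every [WARN] line of docker-bench-security output."""
    hits = []
    for line in output.splitlines():
        m = BENCH_LINE.match(line.strip())
        if m and m.group(1) == "WARN":
            hits.append((m.group(2), m.group(3)))
    return hits


def gate(results_xml: str, bench_output: str = "", allow=frozenset()) -> tuple:
    """Promotion decision: (ok, findings). Any finding not on the documented
    allow-list blocks the image; the allow-list is where accepted risks live."""
    findings = [r for r in failed_rules(results_xml) if r not in allow]
    findings += [f"docker-bench {cid}: {title}"
                 for cid, title in bench_warnings(bench_output) if cid not in allow]
    return (not findings, findings)


def run_pipeline(base: str = BASE_IMAGE, tag: str = GOLDEN_TAG) -> bool:
    """Build -> scan -> gate. Needs docker and oscap-docker (run as root) on the build host."""
    subprocess.run(["docker", "build", "--pull", "-t", tag, "-"],
                   input=golden_dockerfile(base).encode(), check=True)
    # oscap-docker mounts the image filesystem and evaluates it without starting it.
    # Exit status 2 means "some rules failed" (handled by the gate); 1 is a scanner error.
    scan = subprocess.run(["oscap-docker", "image", tag, "xccdf", "eval",
                           "--profile", PROFILE, "--results", "results.xml", DATASTREAM])
    if scan.returncode == 1:
        raise RuntimeError("oscap-docker failed to evaluate the image")
    with open("results.xml") as fh:
        ok, findings = gate(fh.read())
    for finding in findings:
        print("BLOCKED:", finding)
    return ok


# Constructed sample scanner output (not real results) so the gate runs offline.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_example">
<rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>pass</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>notapplicable</result></rule-result>
</TestResult></Benchmark>"""
SAMPLE_BENCH = """[INFO] 4 - Container Images and Build File
[PASS] 4.1 - Ensure that a user for the container has been created
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
"""

if __name__ == "__main__":
    raise SystemExit(0 if run_pipeline() else 1)
```

The gate is deliberately strict: a failed rule or a Docker Bench warning blocks promotion unless its id is on an explicit allow-list, which is the only place an accepted exception should live, so that the list itself can be reviewed. Running `gate(SAMPLE_RESULTS, SAMPLE_BENCH)` on the constructed data returns `(False, [...])` with three findings; with all three ids allow-listed it returns `(True, [])`.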

Now we have covered the security patching side of things for Hosts (in Part 1) and Containers (here). This is a good portion of the VMS already, but the story is not finished yet.

to be cont’d…
