The growing demands and complexities of today’s technologies have led most organizations to adopt a strategy called containerization. As IBM explains it, containerization is the packaging of software code with just the operating system (OS) libraries and dependencies required to run the code to create a single lightweight executable—called a container—that runs consistently on any infrastructure. More portable and resource-efficient than virtual machines (VMs), containers have become the de facto compute units of modern cloud-native applications. [^1]

Containerization is popular in the modern setup of application development because it offers multiple benefits in terms of portability, efficiency, agility, faster delivery, easier management, and flexibility. It is especially beneficial in addressing the intricacies of deploying and managing applications.

However, containers, like any technology, also come with their own challenges. One of these is related to security. The concept of containerization and process isolation is decades old, but the emergence in 2013 of the open-source Docker Engine accelerated the adoption of this technology. However, some developers lack the skills and knowledge to manage this technology. This has opened opportunities for attackers to find weaknesses and vulnerabilities in applications.

There are a few techniques that the organizations’ DevSecOps Team can apply to ensure security in their containers:

1. Scan container images

Container scanning is a security measure for detecting known vulnerabilities within container images so that developers can remediate security issues before they become a problem. Scanning can be added to the Continuous Integration/Continuous Deployment (CI/CD) pipeline before deployment to ensure that all images that go to production are secure and free of vulnerabilities. In addition to that, the team can set up a script to perform the scan daily. If vulnerabilities are found, the script can be integrated with Slack to send an alert so that the team can look into those issues promptly and remediate them.

There are multiple options of container scanners to choose from. There are enterprise scanners that incur some costs, but there are some good choices from open source as well. One example is grype, an open-source scanner by Anchore.

2. Run containers as non-root

One of the best practices for containerization is to run containers as non-root users. By default, Docker containers run with the root privilege (uid 0), including the application that runs inside them. With this, attackers can gain root access to the host by hacking the application that is running inside the container. A simple method to run your container as non-root user is to provide the instruction using Dockerfile. To do this, you can add the User using the −u flag along with the useradd command and then using the USER subcommand.

# Add a new user "non-root-user" with user id 8877
RUN useradd -u 8877 non-root-user
# Change to non-root privilege
USER non-root-user

3. Set resource limits for your containers

Neglecting to configure resource limits in your deployment can allow attackers to compromise your application for availability. Configurations should specify limits for the resources that can be used by containers and pods to prevent denial of service when demand spikes. If you are using Kubernetes, you can set your resource configuration in your deployment.yml like this:

        resources:
          requests:
            memory: "1024Mi"
            cpu: "0.1"
          limits:
            memory: "2048Mi"
            cpu: "3"

Ensuring security practices for containers is sometimes neglected because they can be quite complicated. Some teams think that since everything is working, their setup is already fine and that there aren’t any problems. It’s not until they get hit with a DoS attack or a security breach that they realize the importance of these practices.

It may be hard at first to learn how to enforce the standards to make your containers secure, but in the long run, it will save you some headaches.

---

[^1] IBM Cloud Education, 'Containerization Explained | IBM', IBM Cloud Learn Hub, ibm.com/cloud/learn/containerization