Normally we think of the security aspect of IT as being the slowest to adopt new technology. But in the case of DevOps, this might not be true at all. There are situations where SecOps (AppSec, if you prefer) can actually drive modern delivery. Immutable containers and container security are leading organizations to modernize their software delivery chain faster.
Lead the Witness
While DevOps technology is moving at the pace of a cheetah (the top speed of a cheetah is 75 mph), SecOps seems to move backwards. The primary reason is that the drivers are misaligned. DevOps folks probably talk about releases more than anything else—getting code out the door. And SecOps folks are finding the next “look, see” moment with the latest tech breach news.
The catalysts can’t be any more different, and DevOps seems at times to even work against security. But as the anxiety around IT security increases, modern technology is increasingly coming to lick the wounds. And for some, faster, more elaborate solutions to secure applications are pushing dev teams to adopt modern delivery chains.
Docker containers are that sort of technology, even after a barrage of complaints about their weaknesses in networking and lack of visibility. Those complaints largely no longer apply. At every DockerCon, Docker announces more functionality to secure containers, which allows one key feature of containers to finally shine: they can be, and should be, immutable.
Immutable Containers
As Chris Tozzi mentioned in his 2017 predictions post “Security Gets Serious,” it’s not that security was not always serious—it’s that already-known security practices now have a foundation of a mature but agile technology to be built upon.
The benefit of immutable containers is that threats and malicious code can be hermetically sealed. All artifacts, licenses, and OSs are fully contained. So if there is an issue, it can be fixed in a repeatable way without fear of missed variables. And once a container is launched, there are no access requirements beyond what is needed to support the application. You have fewer holes. There is no need for someone to log in and make potentially risky changes. You know exactly what is on each container—so immutable containers provide security both in prevention and in response, whereas most SecOps tools focus on only one or the other.
This means that unlikely vendors, those that have a strong foothold in DevOps, are also providing technologies to the security folks (consider Vault from HashiCorp, which is one of the top two revenue-generating products the company has). HashiCorp has been associated mostly with making developers move faster, and part of that is streamlining and providing better control over how keys are managed and stored. There’s also Twistlock, which provides greater visibility into containers and enterprise-grade SecOps technology, and Portworx—which brings flexibility and security to the persistent storage and data associated with containers.
These container-native technologies, combined with a delivery chain that automates security along with releases, complete the whole cycle without performance degradation. Processes such as container scanning, together with private container registries such as those from Sonatype and JFrog, make sure that if there is an issue, all the parts get fixed permanently, you have a clear inventory, and a system of record for all your services.
Where Security Promotes Adoption
Developers are becoming more accountable, and the first line of defense for security issues. But they still don’t have the tools, time, or experience to be effective. This is why I believe strongly in a highly skilled SecOps team. But that team has to have the same objective, and also know how to move fast. Now that Docker has taken the punches over the last few years and responded by building more and more stability and maturity into their product, processes and vendors can embrace the powerful nature of immutable containers.
This has made it possible for SecOps folks to see a direct benefit of containers and security. They are self-contained, and have a very clear bill of materials. They can build processes to vet everything on them, and if an exploit is found, isolate all impacted containers and kill them immediately. They support full automation, remove some human touch points, and are scalable without additional risk.
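The inventory and response workflow described in the two passages above (a system of record for every image, a clear bill of materials per container, and isolating every impacted container when a vulnerable component is found) can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any of the vendors it mentions. It assumes a minimal system of record kept beside the registry: for each immutable image digest, the packages baked into it, plus a map of running containers to the digest they were started from. The digests, package lists, container names and the `Advisory` type are all constructed for illustration, and the version comparison is a deliberate simplification of what dpkg, rpm or apk actually do.

```python
"""Impact check driven by an immutable-image bill of materials.

Added example, not code from the original post or any vendor. It assumes a
minimal system of record kept alongside the registry: for each immutable image
digest, the packages and versions baked into it, plus a map of running
containers to the digest they were started from. Given an advisory naming a
package and the first fixed version, it answers two questions: which
containers are impacted (and must be replaced, never patched in place), and
whether a running container still matches its image. All digests, package
lists and container names below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: digest -> {package: version}, recorded at build time.
IMAGE_BOM: dict[str, dict[str, str]] = {
    "sha256:constructed-aaaa": {"openssl": "1.1.1k", "zlib": "1.2.11", "busybox": "1.33.1"},
    "sha256:constructed-bbbb": {"openssl": "1.1.1u", "zlib": "1.2.13"},
    "sha256:constructed-cccc": {"zlib": "1.2.11", "musl": "1.2.3"},
}

# Constructed runtime view: (container name, image digest it was started from).
RUNNING: list[tuple[str, str]] = [
    ("api-1", "sha256:constructed-aaaa"),
    ("api-2", "sha256:constructed-aaaa"),
    ("worker-1", "sha256:constructed-bbbb"),
    ("cache-1", "sha256:constructed-cccc"),
]


@dataclass(frozen=True)
class Advisory:
    """A vulnerable package and the first version that contains the fix (constructed type)."""
    package: str
    fixed_in: str


def version_key(version: str) -> tuple:
    """Split '1.2.11' or '1.1.1k' into comparable parts (numeric where possible).

    Plain string comparison would rank '1.2.9' above '1.2.11'; this avoids that.
    It is a simplification: real distro version schemes (dpkg, rpm, apk) have
    their own epoch and release rules and should be compared with their own tools.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed: str, advisory: Advisory) -> bool:
    """True when the installed version is older than the fixed version."""
    return version_key(installed) < version_key(advisory.fixed_in)


def affected_images(advisory: Advisory) -> list[str]:
    """Digests whose bill of materials contains a vulnerable build of the package."""
    return sorted(
        digest
        for digest, packages in IMAGE_BOM.items()
        if advisory.package in packages
        and is_vulnerable(packages[advisory.package], advisory)
    )


def containers_to_replace(advisory: Advisory) -> list[str]:
    """Running containers started from an affected image.

    Because the image is immutable, the remediation is a rebuilt image and a
    rolling replacement of these containers, not a patch applied inside them.
    """
    bad = set(affected_images(advisory))
    return sorted(name for name, digest in RUNNING if digest in bad)


def bom_drift(digest: str, observed: dict[str, str]) -> dict[str, str]:
    """Packages observed in a running container that differ from its image BOM.

    A non-empty result means the container changed after launch, which an
    immutable workflow should never allow. `observed` would normally come from
    a runtime scanner; it is passed in here so the check runs offline.
    """
    expected = IMAGE_BOM[digest]
    return {
        name: version
        for name, version in observed.items()
        if expected.get(name) != version
    }


if __name__ == "__main__":
    adv = Advisory(package="zlib", fixed_in="1.2.12")
    print("affected images:", affected_images(adv))
    print("replace containers:", containers_to_replace(adv))
    # Constructed observation: cache-1 grew a curl binary and a newer zlib at runtime.
    print("drift in cache-1:", bom_drift("sha256:constructed-cccc",
                                        {"zlib": "1.2.12", "musl": "1.2.3", "curl": "7.80.0"}))
```

The point of keying everything on the image digest rather than on a tag is that a tag can be re-pointed, while a digest identifies exactly one immutable artifact; that is what makes the answer to "which containers are impacted" exact rather than approximate, and what makes `bom_drift` meaningful as a detection signal.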
Which makes me wonder: had Docker not been a tool built by developers for developers, and built with security first, would we developers be fighting its adoption?