I am a huge fan of using containers for development and production in order to keep parity across all environments where we develop and deploy our code.
Today I came across the Containers Under Attack article, which talks about container security, but I do not see mentioned there a thing that has bothered me since I started using containers.
Stop here, read the article I linked above and then continue...
So the thing that bothers me the most is that a lot of developers are careless or unaware of the best practices for containers and they just treat them as a normal server or VM, where they ship all the software they need inside 1 single container, they even include unnecessary remote access like SSH or FTP!!!
Worse than this is that I see a lot of containers running all services as root... really??? Please keep any service running under an unprivileged user, unless it is strictly impossible to do so.
Another thing to bear in mind is that when using a new technology it is vital to take the time to study what the best practices are and how it can be secured properly.
Now if you want to really excel as a developer then try to understand how your current stack works under the hood in a high-level overview. Remember that the best developers are always the ones that grasp at least 1 level below the stack they are using.
What are your thoughts on this?
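The two habits the post calls out, services left running as root and SSH or FTP shipped inside the image, can be checked mechanically. The following is an added example, not part of the original post: a small Python audit run over two constructed sample Dockerfiles. The package and port lists, and the assumption that the base image leaves the user as root, belong to this example.

```python
import re

# Constructed sample Dockerfiles for this example (not from the post).
WEAK = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nginx openssh-server vsftpd
EXPOSE 80 22 21
CMD ["/usr/sbin/sshd", "-D"]
"""
HARDENED = """\
FROM alpine:3.19
RUN adduser -D -H app
COPY server /usr/local/bin/server
USER app
EXPOSE 8080
CMD ["/usr/local/bin/server"]
"""

# Assumed, non-exhaustive lists of remote-access packages and ports.
REMOTE_PKGS = {"openssh-server", "openssh", "dropbear", "vsftpd", "proftpd"}
REMOTE_PORTS = {"21", "22"}

def audit(dockerfile):
    """Return findings for root execution and bundled SSH/FTP access."""
    findings = []
    user = "root"  # Docker runs as root when no USER instruction is given
    # Join backslash continuations so each instruction is one line.
    for line in re.sub(r"\\[ \t]*\n", " ", dockerfile).splitlines():
        instr, _, args = line.strip().partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            user = "root"  # assumption: base image does not set its own USER
        elif instr == "USER":
            user = args.split(":")[0].strip()
        elif instr == "RUN":
            for pkg in sorted(REMOTE_PKGS & set(re.split(r"[\s;&|]+", args))):
                findings.append(f"remote-access package installed: {pkg}")
        elif instr == "EXPOSE":
            for port in args.split():
                if port.split("/")[0] in REMOTE_PORTS:
                    findings.append(f"remote-access port exposed: {port}")
    if user in ("root", "0"):
        findings.append("final stage runs as root")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

A check like this fits as a CI step that fails the build when the findings list is not empty.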
Top comments (9)
Well you hit 2 fine nerves
But like the article says, the biggest issue is the users, what apps they put in there and what images they use.
We already know that the weakest link in security is the humans so why would containers be any different :( :)
With containers the security of what is running inside of them may have declined because developers are now tasked with something that shouldn't be for them to do... at least at a professional level.
Infrastructure is not for developers, but for DevOps, thus the latter ones should be the ones creating the Container Stack to be used across development and production.
Trying to be the jack of all ends up in being the Jack of none and in the end Security is sacrificed, because no one can be the master of all.
NOTE:
Thanks for the link, but please next time put (pdf) so that we know we are opening a potentially dangerous target... don't blindly trust PDFs.
I agree. As a dev, I rely on the devops to do that stuff for me and fix/consult if I made a mistake. I happen to know a few more things because I have a passion for these sorts of things (cloud, docker..) but it is not my call to decide in the end.
Can PDFs harm the browser? I presume some attacks can happen if opened by a fully capable reader, but I think the browser is limited, or not?
Well, any site you visit can exploit vulnerabilities in the browser to compromise your computer. So always be suspicious of sites that keep spinning after all content has been loaded.
Regarding PDF exploits, see this article
Imho DevOps is not a role, DevOps is a culture and mindset - therefore it is for developers.
But people should receive the proper training and get enabled to keep security in mind - at best in an automated way... There are so many tools for ci/cd pipelines that take care of open ports, fuzzing input, container security....
I know that DevOps should be known as a culture but in practice it has become a role category, let's say it is like the SysAdmin of the Cloud. We just need to take a look at job posts to see that DevOps is seen by the majority as a role.
While everyone is pushing the responsibility for the infrastructure onto the developer, that is a huge mistake that is later paid for with security holes, despite any software you put on it.
Developers' time should be spent solving the business problem they have been tasked with, not figuring out the infrastructure, because if they have to do it they will just try to make it work... and we all know how it ends up when the developer only tries to make it work.
If the devs produce software that is full of security issues - it has a business impact. Just not a positive one ;)
Many developers I know of prefer using ubuntu for a base image instead of the lighter alpine. Their logic is that in case you need to add more stuff later to the image, it is easy to modify Dockerfile to run apt-get because of the extensive repos and documentation for Ubuntu. On the other end of the spectrum are people shipping scratch containers which do not work on many environments. I think it is a balance between developer convenience and efficiency.
I agree with you that Ubuntu should not be used for a base image and more often than not Alpine is used because of the size not because of its excellent track record in security.
Scratch containers should be used only when you can release binaries for each platform you want to target.
Security should not be exchanged for convenience for the benefit of developers.