LAS VEGAS – Developers are often viewed as the aggressors when it comes to online security. But participants at a Black Hat USA session argued that developers were actually the new targets of attacks. This is increasingly coming to light as container developers become a bigger part of enterprise operations.
Sagie Dulce, senior security researcher at Aqua Security, said developers in charge of microservices and container deployments have become a prime target of security attacks by their peers.
Dulce said most developers are not paid to “think security” when working on platforms. This leads developers to take shortcuts when initially setting up a container or Docker deployment in an attempt to speed up work, at the expense of security down the road.
“It’s not secure, but you might do it anyway because it helps to get things done,” Dulce said. “A single developer can lead to all containers being infected.”
Docker API Attack
Since this was the Black Hat conference, Dulce then went into great detail on a way to hack a Docker application programming interface (API).
The complex (for a non-developer) attack included three different steps, which resulted in the insertion of an undetectable “shadow container” running on a developer’s system. The shadow container allowed the attacker to gain control of the container environment and corresponding applications running in that environment.
The attack was shown on a Windows-based server, though Dulce said it could also be performed on a Linux or Mac device.
Docker reportedly had already patched the vulnerability, working on information provided by Dulce.
The demonstration followed a Black Hat session where Capsule8 CTO Dino Dai Zovi also showed an attack on container orchestration platforms. Dai Zovi concluded that the Docker Swarm orchestrator was the “gold standard” among its peers in terms of orchestration security.
Following the breach, Dulce provided a few tips for averting similar security attacks. He said to avoid exposing the container API, but if you do expose it, to make sure clients are authenticated before they can access the container environment.
“Bottom line is you don’t know how you are going to be attacked,” Dulce said.
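Dulce's advice above (do not expose the container API, and authenticate clients if you do) can be turned into a configuration check. This is an added example, not code from the talk or from Docker. It assumes the daemon's listeners are set through the `hosts` key of `daemon.json` (listeners passed as command-line flags are not covered), and the sample configurations are constructed.

```python
import json

# Constructed sample daemon.json documents (not taken from the talk).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
AUTHENTICATED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'


def audit_daemon_config(text):
    """Return a list of findings for the text of a Docker daemon.json."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # API is reachable only through a local socket

    # With tlsverify the daemon only accepts clients that present a
    # certificate signed by the CA named in tlscacert.
    client_auth = cfg.get("tlsverify") is True
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        # A loopback listener is still reachable by any local process.
        loopback = addr.startswith(("127.", "localhost", "[::1]"))
        if not client_auth:
            scope = "loopback" if loopback else "network"
            findings.append(
                f"{host}: API exposed on {scope} without client authentication"
            )
    if client_auth:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify set but {key} not set explicitly")
    return findings


if __name__ == "__main__":
    for name, doc in [("exposed", EXPOSED), ("authenticated", AUTHENTICATED),
                      ("local only", LOCAL_ONLY)]:
        print(name, "->", audit_daemon_config(doc) or "no findings")
```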
Despite the noted security threats, enterprises appear to be coming around when it comes to confidence in container security. Gartner recently said it believes that, “by 2019, 90 percent of enterprises will consider properly secured container deployments as secure as virtual machines, up from less than 20 percent in 2016.”
As with many security platforms, Gartner explained that container security concerns are often due to the deployment method and not necessarily the technology itself.
“Containers are not inherently unsecure, but they are being deployed in an unsecure manner by developers, with little or no involvement from security teams, and little guidance from security architects,” the analyst firm said. “Traditional network and host-based security solutions are blind to containers.”