Aqua News

According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container. Exec is a Unix command where one exec command replaces the current shell process without creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host. This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security.

The vulnerability affects Docker, which issued a patch on Jan. 10. But bloggers at Aqua Security, a firm established by security veterans of Intel, CA Technologies and Imperva, said the vulnerability would be found in non-Docker container systems that make use of the Open Containers Initiative’s standard RunC code.

Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications. They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies.

2016 was a big year for the virtual container space, and 2017 looks even more promising. The industry saw tremendous growth and continues to evolve at a rapid pace. Containers, being still relatively new, present challenges in security, but the past year has seen much progress in addressing those challenges. As 2016 comes to a close, let’s reminisce on the most important milestones in the container market, more or less in chronological order

The new year promises rapid growth in containers, serverless and cloud-first application platforms. Kurt Marko identifies the PaaS tools to watch in 2017

Central control of access policies is another area where container management software is wanting. Microsoft recently made a significant investment in Israeli security startup Aqua Security with software that automates and monitors policy enforcement throughout the container lifecycle.

Security, of course, is vitally important in all spheres of IT and telecom. This is nowhere truer than in DevOps. Code that has fatal flaws built in is a disaster waiting to happen. Another set of lists, this one on DevOps security, was offered last week by Aqua Security Co-Founder and CTO Amir Jerbi.

Byline by Aqua CTO Amir Jerbi – It’s no secret that devops and IT security, like oil and water, are hard to mix. After all, devops is all about going fast, while security is all about proceeding carefully. However, both devops and security serve a higher authority—the business—and the business will be served only if devops and security learn to get along.