“SecDevOps [shifts] security to the left of the development cycle, allowing for security best practices such as image scanning, access controls, and other policy-based controls to be integrated at the beginning and throughout the development life cycle,” said Shahar Man, vice president of R&D for Aqua Security.
“What we’re seeing with DevOps and continuous integration and agile is an opportunity to insert security earlier in the process,” says Tsvi Korren, senior director for technical services at container security platform vendor Aqua.
The root of the problem lies with runC, the container runtime used by Docker. As Aqua Security explains:
There is a (very) small “window” of opportunity, before the runc init process execs the command inside the container, where the container has access to the runc init process on the host. This is because runc enters the namespace of the container before it execs the final command. This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system. Because many containers run as root, this indeed has serious implications.
According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container. Exec is a Unix command that replaces the current shell process with a new program without creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host. This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security.
The vulnerability affects Docker, which issued a patch on Jan. 10. But bloggers at Aqua Security, a firm established by security veterans of Intel, CA Technologies and Imperva, said the vulnerability would also be found in non-Docker container systems that make use of the Open Container Initiative’s standard runC code.
Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications. They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies.
2016 was a big year for the virtual container space, and 2017 looks even more promising. The industry saw tremendous growth and continues to evolve at a rapid pace. Containers, being still relatively new, present challenges in security, but the past year has seen much progress in addressing those challenges. As 2016 comes to a close, let’s reminisce on the most important milestones in the container market, more or less in chronological order.
The new year promises rapid growth in containers, serverless and cloud-first application platforms. Kurt Marko identifies the PaaS tools to watch in 2017.