Container Virtualization and Development Security
Virtualization is the partitioning of a hardware server into several virtual machines (VMs). As a result, computing power is distributed among several “users.”
In simple terms, virtualization resembles a high-speed train, in which many passengers travel at once. They actually share the cost of fuel and vehicle maintenance, use it as needed and save space on the roads (compared to the situation where everyone could choose their own car instead of a train).
Virtualization is controlled by a software component called the hypervisor. It abstracts the VM from the hardware, so the user application does not know what works in the virtual environment.
This leads to the main advantage of virtualization: a virtual machine can be transferred from one server to another together with the operating system and applications.
How containers work
In the case of containers, it is not the hardware that is broken into individual components, but the operating system. Containers are an isolated environment for an application that contains everything necessary for its work, for example, program libraries, files and metadata.
It is possible to draw an analogy with sea containers, with the help of which individual shipments are transported on ships, wagons or trains. Software containers are modules with code that performs a specific task. Containers simplify assembly, testing and deployment pipelines in DevOps.
DevOps (development operations) is a methodology that began in 2009 and is aimed at the interaction of programmers and system administrators to increase the frequency of releases.
What is container management systems?
The container management system (orchestration system) is a web-based administration panel that manages the operation of containers. An example would be the open platform Kubernetes, developed by Google. There are other solutions – Docker, Rancher, OpenShift, and so on.
These solutions are needed for flexible scaling of the virtual infrastructure. These systems manage the “schedule” (they say when to start this or that service) and distribute the load on the servers so that computing resources are used evenly.
Developers and system administrators can finally agree on one thing – containers give developers the opportunity to experiment without any risks and restrictions. Virtual containers are directories (if you are a Windows supporter, you can call them folders), which are securely isolated from the rest of the operating system space. In essence, a container is a secure development system that shares the most important files with the host operating system, while allowing the developer to create an application without fear of possible negative consequences for the host. The container is equipped with its own IP-address, identifier, file system (only a few files are “borrowed” from the host) and the level of execution.
Everyone is already accustomed to the fact that system administrators and software developers are constantly arguing with each other about user rights, application rights, access with administrator privileges, application hosting, and requirements for allocated disk space. Container virtualization removes all these contradictions, except for the question of disk space. System administrators retain the privilege of allocating disk space for containers, but in other matters, developers administer their container as they wish. They can reload the container when they like, install any software and perform any tests and experiments without fear of disturbing the host.
What else makes containers so attractive for developers is the ability to debug the application in exactly the same environment in which it will be used. Traditionally, debugging is carried out in an environment that has a number of differences from industrial – a different processor architecture (for example, fewer cores), differences in versions of the basic software, a different schedule for installing updates.
These unpleasant differences create problems in software support that can drive an administrator crazy. Developers prefer to build applications using the latest versions of the software used. But working environment administrators will not allow to put such versions, as they have questions regarding stability and the presence of vulnerabilities, and these questions are quite fair, especially to software at the beta stage.
However, the use of containers removes a number of similar difficulties in debugging software on an industrial system. Developers can use the latest versions of the necessary tools and check the stability of their work. All possible vulnerabilities are “locked” in the container and do not carry risks for the industrial system.
However, the use of containers removes a number of similar difficulties in debugging software on an industrial system. Developers can use the latest versions of the necessary tools and check the stability of their work. All possible vulnerabilities are “locked” in the container and do not carry risks for the industrial system.
It is worth noting that Docker is one of the most popular container systems. It is an open platform that gives developers and system administrators the ability to create, distribute and execute distributed applications. In Docker containers, applications can run on any operating system. Using Docker allows you to accelerate the development of applications and reduce the time they prepare to start selling users.
Development safety
Important and necessary in the coming years, as the speed of development grows, cybersecurity shifts closer to the beginning of the cycle, and now developers are faced with the task of identifying threats and protecting them from the product not only during its launch, but also before the development cycle begins. Security solutions must be designed to successfully protect various environments (physical, virtual, and cloud), ensure that IT security and DevOps work closely together, and contribute to the consolidation of security tools and regulatory requirements, without interfering with development processes. With the growth of DevOps, new sources of vulnerabilities are emerging, and a larger segment of the business needs protection. This is where developers come to the aid of a new solution from Trend Micro, which expands the possibilities of protecting containers with the launch of Deep Security Smart Check.
Deep Security Smart Check helps DevOps experts ensure the safety of their development by quickly and continuously scanning for threats and vulnerabilities, a single control panel, notifications and scanning logs, thereby fulfilling the requirements of regulators. The Smart Check solution is optimized for leading container platforms with Docker API 2.0 support, such as the Docker Trusted Registry, Amazon Elastic Container Registry, Azure Container Registry and Google Container Registry; it also integrates with leading SIEM systems and orchestration tools, such as Jenkins, Kubernetes, SumoLogic, Splunk, etc.
If you are a developer, then you should try out the containers in your work. If you are a system administrator, then you should allow the use of these isolated environments in the systems you support, and Smart Check solutions allow architects and developers to embed security as code into applications before they are deployed, effectively providing protection in the early stages of development, and at the same time reducing the number of manual operations using automatic image scanning for new vulnerabilities and malware.