Container Security Platform 2.0 release aims to help further segment application container traffic and adds new support for secrets management.
“Traditional host-based security agents don’t understand containers and lack the context to enforce different policies on different containers in the same host,” notes Neil MacDonald, VP Distinguished Analyst at Gartner Research. “Depending on the network architecture used, container-to-container traffic within a physical host may not be visible to external network firewalls and intrusion detection and prevention systems.”
Aqua Security, provider of the leading platform for securing containerized applications, today announced the release of version 2.0 of its Container Security Platform (CSP). Aqua CSP Version 2.0 features automated nano-segmentation of container network traffic, cross-platform secrets management, and sensitive data discovery. Other enhancements include management by labels, integration with Atlassian Jira, and large-scale vulnerability scanning.
Aqua’s CTO Amir Jerbi suggests some key things DevOps should know about securing containerized applications.
“SecDevOps [shifts] security to the left of the development cycle, allowing for security best practices such as image scanning, access controls, and other policy-based controls to be integrated at the beginning and throughout the development life cycle,” said Shahar Man, vice president of R&D for Aqua Security.
“What we’re seeing with DevOps and continuous integration and agile is an opportunity to insert security earlier in the process,” says Tsvi Korren, senior director for technical services at container security platform vendor Aqua.
The root of the problem lies with runC, the container runtime used by Docker. As Aqua Security explains:
There is a (very) small “window” of opportunity, before the runc init process execs the command inside the container, where the container has access to the runc init process on the host. This is because runc enters the namespace of the container before it execs the final command. This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system. Because many containers run as root, this indeed has serious implications.
According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container. In Unix, exec replaces the current shell process with the given command rather than creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host. This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security.
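The passage above notes that the impact of the runC window is made worse because many containers run as root. One mitigation that needs no change to the runtime is to drop root inside the image. The Dockerfile below is an added illustration, not code from Aqua or from the runC project; the base image, the `app` account and the `/opt/app` path are assumed for the example.

```dockerfile
# Added example: build the image so its main process is not root.
# The weak form of this file is identical but omits the RUN and USER
# lines, so CMD would run as uid 0 inside the container.
FROM debian:stable-slim

# Create an unprivileged system account for the service (assumed name).
RUN groupadd --system app && useradd --system --gid app --no-create-home app

# Copy the application and give ownership to that account (assumed path).
COPY --chown=app:app app /opt/app

# Everything after this line, including CMD, runs as the 'app' user.
USER app
CMD ["/opt/app/server"]
```

For images that do not set USER, the same effect can be enforced at launch with `docker run --user <uid>:<gid>`, which overrides the image's default and keeps the container's process unprivileged on the host even if it reaches a host-side descriptor.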