Many organizations have adopted, or are currently adopting, containerization as a strategy for deploying their applications. This provides numerous benefits but also presents challenges once security is taken into consideration, not the least of which is tool sprawl.
This is exemplified by the fact that a single Docker container could be run on the serverless container services on any of the big cloud providers, as well as on a Docker host installed on a PC running under a developer’s desk. Moreover, vulnerabilities present on the operating system host, the container host, or the container workload itself all present attack surfaces for bad actors to leverage against organizations.
This raises the question: how do security teams gain confidence that they are addressing vulnerabilities across this spread of environments and tools in a holistic manner? They need to be sure that they are addressing vulnerabilities across the host operating system (where available), the container host and the container workload itself. Moreover, they need to be aware of the phases at which vulnerabilities are introduced: pre-deployment, within the CI/CD pipeline, and finally at runtime.
Dane Grace presents the 9-box model of container VRM, which is a conceptual framework that helps security teams identify the layers of technology and phases of deployment that they need to address.
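As an added illustration (not part of the original abstract or of Dane Grace's material), the nine cells of the model can be treated as a coverage matrix: given an inventory of which scanning tools report on which layer/phase cell, a team can list the cells nothing covers and bucket findings from any scanner by cell. The tool names, the layer and phase labels, and the findings below are constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Axes of the 9-box model: technology layer x deployment phase.
LAYERS = ("host_os", "container_host", "container_workload")
PHASES = ("pre_deployment", "ci_cd", "runtime")
Box = Tuple[str, str]  # (layer, phase)

def all_boxes() -> List[Box]:
    """Every layer/phase cell of the model, in a fixed order."""
    return [(layer, phase) for layer in LAYERS for phase in PHASES]

def validate_box(box: Box) -> Box:
    """Reject cells outside the model so a typo cannot look 'covered'."""
    if box[0] not in LAYERS or box[1] not in PHASES:
        raise ValueError(f"not a 9-box cell: {box}")
    return box

def coverage_gaps(tools: Dict[str, Set[Box]],
                  not_applicable: Iterable[Box] = ()) -> List[Box]:
    """Cells no inventoried tool reports on, minus cells that do not exist
    in this environment (e.g. the host OS on a provider-managed serverless
    container service)."""
    covered = {validate_box(b) for boxes in tools.values() for b in boxes}
    skip = set(not_applicable)
    return [b for b in all_boxes() if b not in covered and b not in skip]

def findings_per_box(findings: Iterable[Dict[str, str]]) -> Dict[Box, int]:
    """Count findings from any scanner by the cell they belong to."""
    return dict(Counter(validate_box((f["layer"], f["phase"])) for f in findings))

# Constructed tool inventory and findings (illustrative, not real tool output).
TOOLS = {
    "image_scanner": {("container_workload", "pre_deployment"),
                      ("container_workload", "ci_cd")},
    "host_agent": {("host_os", "runtime"), ("container_host", "runtime")},
    "runtime_sensor": {("container_workload", "runtime")},
}
FINDINGS = [
    {"id": "F-1", "layer": "container_workload", "phase": "ci_cd"},
    {"id": "F-2", "layer": "container_workload", "phase": "ci_cd"},
    {"id": "F-3", "layer": "host_os", "phase": "runtime"},
]

if __name__ == "__main__":
    for gap in coverage_gaps(TOOLS):
        print("no tool covers", gap)
    print(findings_per_box(FINDINGS))
```

Passing the host-OS cells as `not_applicable` models a serverless container service where the provider owns that layer, so only genuine gaps remain in the report.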