Sayers Blog


Doomsday Docker Software Vulnerability

The attraction of a DevOps strategy is understandable, but sometimes I feel like the speed of business should be just a bit slower.  

At least slow enough for us security professionals to get properly on board. The most recent indicator of this need is the runc vulnerability just identified in the most common container toolsets in use today. Docker, Kubernetes, and anything else in this family of tooling that launches containers through runc are candidates for patching against what some are calling the “Doomsday Docker” vulnerability.

In summary, an unpatched runc lets an attacker who can run a command as root inside a container (through a malicious image the host starts, or through docker exec into a container the attacker has already written to) overwrite the host's own runc binary, gain root on the host and, from there, compromise every container running on it.
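Since the remedy is patching, the first practical question on every Docker host is whether its engine predates the fix. The script below is an added example (not Sayers' code and not from the Docker or runc projects) that compares a Docker Engine version string against 18.09.2, the first upstream Docker release that shipped a runc with the CVE-2019-5736 fix. It assumes upstream Docker CE/EE version numbering; distribution packages that backported the fix under an older version number, and runc binaries (whose version string did not change when the fix landed), are not covered, so treat a "fixed" verdict as a triage result rather than proof.

```shell
#!/bin/sh
# Added example, not Sayers' or Docker's own tooling: flag a Docker Engine
# whose version predates the CVE-2019-5736 fix (upstream fix: Docker 18.09.2).
# Assumption: upstream version numbering; vendor backports are not detected.

FIXED_DOCKER_VERSION="18.09.2"

# version_ge A B -> exit 0 if dotted version A >= B, comparing field by field
# as integers. Non-numeric suffixes such as "-ce" are ignored.
version_ge() {
  a=$1; b=$2; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}                    # drop "-ce" etc.
    x=${x:-0}; y=${y:-0}                                # missing field == 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# docker_needs_patch VERSION -> exit 0 (true) when VERSION predates the fix.
docker_needs_patch() {
  if version_ge "$1" "$FIXED_DOCKER_VERSION"; then return 1; else return 0; fi
}

# report VERSION -> prints a verdict; returns 2 if patching is required, 0 if not.
report() {
  if docker_needs_patch "$1"; then
    echo "Docker $1: predates $FIXED_DOCKER_VERSION, patch runc for CVE-2019-5736"
    return 2
  fi
  echo "Docker $1: at or above $FIXED_DOCKER_VERSION, upstream runc fix present"
  return 0
}

# Usage: sh check_runc.sh VERSION
# e.g.   sh check_runc.sh "$(docker version --format '{{.Server.Version}}')"
if [ $# -gt 0 ]; then
  report "$1"
fi
```

The exit status (2 for "patch required") makes the script usable from a fleet inventory loop or a CI gate; versions such as 18.06.1-ce, 18.09.1 and 19.03.5 are handled by the numeric field-wise comparison.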

Patching aside, there are solutions that focus strictly on securing the DevOps container ecosystem and provide a foundation for moving to a true DevSecOps strategy; they complement the patch rather than replace it. If you do not fully understand the container security market today, or how to broach that topic with your development teams, Sayers can assist.


Security Exploit CVE-2019-5736 Advisory References: 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736

https://nvd.nist.gov/vuln/detail/CVE-2019-5736