The advent of containers has changed not only how applications are deployed, but how IT shops do their daily business. Containers offer many well-documented benefits that span the full breadth of a modern IT department and the full lifecycle of applications. Securing containers, however, requires a mix of specialized and traditional security tools. We describe some of the most popular container security tools below, but first let’s look at the security challenges containers present.

Container security challenges

The benefits of containers, like the availability of standardized images, rapid iteration, and scalability, bring their own challenges to those responsible for enterprise security. Standardized images (standalone executable software packages) from public repositories and images built by internal development teams must be vetted and approved. The scalability and varying infrastructure backing containerized apps necessitates that any process or tool used to ensure the security of your applications be both dynamic and flexible.

Many businesses experience secondary benefits from containers through DevOps processes like continuous integration and continuous delivery (CI/CD). These processes dramatically increase the efficiency of the development and deployment process, putting pressure on security to maintain that efficiency while still securing critical corporate applications.

Many information security tools have limited use as your infrastructure matures and innovates with containers and a cloud-first architecture. For example, tools like endpoint protection, policy-based configuration, and network monitoring are ill-equipped to handle images that deploy automatically, iterate quickly, and scale dynamically. These tools often negatively impact performance and don’t provide great feedback to application developers or administrators.

A few traditional security components remain integral to a container-based infrastructure, however. Log analysis and security information and event management (SIEM) tools are key for consuming and correlating log data, though tools to streamline the process of identifying log data to pass to your SIEM are critical to maintaining full visibility.

A pain point for both traditional applications and those running in containers is secrets management, which includes things like credentials, API keys, or private certificates. Having credentials or API keys embedded within an application in plaintext is a common attack vector, and properly securing these secrets within any application is non-trivial. Containers add complexity to this problem. Embedding credentials into pre-packaged images is a major security concern. Managing these secrets throughout your infrastructure is also a significant effort. The ideal solution would be to apply these credentials at runtime, making secrets management a key need for any container security solution.

It’s not fair to paint containers as a security nightmare, because it’s simply not true. When properly managed containers offer an ideal framework for optimally securing your applications. The same flexibility container images offer for installation make them ideal for automated vulnerability analysis at multiple stages of the application lifecycle. Images may also be designated as read-only, or “immutable”, making it much harder for bad actors to compromise the container once it’s been deployed.

Similarly, your infrastructure can be architected to prevent containers from reaching outside their designated run space, a technique known as “container escape,” and potentially used to attack the host platform or other containers. Many of the tools listed here incorporate container security measures into a single pane of glass, making management and automation that much easier.

Securing containers and their platforms through traditional tools is a non-starter. Container security tools should leverage the same strengths and standards containers bring to integrate more tightly into DevOps processes. Why not provide developers visibility into compliance and policy rules as they are developing an application so they can address security concerns on the fly? Instead of manually creating policies, firewall rules, and even remediation processes, why not use code, automation, and tooling to help design, enforce, and report on security standards?

Security tools for a container-first infrastructure

Tools for securing containers and their platforms not only enable you to improve the security posture of your containers but integrate security more tightly into the entire container lifecycle, from development to runtime.

Alert Logic Managed Detection and Response (MDR)

The Alert Logic service focuses on intrusion detection through real-time analysis of network packets and application logs. MDR is not only a tool, but a managed service that provides security capabilities (either as a team with the professional tier or a dedicated analyst with the enterprise level, priced at $2,400 or $4,500 a month, respectively, with a three-year contract) to help monitor and secure an organization’s entire computing environment with specialized tuning for container-based workloads and applications.

Anchore Enterprise

Anchore Enterprise is geared more toward the development process than runtime, bringing graphical tools (as well as API-based management) to inspect images coming from public or private repositories, a searchable list of packages, as well as features like whitelists and blacklists. Anchore Enterprise integrates tightly with your CI/CD processes and facilitates compliance and best-practice checks throughout the development process. Anchore Enterprise offers tiered pricing based on feature set and throughput capacity.

Aqua Security

Aqua Security fully intends to secure the full container lifecycle with its cloud-native security platform. Aqua integrates with your CI/CD platform of choice as well as common image registries to identify potential vulnerabilities as early in the process as possible. Visibility into the various components of your container architecture is another key element Aqua provides, including cloud hosting, orchestration suites, and the networks connecting the different pieces. Aqua also talks to third-party secrets vaults, SIEM and alerting tools, and collaboration tools like Slack and Jira.

Aqua offers a variety of open-source tools as well as a free (non-production) developer license for their Aqua Wave solution. Aqua Wave and Aqua Enterprise are both priced based on enabled options and scale, with production licenses for Aqua Wave starting in the neighborhood of $10,000 per year.

Deepfence

Deepfence is a container monitoring solution that can provide dynamic policy creation and hardening, system auditing, and real-time monitoring, alerting and remediation. It has rich analytics capabilities that can be used to track application usage and performance over time, visualize system architecture, and investigate anomalous behavior. Deepfence licenses per node (running Deepfence agent) and offers both a free community edition and their enterprise edition, which is priced at $1,800 per node annually.

NeuVector

NeuVector is another option that inserts itself deeply into every aspect of the container lifecycle from development to runtime. Machine learning combines with integration into existing tools throughout the development and deployment process to identify anomalous behavior from applications and services. NeuVector even provides network traffic inspection at the application layer to prevent DDoS and DNS attacks. NeuVector licenses are available as an annual subscription starting at $1,200 per node/host.

Palo Alto Networks Prisma Cloud

Prisma Cloud is from one of the more established entities in network security and offers a feature set that compares favorably with the other tools covered here. While Palo Alto is generally known for its network security solutions, Prisma Cloud covers the entire container lifecycle, integrating all the way down into the tools developers already use like integrated development environments (IDEs) and software configuration management (SCM) tools. This push to integrate security into the process as early as possible allows for more rapid iteration and a more efficient development workflow. Prisma Cloud is licensed by the workload, which is generally defined as a resource in a cloud account.

Qualys Container Security

Qualys Container Security is another platform that does the full lifecycle, integrating with the DevOps pipeline, scanning images for vulnerabilities, and monitoring containers at runtime. Qualys also goes a step further and talks to common applications running in your containers monitor their health and identify potential vulnerabilities. Qualys offers licensing for both container security assessments and runtime protection based on host and node or per running container.

StackRox Kubernetes Security Platform

StackRox Kubernetes Security Platform brings the same intent to mature your container development lifecycle into an integrated DevSecOps process, and adds the ability to tie directly into Kubernetes, leveraging and enhancing native Kubernetes security controls. StackRox supports compliance assessments that identify variance from CIS, PCI, HIPAA and NIST standards and best practices, and will even let you simulate changes to network policies to predict their impact. StackRox licenses its security platform based on the number of Kubernetes worker nodes in use.

Sysdig Secure

Sysdig Secure begins looking after your container security during the CI/CD process or through integration with any Docker v2-compatible image registry. Vulnerability management is handled through a workflow-based process that supports grace periods based on vulnerability severity. Sysdig also gives you tools to detect configuration weaknesses, secret usage, and best practice violations. Sysdig offers three solutions (Sysdig Monitor, Sysdig Secure, and the Sysdig Secure DevOps Platform) at two pricing levels (Enterprise and Essentials). Essentials costs $20 monthly for Monitor, $40 for Secure, or $50 monthly for the full DevOps Platform. Enterprise pricing will depend on your requirements and will require a call to the Sysdig sales team.