Containers are the next big thing! They are the subject of tech gossip all over the world. As we are becoming more and more dependent on applications and they, in turn, on containers, the concern about container safety is real and valid.
But before we get into the myths about container security that are circulating among tech communities, let’s first get an idea of how big containers actually are.
What’s the Scale of Containers?
Containers have recently become outrageously popular and are being adopted at, maybe, a scale that nothing in the tech world has ever seen before.
According to a report by Gartner, as much as 70% of all organizations will use containers for at least three applications by 2023.
That is a massive number and is enough to highlight how important it is for containers to be safe.
But what is the actual state of container security? Let’s see some of the myths and the truth about them to get a realistic idea of the situation.
Myth 1 – Containers are Basically Insecure
This is the most damaging rumor about container security and also the most popular one. You don’t need to be a developer or cybersecurity expert to have heard this rumor. The narrative presented to support this myth says:
Containers are undoubtedly a secure way for different components of software to communicate, and that is a great thing, but containers can be connected in an insecure way. This can lead to developers building software that can leak critical data while it is in transit between containerized modules.
The simplest reply to this myth is that just because containers let you create software made up of messy, unsafe container connections does not mean you should do that. In other words, if it is possible to develop an insecure application using containers, it does not mean containers are inherently insecure.
However, it must also be kept in mind that there are some real concerns about container security.
One of these is that the recent spike in malvertising has shown that it is, at least theoretically, possible to misuse containerized ad delivery software to dispense malware.
The even bigger concern is that most of the firewall and malware detection programs are not currently equipped to identify and neutralize these threats.
As serious a concern as it is, this still does not mean you should just stop using containers. All you need is to improve your security situation to prevent such attacks.
Myth 2 – Virtual Machines are More Secure than Containers
Another of the arguments from the anti-container people says that the sole purpose of developing containers was to emulate true virtual machines, and that actual virtual machines are significantly more secure than containers.
This argument is also flawed to some degree and shows just one side of things. Let’s have a look at the truth of the matter.
- Firstly, and most importantly, contrary to popular belief, containers were never meant to replace VMs or to make it easier to work with them. In fact, containers are a totally novel approach to application development. There are a number of things where containers and virtual machines are the exact opposite of each other. In short, VM models are more of a device-focused approach, whereas containers make use of a module-based framework.
- The second thing that nullifies this rumor is that containers and virtual machines are fundamentally different and there can be no comparison between the two. It just does not make sense to say that VMs are more secure than containers.
What actually matters when developing a secure app is making security a part of it from the very start. That needs one thing: a thorough understanding of the security of the platform that you are using.
Consequently, the logical reply to this myth is that if you are more experienced in the VM model of app development and know the details of its security, it is more secure.
On the other hand, if you are experienced in dealing with containerized apps, you can develop a secure app with containers.
Myth 3 – Compliance is Difficult When Using Containers
Of all the myths circulating about container security, this one is the closest to the truth, but still not fully true. The people who support this idea say that developers who transitioned to containerized systems faced extreme difficulty in compliance over the last couple of years.
However, this does not mean that containers are inherently hard to scan and audit for compliance issues. Rather, it can safely be said that containers might even be easier to audit.
The main reason developers are facing this problem is that they are still new to containerized systems.
Evidence to prove this rumor wrong is the use of containerization by Instagram. This app, which is installed on one in every four smartphones, manages to pass any compliance criterion set by the federal government.
This is because Instagram's management makes the liaison between the compliance and development teams so fluent that the compliance people can rectify, in time, any issue that can cause problems.
So can these myths/rumors stop containers from being the next big thing? We think not. Here’s something to back that up.
Containers are Here to Stay!
Like it or not, these rumors about container security are here to stay for the foreseeable future, and that’s not holding containers back.
A 2019 survey by the Cloud Native Computing Foundation determined that the use of containers in application development has become the norm of the industry. Four of every five deployment projects use containerization in one way or another.
Summing It Up
It all boils down to one thing: if you are a developer reluctant to adopt containerization because of security concerns, you need to extend your knowledge on the subject.
Containers are not inherently insecure or non-compliant. All you need to do is to know them inside out and you can use them with no security concerns.