Without a doubt, the concept of containerization is bringing new energy to modernization efforts across government.
Containers revolutionize the way organizations build, deploy, and manage applications. A container is an executable package of software that comes with everything you need to run an application – not just the code but all the necessary system tools, libraries, dependencies and files. By packaging the full runtime environment together with the application, developers can create an application that can be easily moved from one platform to another.
Think of an application as a house.
Let’s say you live in a traditional house. If you get a new assignment at work and have to move, you will need to find or build a house in the new town. That can be costly and time-consuming. But if you have a mobile home, you can take everything you need with you, wherever you need to go. Containers provide that mobility.
Containerization has numerous benefits. It enables developers to build an application that can be run on different platforms or in different locations. This makes it possible to:
- Move workloads anywhere to suit their needs
- Dynamically scale the application
- Run many independent applications on a single host at once
In short, containers help agencies to make more efficient use of IT resources.
But there’s a catch: Validating the contents and security of containers can be difficult. This lack of visibility is a key concern for agencies looking to deploy containers at scale in production environments.
In fact, studies have shown that up to 99% of applications contain open source components, with upwards of 75% containing unpatched vulnerabilities. Additionally, Gartner predicts that 70% of the attacks on containerized applications will target known vulnerabilities.
The problem is that integrating security into the development process adds complexity that can slow productivity and delay delivery. It’s tempting to make up for lost time by rushing the build or test, but that just exposes an agency to increased risk of a security breach or production outage. And that still doesn’t account for containers that originate outside an agency’s sphere of control.
The question is: How can you establish a scalable and secure method for containerized application delivery?
Increasingly, organizations are taking two approaches:
- Container packaging is the process of bundling together all files, components, and information in an application executable file or package.
- Platform as a Service is a form of cloud computing where the hardware and an application software platform are provided by another party. Aimed primarily at developers and programmers, a PaaS allows the user to develop, run, and manage their own applications without having to build and maintain their own infrastructure or platform.
When bringing in external content to build your applications, you need to take a proactive approach to content management. For example, when reviewing container images prior to deployment, you need to ask:
- Are the container images signed and from trusted sources?
- Are there any unpatched vulnerabilities within the base image or the application?
- How quickly and how often will the container be updated?
- Are known problems identified, and how will they be tracked?
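The four questions above can be turned into an automated pre-deployment gate. The following is an added example, not code from the course or from Red Hat or Synopsys; the trusted-registry allowlist, the 90-day base-image age limit, the `ImageRecord`/`Finding` shapes and the placeholder CVE identifiers are all constructed for illustration, and signature verification is assumed to have been performed upstream by whatever signing tool the agency uses.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
# Policy values assumed for this example (not taken from the course)
TRUSTED_REGISTRIES = {"registry.example.gov", "registry.access.redhat.com"}
MAX_BASE_AGE_DAYS = 90            # refresh cadence we expect for base images
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

@dataclass
class Finding:                    # one row of a vulnerability scan report
    cve: str
    severity: str
    fixed_version: str | None     # None: the vendor has not shipped a patch yet
    tracked: bool = False         # True: recorded in the team's issue tracker

@dataclass
class ImageRecord:
    reference: str                # registry/repo:tag or registry/repo@sha256:<digest>
    signature_verified: bool      # outcome of signature verification, assumed done upstream
    base_image_built: date
    findings: list[Finding] = field(default_factory=list)

def registry_of(reference: str) -> str:
    """Registry host of an image reference; a bare name resolves to the default public registry."""
    if "/" not in reference:
        return "docker.io"
    first = reference.split("/", 1)[0]
    return first if ("." in first or ":" in first or first == "localhost") else "docker.io"

def review_image(img: ImageRecord, today: date) -> dict[str, list[str]]:
    """Apply the four review questions; returns failed check -> reasons (empty dict means pass)."""
    problems: dict[str, list[str]] = {}
    # 1. Signed and from a trusted source? Also insist on an immutable digest, not a tag.
    if not img.signature_verified:
        problems.setdefault("provenance", []).append("signature not verified")
    if registry_of(img.reference) not in TRUSTED_REGISTRIES:
        problems.setdefault("provenance", []).append(f"untrusted registry {registry_of(img.reference)}")
    if "@sha256:" not in img.reference:
        problems.setdefault("provenance", []).append("referenced by mutable tag rather than digest")
    for f in img.findings:
        if f.fixed_version and f.severity.upper() in BLOCKING_SEVERITIES:   # 2. fix exists, not applied
            problems.setdefault("unpatched", []).append(f"{f.cve} ({f.severity}) fixed in {f.fixed_version}")
        elif f.fixed_version is None and not f.tracked:                     # 4. no fix: must be tracked
            problems.setdefault("untracked", []).append(f"{f.cve} has no fix and no tracking record")
    # 3. How often is the base image refreshed? A stale base accumulates unpatched packages.
    age = (today - img.base_image_built).days
    if age > MAX_BASE_AGE_DAYS:
        problems.setdefault("stale-base", []).append(f"base image is {age} days old (limit {MAX_BASE_AGE_DAYS})")
    return problems
```

An empty result means the image clears all four questions; anything else is a concrete reason to hold the deployment and open a ticket.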
By adopting containers, the public sector has changed the way it deploys applications. Now it’s time to change the way the public sector secures them, with the right container scanning tools designed for open source.
This article is an excerpt from GovLoop Academy’s recent course, “Don’t Get Blindsided by Hidden Security Threats,” created in partnership with Red Hat and Synopsys. Access the full course here.
I love the “house” metaphor for an application. Comparisons make concepts like this easier to understand!