Nudging towards a Secure Containerised Environment

Shyam Sundar C S
Published in Axel Springer Tech
4 min read, Jun 30, 2020
Baby Elephant Nudging its Mother. Photo by Hu Chen.

Containers provide an easy and efficient way to package and run applications. At upday, more than 60% of our workloads are containerized and orchestrated with Kubernetes.

We follow most of the best practices associated with building and running containers in production. To name a few, we build all containers with minimal packages, run containers as non-root, and enforce runtime policies within the orchestrator.

Incorporating static container scanning was on our infrastructure and security roadmap for this year. Why? Static scanning can reveal vulnerabilities before the container gets launched. But scanning alone doesn’t suffice. Unsatisfactory results should be acted upon!

So, how to make people pay attention to scan results?

This is where nudging helps!

Nudge is a concept in behavioural economics, political theory and behavioural sciences which proposes positive reinforcement and indirect suggestions as ways to influence the behaviour and decision making of groups or individuals.

In simple terms, whenever someone has to make a decision, a nudge helps to push them in the desired direction without forbidding the other options or changing their economic incentives.

Nudges are not mandates. To count as a nudge, the intervention must be easy and inexpensive to avoid.

Nudges can also work well in information security. One of the most common examples is the password strength meter found in the sign-up forms of most websites today. The prompt for secure behaviour appears at the moment the password is being entered and serves as a gentle nudge in the direction of good security practice.

Recently, Amazon Web Services (AWS) announced ECR Container Scanning based on the open-source Clair project. This feature solves our requirement to perform static vulnerability scanning of containers. The AWS engineers have written a nice blog post on its implementation along with steps to integrate it.

In this post, we will talk about how we nudge ourselves to act on the results of the ECR Container Scan before deploying into the production environment.

At upday, we use Jenkins as our CI/CD tool. All our build and deployments follow the pipeline steps transcribed in our shared declarative pipeline libraries.

At a high level, the shared pipeline library implements the following steps –

As such, we will be introducing a nudge before the deployment to the production environment.

As the pipeline has all the details regarding the container, we initiate a manual image scan after step 1, once the container image has been pushed to the container registry.

Pipeline step that initiates a manual scan of the recently pushed container image.

After step 2 is successful, the pipeline displays a summary of the scan results to make the approver aware of them. Clicking the link printed as part of the scan result shows the approver the results in detail, and only after an approval is the deployment allowed to proceed.

Pipeline step that displays the scan result and seeks approval before proceeding.

This simple display-and-approval step is a nudge. It is not a mandate. It is a gentle reminder that a valid security concern needs to be addressed.

ECR scan result of the vulnerable container in detail

After this was introduced, people became aware of the results and started to optimize the container build process: pulling the latest base images frequently, updating the system packages, and building with the --no-cache argument.

With these optimizations in place, the vulnerability scan results started to improve, and they now show None.

ECR scan result after a few sprints optimizing the container build process

The pipeline is designed to nudge only when vulnerabilities are found. This way, it doesn’t end up as yet another approval step that gets clicked blindly to proceed with the deployment.
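The scan-then-nudge flow described above, as an added example rather than upday's own shared pipeline library: a declarative Jenkins stage pair that starts an ECR scan for the image pushed in the previous stage, prints the severity summary, and asks for approval only when findings exist. It assumes the AWS CLI and credentials are available on the agent, the Pipeline Utility Steps plugin (for readJSON) is installed, and the repository name and tag shown are placeholders.

```groovy
// Added example, not the original post's code. ECR_REPO and IMAGE_TAG are placeholders.
pipeline {
    agent any
    environment {
        ECR_REPO  = 'my-service'              // placeholder ECR repository name
        IMAGE_TAG = "${env.BUILD_NUMBER}"     // tag pushed by the build stage
    }
    stages {
        stage('Scan image') {
            steps {
                script {
                    // Step 1: trigger the manual scan and block until ECR reports completion.
                    sh """
                        aws ecr start-image-scan --repository-name ${ECR_REPO} --image-id imageTag=${IMAGE_TAG}
                        aws ecr wait image-scan-complete --repository-name ${ECR_REPO} --image-id imageTag=${IMAGE_TAG}
                    """
                    // Severity counts come back as a map such as {"HIGH": 2, "MEDIUM": 5};
                    // the key is absent (query returns null) when there are no findings.
                    def raw = sh(
                        script: "aws ecr describe-image-scan-findings --repository-name ${ECR_REPO} " +
                                "--image-id imageTag=${IMAGE_TAG} " +
                                "--query imageScanFindings.findingSeverityCounts --output json",
                        returnStdout: true).trim()
                    def counts = readJSON(text: raw) ?: [:]
                    env.FINDING_SUMMARY = counts.collect { sev, n -> "${sev}: ${n}" }.join(', ')
                    env.HAS_FINDINGS = counts.isEmpty() ? 'false' : 'true'
                }
            }
        }
        stage('Review scan result') {
            // Step 2: the nudge. This stage is skipped entirely when the scan is clean,
            // so the approval prompt never becomes a reflexive click.
            when { environment name: 'HAS_FINDINGS', value: 'true' }
            steps {
                echo "ECR scan findings for ${ECR_REPO}:${IMAGE_TAG} -> ${env.FINDING_SUMMARY}"
                echo "Open the image in the ECR console to review each finding in detail."
                input message: "Vulnerabilities found (${env.FINDING_SUMMARY}). Deploy to production anyway?",
                      ok: 'Approve'
            }
        }
        stage('Deploy to production') {
            steps { echo 'Deploying...' }   // placeholder for the real deployment step
        }
    }
}
```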

To conclude, nudges can be used effectively to lead towards better security outcomes.

At upday, we believe that security goes hand in hand with engineering our products. As an engineer, if you align with such a thought process, you are welcome to apply to us.


CTO at one of the biggest news app companies in Europe.