What are virtual machines?
A virtual machine (VM) is the virtualization/emulation of a computer system in software, with no direct correspondence to any real hardware. Many virtual machines can run as ordinary executing code on a single set of physical hardware, a "many to one" mapping. The physical, "real-world" hardware running the VMs is generally referred to as the 'host', and it may run many virtual machines at once. The virtual machines emulated on the host are generally referred to as the 'guests'. The emulator software on the physical host that manages the multiple guests is typically referred to as a hypervisor.
What are containers?
A container is a newer paradigm than traditional virtual machines. It is really two different things because, like a normal Linux program, a container has two states, at rest and running:
- When at rest (not running), a container is a file (or set of files) saved on disk. This is referred to as a Container Image.
- When you type the command to start a container, the Container Engine unpacks the required files and metadata and runs the contained application; starting a container is very similar to starting a normal Linux process.
The difference between virtual machines and containers is that a container is much lighter: it does not contain a full guest OS, only the application to be run plus a minimal set of binary/library files needed to support the application. Conceptually it has more in common with the legacy chroot mechanism than with traditional VMs. The degree to which a full OS is present depends on whether the image is "distroless" (operating-system-distribution-less): a distroless base image contains no package manager, shell, or any of the other programs you would expect to find in a standard Linux distribution. Distroless images allow you to package only your application and its dependencies in a lightweight container image and reduce its attack surface.
Can containers be scanned by AppCheck?
Yes. AppCheck performs remote, network-based scanning. The degree to which such scans are effective depends on whether the container is distroless. Typically, in addition to the application itself, containers also include a base image such as Alpine Linux, which can be prone to vulnerabilities just as a virtual machine can, especially when the component versions are outdated and have known vulnerabilities. Such vulnerabilities can lead to privilege escalation and/or container escape. It is recommended to perform regular security audits within the containers to identify such security issues. For distroless images, these kinds of vulnerabilities cannot be assessed via remote DAST scanning such as AppCheck, but other vulnerabilities can be checked for, as described below.
How can AppCheck help in scanning containers?
AppCheck NG performs both infrastructure and web application scanning.
For web application scanning, AppCheck NG does not differentiate between containerised and non-containerised applications, so it is able to perform web application scans of running containerised applications (Application Containers).
For infrastructure scanning, AppCheck NG can scan containerised applications if they present a network footprint such as open service ports. Distroless containers that do not offer a full operating system footprint cannot be meaningfully scanned across the network from an infrastructure scan perspective. However, even in these circumstances, AppCheck can scan the host operating system on which the container platform is running (i.e. the Container Host).
Is AppCheck a complete solution for container security?
No. We would always recommend that AppCheck be used as a key part of a mature vulnerability management programme within an organisation, in which multiple tools are used to analyse components, applications and infrastructure for vulnerabilities from different perspectives; no one tool can be a universal panacea.
Additional practices for vulnerability detection in containers may include: static analysis of container image files (SAST) within the container registry; manual container security audits to review whether the setup of the host and container ecosystem is in line with best practice; checking that the container build file (e.g. a Dockerfile) does not contain misconfigurations (for example, ensuring that containers are run on a read-only file system); and implementing a solution to monitor container traffic and container logs.
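As an added illustration of the manual audit step above (this is example code written for this page, not AppCheck's or Docker's own tooling), the following POSIX shell script lints a Dockerfile for two of the misconfigurations such an audit looks for, an unpinned base image (which is how outdated components with known vulnerabilities creep in) and an application process that runs as root, and checks a `docker run` command line for the read-only root filesystem mentioned above. The two Dockerfiles and the `docker run` arguments are constructed samples, and the checks are deliberately narrow: they show the idea rather than replace a full linter.

```shell
#!/bin/sh
# Added example (not AppCheck's or Docker's own code): a small POSIX-sh lint for
# misconfigurations a manual container audit looks for in a Dockerfile and in
# the command used to start the container. The samples below are constructed.

# Read a Dockerfile on stdin, print one finding per line, and return the number
# of findings (0 means clean).
lint_dockerfile() {
    content=$(cat)
    findings=0

    # Check 1: every FROM should pin a tag or a digest. A bare name or ":latest"
    # means the base image (and the component versions inside it) silently
    # changes between builds, so what was scanned may not be what is deployed.
    # The awk takes the first FROM argument that is not a flag such as --platform.
    for ref in $(printf '%s\n' "$content" \
                 | awk 'toupper($1)=="FROM" { for (i=2;i<=NF;i++) if ($i !~ /^--/) { print $i; break } }'); do
        case "$ref" in
            scratch)   ;;                                  # empty base image, nothing to pin
            *:latest)  echo "FROM $ref: ':latest' is not a pinned version"; findings=$((findings+1)) ;;
            *:*|*@*)   ;;                                  # tag or digest present
            *)         echo "FROM $ref: no tag or digest"; findings=$((findings+1)) ;;
        esac
    done

    # Check 2: the effective user is the last USER instruction. None, "root" or
    # "0" means the application process runs as root inside the container, which
    # turns an application-level compromise into a stronger starting point for
    # privilege escalation or container escape.
    user=$(printf '%s\n' "$content" | awk 'toupper($1)=="USER" { u=$2 } END { print u }')
    case "$user" in
        ""|root|0|root:*|0:*)
            echo "USER: application process runs as root (USER '${user:-unset}')"
            findings=$((findings+1)) ;;
    esac

    return "$findings"
}

# Check the arguments of a 'docker run' command for a read-only root filesystem
# (--read-only); returns 0 when present, 1 otherwise.
run_has_readonly_fs() {
    for arg in "$@"; do
        if [ "$arg" = "--read-only" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample: a Dockerfile that builds and runs fine but was never audited.
WEAK_DOCKERFILE='FROM alpine
RUN apk add --no-cache python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]'

# Constructed sample: the same application with a pinned base image and a non-root user.
HARDENED_DOCKERFILE='FROM python:3.12-alpine3.19
RUN adduser -D -u 10001 app
COPY --chown=10001:10001 app.py /app/app.py
USER 10001
CMD ["python3", "/app/app.py"]'

# Usage: lint both samples and report the counts. The '|| n=$?' keeps a non-zero
# finding count from aborting a script run with 'set -e'.
n=0; printf '%s\n' "$WEAK_DOCKERFILE" | lint_dockerfile || n=$?
echo "weak Dockerfile: $n finding(s)"          # 2
n=0; printf '%s\n' "$HARDENED_DOCKERFILE" | lint_dockerfile || n=$?
echo "hardened Dockerfile: $n finding(s)"      # 0
if run_has_readonly_fs docker run --read-only --cap-drop ALL myapp:1.0; then
    echo "run command: root filesystem is read-only"
fi
```

The script deliberately lints the build file and the run command separately: a read-only root filesystem is a runtime property set when the container is started, not something the Dockerfile can enforce, so an audit has to look at both the image definition and the orchestration or launch configuration.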