The Wercker team were an official partner at GCP Next earlier this month and a common question that came up was “What exactly do containers mean for software security?”
Well, microservice containers encourage developers to distribute their applications into portable components that can be removed and replaced without necessarily affecting the overall application.
This compartmentalisation represents a significant step forward for security. For too long, finding and neutralising bugs in complex applications (such as those found in monolithic stacks) has had the potential to disrupt entire workflows, because small changes to one section of code can have enormous consequences in other areas. Microservice containers are self-contained and therefore easily replaceable: if a container becomes damaged it can be removed from the application, fixed quickly and redeployed relatively painlessly. In essence, containers allow for immutable deployments.
There is a ‘but’ though: containers sourced from open repositories on sites such as GitHub or the Docker Hub can potentially introduce bugs or malware into your application. If you use containers sourced from the community then we encourage you to practise, um, ‘safe container’ in your development lifecycle with these three easy steps:
- Do not save passwords in your repository for all to see. We know that having access to passwords is important during builds (for instance setting database credentials or adding an SSH key to fetch dependencies from a private GitHub repo), so to make things easy we’ve introduced Wercker environment variables.
- Make sure that you trust any base Docker images and external dependencies
- Scan your containers for malware using applications like Clair
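As an added example (not Wercker's own tooling and not from the original post), a small Python check that applies the first two steps to a Dockerfile before it is built: it flags base images that are not pinned by digest or that come from an unvetted source, and flags secrets or key files baked into the image layers. The trusted-prefix list and the sample Dockerfile are constructed assumptions.

```python
import re

# Constructed sample Dockerfile showing the anti-patterns the post warns about.
SAMPLE_DOCKERFILE = """\
FROM python:3.9
ENV DB_PASSWORD=hunter2
COPY id_rsa /root/.ssh/id_rsa
RUN pip install -r requirements.txt
"""

# Hypothetical list of image sources this team has reviewed and trusts.
TRUSTED_BASE_PREFIXES = ("python:", "library/python:", "registry.example.com/")
SECRET_KEY_PATTERN = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
KEY_FILE_PATTERN = re.compile(r"(id_rsa|id_ed25519|\.pem|\.key|\.env)(\s|$)")


def audit_dockerfile(text):
    """Return a list of (line_no, finding) tuples for a Dockerfile string."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            image = args.split()[0]  # drop any "AS stage" suffix
            # A tag can be re-pushed; a digest identifies exactly the bytes you reviewed.
            if "@sha256:" not in image:
                findings.append((no, f"base image not pinned by digest: {image}"))
            if not image.startswith(TRUSTED_BASE_PREFIXES):
                findings.append((no, f"base image from unvetted source: {image}"))
        elif instr in ("ENV", "ARG"):
            # ENV KEY=value or ENV KEY value: either persists in the image metadata/history,
            # which is why build-time secrets belong in CI environment variables instead.
            key = re.split(r"[=\s]", args, 1)[0]
            if SECRET_KEY_PATTERN.search(key):
                findings.append((no, f"{instr} bakes a secret-looking value into the image: {key}"))
        elif instr in ("COPY", "ADD"):
            # Copied key material stays in the layer even if a later step deletes it.
            if KEY_FILE_PATTERN.search(args):
                findings.append((no, f"{instr} copies a credential file into the image: {args}"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {finding}")
```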
Ultimately, a container-centric approach to software development enables developers to fix vulnerabilities faster, resulting in a better and safer world for everyone :)
There’s a lot more to security, and we’ll be sure to elaborate in future posts. In the meantime feel free to ping us any questions you may have.
Like Wercker? Why not join our early access club. We’ll invite you to try our beta products and treat you nice.
Earn some stickers!
As usual, if you want to stay in the loop follow us on twitter @wercker or hop on our public slack channel. If it’s your first time using wercker, be sure to tweet out your #greenbuilds and we’ll send you some swag!