2022-12-06

Containerization provides a method for developers to distribute applications as a portable package.

With containerization, developers and engineers can distribute an application as a package that contains the operating system components the application requires. This lets them build applications without worrying about whether an application will deploy successfully to a particular operating system or platform. Because containers usually include only the components and files their application requires, they can have a significantly smaller attack surface than alternatives such as virtual machines.

Virtual machines were originally created to let a single computer or server execute software in isolation while preserving the integrity of the supporting host. They were an evolution from deploying applications to dedicated hosts and hardware, intended to provide better portability and security. Virtual machines achieve this goal, but they also include software and tools that the deployed application never uses and that attackers do. Extra functionality and utilities in the environment that executes an application give attackers capabilities they can leverage to push further into an organization.

While containers are intended to omit the extraneous tools and functionality that virtual machines carry, they are not without risk. Containers do not provide the isolation from their host that virtual machines are intended to provide: containers share software and functionality with the host they execute on, most notably the same kernel, which increases the risk to that host in a way that normally does not apply to virtual machines. This shared functionality can sometimes be used to escape a container and gain access to other containers and to sensitive information on the containers' host.

Within a container, as within a virtual machine, applications use secrets and sensitive information that pose a risk to other systems if attackers discover them. An application that relies on database credentials, for example, might have those credentials stored in files included in the container image. If that image were published, it would pose a serious risk to the database and the data it holds. Even though containers do not contain full operating systems, the portions of an operating system they do contain can still become outdated and vulnerable to attack. The libraries an application draws from its software supply chain can also be vulnerable, especially when they are outdated.
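The credentials-in-the-image risk described above can be checked before an image is published. The following Python scanner is an added example, not code from the original article: it walks every layer of an image tarball in `docker save` layout (`<id>/layer.tar`, assumed here) and reports files matching a few heuristic credential patterns. The sample image is constructed inline, and it shows that a secret "deleted" in a later layer still ships in the earlier one.

```python
import io
import re
import tarfile

# Heuristic credential patterns (constructed for this example, not exhaustive).
SECRET_PATTERNS = {
    "password-assignment": re.compile(rb"(?i)(password|passwd)\s*[=:]\s*\S+"),
    "private-key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def tar_bytes(files):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image: layer 1 bakes in a database credential,
    layer 2 'deletes' it with an overlay whiteout; the bytes stay in layer 1."""
    layer1 = tar_bytes({
        "app/main.py": b"print('hello')\n",
        "app/config.ini": b"[db]\nhost=db.internal\npassword=Example-Pass-123\n",
    })
    layer2 = tar_bytes({"app/.wh.config.ini": b""})
    return tar_bytes({"aaa/layer.tar": layer1, "bbb/layer.tar": layer2})

def scan_image(image_bytes):
    """Return (layer, path, pattern) for every file in every layer matching
    a credential pattern; each layer is inspected independently."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        for member in outer.getmembers():
            if not member.name.endswith("/layer.tar"):
                continue
            with tarfile.open(fileobj=outer.extractfile(member)) as layer:
                for f in layer.getmembers():
                    if not f.isfile():
                        continue
                    data = layer.extractfile(f).read()
                    for kind, pat in SECRET_PATTERNS.items():
                        if pat.search(data):
                            findings.append((member.name, f.name, kind))
    return findings
```

Run `scan_image(build_sample_image())` to see the credential reported from the first layer even though the second layer removes the file from the final filesystem view.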