Although they have been around for quite some time, the use of containers has been growing mostly in the last years. Containers (such as those in Docker) are packages of application code and dependencies that, by virtualizing operating systems, allow applications to run quickly and reliably in any environment. Static files with sets of instructions for their creation are container images. These images can be built upon the work of other developers layer by layer. In this process, vulnerabilities may appear. If containers are created based on vulnerable images, they will introduce such security issues to the execution environments.
Vulnerabilities in a container image can arise from insecure libraries or other dependencies that are imported into it. A container image may also contain malicious code that was inserted, for example, during supply chain attacks. Furthermore, vulnerabilities can exist due to the container's interaction with the host operating system and other containers, networking and storage configurations and issues within runtime environments (e.g., Kubernetes).
To help prevent your organization's data and operations from being affected by any vulnerability in your containers, Fluid Attacks performs container scanning and manual assessment. We use methods such as SAST and SCA to analyze the code and dependencies in your containers. After you prepare them for deployment, we conduct the DAST method manually for pre-production assessments. At Fluid Attacks, we use automatic tools to find known vulnerabilities quickly. The detection of zero-day and more severe vulnerabilities is reliant on the work of our certified ethical hackers. Whenever vulnerabilities are detected and reported, you and your team can learn about them and manage their remediation promptly from our platform.