Information Security

Container Security: Risks and Mitigation Strategies

Container security demands vigilant mitigation of risks such as image poisoning, unsafe images, compliance violations, high‑risk vulnerabilities, and container escape by preferring official images, scanning for malware and secrets, enforcing CIS benchmarks, applying cgroup and namespace isolation, and deploying runtime detection agents on each Kubernetes node for rapid response.

DeWu Technology

DeWu's early services ran on ECS; now they have fully containerized infrastructure.

Containers bring deployment and density benefits, but the shared-kernel model also introduces new security risks.

Container virtualization differs from full virtualization: under a hypervisor (hosted or bare-metal) every guest runs its own kernel, whereas containers share the host kernel. Isolation therefore comes from kernel features alone: namespaces separate each container's view of PIDs, mounts, network, IPC, hostname and user IDs, and cgroups limit CPU, memory and I/O. A kernel vulnerability, or a container started with host namespaces or extra capabilities, weakens the boundary for every container on that host.

An image is conventionally described as a bootfs (bootloader and kernel, which for a container is the host's and is not shipped in the image) plus a rootfs, the filesystem the container sees. Docker builds the rootfs as a stack of read-only layers, one per Dockerfile instruction that changes the filesystem, merged at runtime by a union filesystem such as overlay2 with a thin writable layer on top.

Example commands to pull an image, save it as a tarball, and unpack it for inspection:

docker pull neuvector/scanner:latest
docker save neuvector/scanner:latest | gzip > test.tar.gz
mkdir scanner && tar -zxvf test.tar.gz -C scanner   # unpack into its own directory, not the current one
cat scanner/manifest.json                            # lists the config file and the layer tarballs in order

Reading manifest.json of the unpacked archive shows four layers: the lower layers hold the base system's binaries, libraries and configuration files, and the top layer adds the application binaries. Each layer is itself a tar archive, and a file deleted in a later layer (recorded as a .wh. whiteout entry) still exists in full in the lower layer, so a secret that was "removed" in a later Dockerfile step is still shipped with the image.
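The layer walk described above, with the secret scan from the mitigation list applied to each layer, as an added example that is not code from the original article or from DeWu. It builds a constructed two-layer archive in the docker-save layout (manifest.json plus one layer.tar per layer) so it runs offline; the image name, file contents and the AWS-style key inside it are all made up, and the patterns and sensitive file names are a small illustrative set. Point scan_image_archive at the bytes of a real test.tar.gz to use it on a saved image.

```python
"""Walk the layers of a `docker save` archive and scan each layer for secrets.

Added example (not the article's own tooling). The archive below is constructed
in the docker-save layout so the script runs offline.
"""
import io
import json
import re
import tarfile

# Illustrative patterns; a real scanner ships hundreds. All values matched here are fake.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_password": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
}
SENSITIVE_NAMES = (".env", "id_rsa", ".npmrc", ".docker/config.json")
WHITEOUT_PREFIX = ".wh."  # union-filesystem marker: file deleted in this layer


def _tar_add_bytes(tar, name, data):
    """Add an in-memory regular file to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_constructed_archive():
    """Constructed two-layer image in docker-save layout (no real image data)."""
    def layer(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            for name, data in files.items():
                _tar_add_bytes(t, name, data)
        return buf.getvalue()

    # Layer 0: base system plus a leaked .env (fake credentials).
    layer0 = layer({
        "etc/os-release": b"ID=alpine\n",
        "root/.env": b"DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    })
    # Layer 1 "deletes" root/.env with a whiteout entry; the bytes remain in layer 0.
    layer1 = layer({
        "root/.wh..env": b"",
        "app/server": b"\x7fELF...",
    })
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/app:1"],
                 "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as t:
        _tar_add_bytes(t, "manifest.json", json.dumps(manifest).encode())
        _tar_add_bytes(t, "l0/layer.tar", layer0)
        _tar_add_bytes(t, "l1/layer.tar", layer1)
    return buf.getvalue()


def scan_image_archive(archive_bytes):
    """Return (layer_index, path, finding) tuples: whiteouts, sensitive names, secret matches."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            layer_bytes = outer.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
                for member in layer.getmembers():
                    base = member.name.rsplit("/", 1)[-1]
                    if base.startswith(WHITEOUT_PREFIX):
                        # Deleted in this layer, but still present in a lower one.
                        findings.append((idx, member.name, "whiteout"))
                        continue
                    if not member.isfile():
                        continue
                    if member.name.endswith(SENSITIVE_NAMES):
                        findings.append((idx, member.name, "sensitive_filename"))
                    data = layer.extractfile(member).read(1 << 20)  # cap bytes read per file
                    for label, pattern in SECRET_PATTERNS.items():
                        if pattern.search(data):
                            findings.append((idx, member.name, label))
    return findings


if __name__ == "__main__":
    for layer_idx, path, finding in scan_image_archive(build_constructed_archive()):
        print(f"layer {layer_idx}: {path}: {finding}")
```

The whiteout finding is the point of scanning per layer rather than the merged filesystem: a scanner that only looks at the running container's view would report root/.env as absent.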

New security challenges include image poisoning (a malicious image, or a trusted image tampered with in the registry or build pipeline), unsafe images (weak default configuration, embedded secrets, malware), compliance violations, high-risk vulnerabilities in shipped packages, and container escape (breaking out of the container boundary onto the host or into other containers).

Mitigation strategies:

Prefer official or verified-publisher images; treat Docker Hub stars and download counts only as a weak trust signal, and pin images by digest rather than by a mutable tag so that a later push cannot silently change what you run.

Scan images for vulnerabilities, malware, secrets, and weak passwords at build time, on push to the registry, and on a schedule thereafter, since new CVEs are published against packages in images that have not changed.

Enforce compliance using CIS benchmarks for Docker and Kubernetes.

Deploy a runtime security container on every K8s node (typically as a DaemonSet) to perform baseline detection (processes, files and connections that deviate from what the image normally does) and intrusion detection.

Use resource limits and isolation via cgroups and namespaces: set CPU and memory limits so one container cannot starve the node, and do not share host namespaces (hostPID, hostNetwork, hostIPC) or run privileged containers, which collapse the isolation boundary.
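A checker for the compliance and isolation items above (host namespaces, privileged mode, capabilities, seccomp, cgroup limits, image pinning), as an added example that is not DeWu's code and is not a CIS benchmark implementation; the rule set is a small subset chosen to match the points in this list, the two Pod manifests are constructed, and the digest in the hardened manifest is a placeholder.

```python
"""Check a Kubernetes Pod manifest against a handful of hardening rules.

Added example, not the article's tooling. Manifests below are constructed.
"""

HOST_NAMESPACE_KEYS = ("hostPID", "hostNetwork", "hostIPC")
# Capabilities that let a process reach the host: mount/ptrace/modules/network.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH"}


def _image_pinned(image):
    """True for a digest reference or a fixed (non-latest) tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]      # handles registry hosts with ports
    return ":" in last and not last.endswith(":latest")


def check_pod(pod):
    """Return (container_or_pod, violation) tuples; an empty list means all rules pass."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    v = []
    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key):
            v.append(("pod", f"shares host namespace: {key}"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path:
            v.append(("pod", f"hostPath volume mounts {path}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append((name, "privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            v.append((name, "allowPrivilegeEscalation not false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            v.append((name, "runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            v.append((name, "readOnlyRootFilesystem not set"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append((name, "capabilities not dropped (drop: [ALL])"))
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                v.append((name, f"dangerous capability added: {cap}"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append((name, "no seccomp profile"))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                v.append((name, f"no {res} limit (cgroup unbounded)"))
        if not _image_pinned(c.get("image", "")):
            v.append((name, "image not pinned to a digest or fixed tag"))
    return v


# Constructed "debug" Pod of the kind that gives an attacker the node.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "ubuntu:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed hardened equivalent; the digest is a placeholder, not a real image.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example/app@sha256:" + "a" * 64,
            "securityContext": {
                "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


if __name__ == "__main__":
    for target, problem in check_pod(WEAK_POD):
        print(f"{target}: {problem}")
    print("hardened pod violations:", check_pod(HARDENED_POD))
```

In a cluster the same constraints are better enforced at admission (Pod Security Admission's restricted level or a policy engine) than by a script run after the fact, but a script like this is useful in CI to fail a manifest before it reaches the cluster.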

During build time, focus on ensuring no high‑risk vulnerabilities, malware, compliance issues, secret leakage, or weak credentials in images.

During runtime, harden hosts, containers, and K8s components (API server, kubelet, etcd), and monitor for suspicious behavior with detection engines: shells spawned by service processes, executables outside the image's normal baseline, writes to persistence locations, and the tell-tale actions of an escape attempt.
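The node-level detection described above and in the runtime item of the mitigation list, as an added example that is neither DeWu's engine nor any vendor's: a few rules run over a constructed stream of process-exec and file-write events in a shape an eBPF- or auditd-based agent might emit. The per-image executable baseline, the container and image names, and the indicator lists are all assumptions made for the example, and the action mapping is one reading of the "heavy detection, light control, fast response" principle rather than anything the article prescribes.

```python
"""Runtime detection rules over constructed container process/file events.

Added example (not the article's or a vendor's engine). Event shape,
baseline and indicator lists are assumptions for illustration.
"""
from collections import Counter

# Constructed baseline: executables this image is expected to run.
BASELINE = {"example/api:1.4": {"/usr/bin/gunicorn", "/usr/bin/python3"}}

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
SERVER_PARENTS = {"gunicorn", "python3", "java", "node", "nginx", "php-fpm"}
# Substrings in a command line that commonly appear in escape attempts.
ESCAPE_INDICATORS = ("nsenter", "/var/run/docker.sock", "release_agent",
                     "/proc/sysrq-trigger", "core_pattern", "/dev/sd", "/dev/nvme")
PERSISTENCE_PATHS = ("/etc/ld.so.preload", "/etc/cron.d/", "/root/.ssh/authorized_keys")

# Detect broadly, block narrowly: only the escape rule triggers an automatic control.
ACTION = {
    "escape_indicator": "isolate_container_and_page",
    "shell_from_server_process": "alert",
    "off_baseline_exec": "alert",
    "persistence_write": "alert",
}


def detect(events):
    """Return a list of alert dicts for an event stream (list of dicts)."""
    alerts = []

    def raise_alert(ev, rule, detail):
        alerts.append({"container": ev["container"], "rule": rule,
                       "detail": detail, "action": ACTION[rule]})

    for ev in events:
        if ev["type"] == "exec":
            exe, cmd = ev["exe"], ev["cmdline"]
            if exe not in BASELINE.get(ev["image"], set()):
                raise_alert(ev, "off_baseline_exec", exe)
            if ev["comm"] in SHELLS and ev["parent_comm"] in SERVER_PARENTS:
                raise_alert(ev, "shell_from_server_process", f"{ev['parent_comm']} -> {cmd}")
            hits = [i for i in ESCAPE_INDICATORS if i in cmd]
            if hits:
                raise_alert(ev, "escape_indicator", ",".join(hits))
        elif ev["type"] == "write":
            if ev["path"].startswith(PERSISTENCE_PATHS):
                raise_alert(ev, "persistence_write", ev["path"])
    return alerts


def rule_counts(alerts):
    """Number of alerts per rule, as a plain dict."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed event stream: a web worker is hijacked and the attacker probes for an escape.
_EV = {"type": "exec", "container": "api-1", "image": "example/api:1.4"}
SAMPLE_EVENTS = [
    dict(_EV, comm="gunicorn", parent_comm="gunicorn", exe="/usr/bin/gunicorn",
         cmdline="gunicorn app:app"),
    dict(_EV, comm="sh", parent_comm="gunicorn", exe="/bin/sh", cmdline="sh -c id"),
    dict(_EV, comm="nsenter", parent_comm="sh", exe="/usr/bin/nsenter",
         cmdline="nsenter -t 1 -m -u -i -n -p -- bash"),
    dict(_EV, comm="curl", parent_comm="sh", exe="/usr/bin/curl",
         cmdline="curl --unix-socket /var/run/docker.sock http://localhost/containers/json"),
    {"type": "write", "container": "api-1", "image": "example/api:1.4",
     "path": "/etc/ld.so.preload"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['container']}: {a['rule']} ({a['detail']}) -> {a['action']}")
```

The baseline rule is deliberately noisy on its own (a legitimate cron job or health check will trip it), which is why it only alerts; the escape rule is specific enough that isolating the container automatically is the fast response the principle asks for.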

Overall principle: "heavy detection, light control, fast response", that is, invest in broad detection coverage, keep blocking controls narrow so they do not break workloads, and make the response to a confirmed alert fast.

Tags: Docker, Kubernetes, Container Security, Image Scanning, Runtime Protection

Written by DeWu Technology, a platform for sharing and discussing tech knowledge, guiding you toward the cloud of technology.