
Full-Stack Container Security - A Unified Approach

DevOps automation

Earlier today, Bashyam Amant, our Sr Director of PLM, and Vaidehi Rao, our Director of Engineering, hosted a webinar entitled ‘Full-Stack Container Security,’ borrowing for the container space a (sometimes confusing) term familiar to many of you. One of the best definitions, and a good jumping-off point, is at codeup:

‘A full-stack developer is simply someone who is familiar with all layers in computer software development. These developers aren’t experts at everything; they simply have a functional knowledge and ability to take a concept and turn it into a finished product. Such gurus make building software much easier as they understand how everything works from top to bottom and can anticipate problems accordingly. In our opinion, this is the most realistic definition of a full-stack developer.’  For those looking for even more history on the topic, the turtles end at FB.

Extending this paradigm to containers and Docker, our view is that, to have complete awareness of how your container deployments affect your overall security posture, you need tools that look at each ‘layer’ of the ‘stack’ while offering a unified rather than a disjointed view.

At Cavirin, we take this full-stack security approach, starting with the cloud service provider (though we also support on-premise deployments), then the host OS or hypervisor (if deployed), next the container itself, both at rest and in production, then the images that make up the container, and finally orchestration. APIs integrate with your choice of CI/CD toolset. We apply our protection, monitoring, and response capabilities to each of these domains. How does this look in an actual implementation?

Mixing it up a bit, we take the following steps:

  1. Harden your images via the CIS Docker Benchmark as well as patches and vulnerabilities. Our solution supports both public and private registries.
  2. Secure your container hosts and VMs via the CIS Benchmark as well as any OS-specific guidelines, frameworks, and best-practices such as NIST and PCI.
  3. Monitor your container runtime (the software that executes containers and manages container images on a node), a new Cavirin capability. Remember that containers enable immutable infrastructure: there should be no real changes to any deployed container except in rare instances. Any new users provisioned, privileges escalated, or new services activated will result in IT notification and action.
  4. Harden your orchestration layer via a combination of the CIS Kubernetes Benchmark and monitoring.
  5. In parallel with the above, harden your CSP environment via active monitoring (for example, AWS CloudTrail), application of relevant benchmarks, and network policy enforcement.
  6. Also in parallel with the above, add security as a promotion criterion to your CI/CD pipeline. We explain this in greater detail here -

 Automated Full Stack Security for Your Containers.
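Step 3 above relies on the fact that a correctly deployed container should not change at runtime, so a new account, a process that gains root from a non-root parent, or a service binding an unexpected port is itself the signal. The following is an added illustration of that drift check, not Cavirin's code: it assumes a hypothetical runtime event stream of dicts with `type`, `container`, and per-type fields, compares each event against a per-image baseline, and returns alerts rather than printing them so the result can be fed to a notification step. The event shapes and the baseline values are constructed for the example.

```python
"""Runtime drift detection for an immutable container.

Added example, not Cavirin's implementation. The event format below is a
constructed, hypothetical audit-stream shape; map it onto whatever your
runtime actually emits.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Baseline:
    """What the image was built to run; anything beyond it is drift."""
    users: frozenset            # accounts present in the image at build time
    listening_ports: frozenset  # ports the workload is expected to bind
    root_processes: frozenset   # process names permitted to run as uid 0


@dataclass(frozen=True)
class Alert:
    container: str
    kind: str      # new_user | privilege_escalation | new_service
    detail: str


def evaluate_event(baseline: Baseline, event: Dict) -> Optional[Alert]:
    """Map one runtime event to an alert, or None if it matches the baseline."""
    kind = event.get("type")
    name = event.get("container", "?")
    if kind == "user_add":
        # Account creation inside a running container is never expected.
        user = event["user"]
        if user not in baseline.users:
            return Alert(name, "new_user", f"account '{user}' provisioned at runtime")
    elif kind == "process_exec":
        uid, parent_uid, comm = event["uid"], event["parent_uid"], event["comm"]
        # A uid 0 process spawned by a non-root parent is the escalation
        # signature, unless the image deliberately allows that binary.
        if uid == 0 and parent_uid != 0 and comm not in baseline.root_processes:
            return Alert(name, "privilege_escalation",
                         f"'{comm}' running as uid 0 from parent uid {parent_uid}")
    elif kind == "listen":
        # A newly bound port means a service the image did not ship with.
        port = event["port"]
        if port not in baseline.listening_ports:
            return Alert(name, "new_service", f"'{event['comm']}' bound port {port}")
    return None


def scan(baseline: Baseline, events: List[Dict]) -> List[Alert]:
    """Evaluate a batch of events and keep only the ones that drifted."""
    return [a for a in (evaluate_event(baseline, e) for e in events) if a is not None]


# Constructed baseline for a hypothetical nginx image: two accounts, one port,
# and 'ping' as the only setuid-root binary the image is allowed to carry.
WEB_BASELINE = Baseline(
    users=frozenset({"root", "www"}),
    listening_ports=frozenset({8080}),
    root_processes=frozenset({"ping"}),
)

# Constructed sample events: the first two are normal start-up, the rest are drift.
SAMPLE_EVENTS = [
    {"container": "web-1", "type": "process_exec", "comm": "nginx", "uid": 0, "parent_uid": 0},
    {"container": "web-1", "type": "listen", "comm": "nginx", "port": 8080},
    {"container": "web-1", "type": "user_add", "user": "deploy"},
    {"container": "web-1", "type": "process_exec", "comm": "sh", "uid": 0, "parent_uid": 1000},
    {"container": "web-1", "type": "listen", "comm": "python3", "port": 9001},
    {"container": "web-1", "type": "process_exec", "comm": "ping", "uid": 0, "parent_uid": 1000},
]

if __name__ == "__main__":
    for alert in scan(WEB_BASELINE, SAMPLE_EVENTS):
        print(f"[{alert.kind}] {alert.container}: {alert.detail}")
```

The baseline is the important design choice: it is derived from the image at build time (step 1), which is what makes an allow-list practical for containers where it would be unworkable on a general-purpose host. The `root_processes` allow-list exists so that a setuid binary the image legitimately carries does not page someone on every run.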

Our approach to integrating within the CI/CD pipeline is both intuitive and effective. The diagram below outlines these steps, and if you’d like to learn more, just drop us a line!

[Diagram: Cavirin secures the container stack]

To learn more about Cavirin’s approach, view the on-demand webinar –
© 2019 Cavirin Systems, Inc. All rights reserved.