The Doppler Quarterly Fall 2017 - Page 49

With the outside-the-container approach, you can create special integration test containers. These will contain only testing tools and test artifacts such as test scripts, test data, and test environment configuration. While these are containers themselves, they don’t become part of the container image going into production, and thus they don’t affect the image size or performance. However, they are not auto-configured and need to be set up based on the testing tasks at hand. The approach and tooling that you select for your container development need to be adapted to the objectives of the applications themselves. Keep in mind that you’re holistically testing services and microservices as well as containers. Container Security Enablement The basic idea of container security is that you first make sure you can trust the container; you reduce the attack surface and implement general manage- ment of vulnerabilities. The core way that you do this is to integrate security checks within the image and within your testing tools and processes, as previ- ously defined. Vulnerabilities are managed by tracking all images from time of creation or use, through the layers created, as well as ongoing modifications in production and operations. You have to monitor the images in public image repositories, pri- vate image repositories, and in flight through DevOps or other lifecycle processes. While there are many schools of thought as to how best to test for vulnerabili- ties within containers, what seems to be emerging as a best practice is to test images with external security testing tools. These tools can work down to the microservices level within the container images and walk through the layers as well. In essence, you must assume that the images have vulnerabilities, either at their base or in the derived layers. You can scan each layer and image for vul- nerabilities and fix those you find. This process is best described as systemic, and it’s required at each stage in the DevOps or lifecycle processes, including development, testing, staging, and operations. Keep in mind that compliance and governance should be checked at the same time that you do the security scans. This is really about set, customizable rules, versus security vulnerabilities that have common patterns with other con- tainer deployments. Container Ops Most providers of ops-related toolsets, including those for performance, secu- rity, and governance monitoring; for taking automated corrective action; and for handling failover and recovery, now support containers. Chances are that you can use your monitoring and ops tools of choice to operate containers in production. FALL 2017 | THE DOPPLER | 47