The Doppler Quarterly Fall 2017 | Page 49

With the outside-the-container approach, you can create dedicated integration test containers. These contain only testing tools and test artifacts: test scripts, test data, and test environment configuration. Although they are containers themselves, they never become part of the image that goes to production, so they add nothing to its size or runtime footprint. They are not auto-configured, however, and must be set up for the testing tasks at hand. The approach and tooling you select for container development should be adapted to the objectives of the applications themselves. Keep in mind that you are testing services and microservices holistically, not only the containers that package them.

Container Security Enablement

The basic idea of container security is that you first establish that you can trust the container: you reduce its attack surface and implement general management of vulnerabilities. The core way to do this is to integrate security checks into the image and into the testing tools and processes described above. Vulnerabilities are managed by tracking every image from the time it is created or first used, through each layer added to it, and on through modifications made in production and operations. You have to monitor images in public image repositories, in private image repositories, and in flight through DevOps and other lifecycle processes.

While there are many schools of thought on how best to test containers for vulnerabilities, the emerging best practice is to test images with external security scanning tools. These tools work down to the individual microservice inside the image and walk through its layers one by one. In essence, you must assume that the images have vulnerabilities, either in their base or in the derived layers; you scan each layer and each image, and fix what you find.
This process is best described as systemic, and it is required at each stage of the DevOps or lifecycle process: development, testing, staging, and operations. Keep in mind that compliance and governance should be checked at the same time as the security scans. Compliance is a matter of fixed, customizable rules that you define for your own environment, whereas security vulnerabilities follow common patterns shared with other container deployments.

Container Ops

Most providers of ops-related toolsets, including those for performance, security, and governance monitoring, for taking automated corrective action, and for handling failover and recovery, now support containers. Chances are that you can use your monitoring and ops tools of choice to operate containers in production.
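As an added illustration (this is not code from the Doppler article or from any vendor's scanner), the following Python script does what the Container Security Enablement section describes and adds the compliance check the paragraph above asks for: it walks an image's layers in order, reads the Alpine-style package database each layer writes, attributes every vulnerable package to the layer that introduced it, records the layer that later upgraded it, and evaluates a small set of customizable policy rules over the image config in the same pass. The layers, package versions, advisory identifiers (EXAMPLE-2017-…) and policy rules are all constructed for the example; a real scanner would pull an OCI image from a registry and consult a live vulnerability feed.

```python
"""Illustrative layer-by-layer image scan over a constructed Alpine-style image."""
import io
import json
import tarfile

APK_DB_PATH = "lib/apk/db/installed"  # where Alpine records installed packages

# Constructed vulnerability feed (not real advisories):
# package -> list of (advisory id, set of affected versions).
VULN_DB = {
    "openssl": [("EXAMPLE-2017-0001", {"1.1.1k"})],
    "curl": [("EXAMPLE-2017-0002", {"7.79.0", "7.79.1"})],
}

# Hypothetical, customizable compliance rules evaluated on the image config.
POLICY = [
    ("run-as-nonroot", lambda cfg: cfg.get("User") not in (None, "", "root", "0")),
    ("no-ssh-port", lambda cfg: "22/tcp" not in cfg.get("ExposedPorts", {})),
]


def build_layer(files):
    """Pack {path: text} into an uncompressed tar archive, the way a layer is stored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def apk_installed(text):
    """Parse the 'P:name / V:version' blocks of /lib/apk/db/installed into a dict."""
    pkgs, name, version = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("P:"):
            name = line[2:]
        elif line.startswith("V:"):
            version = line[2:]
        elif line == "":           # blank line ends a package block
            if name and version:
                pkgs[name] = version
            name = version = None
    return pkgs


def packages_in_layer(layer_bytes):
    """Return the package DB written by this layer, or None if the layer did not touch it."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        try:
            member = tar.extractfile(APK_DB_PATH)
        except KeyError:
            return None
        return apk_installed(member.read().decode())


def scan_layers(layers):
    """Walk layers in order; open a finding at the layer that introduced a vulnerable
    version and close it at the layer that removed or upgraded that version."""
    state, findings = {}, []
    for idx, layer in enumerate(layers):
        pkgs = packages_in_layer(layer)
        if pkgs is None:
            continue                      # code-only layer, package set unchanged
        for f in findings:                # did this layer fix an earlier finding?
            if f["fixed_in_layer"] is None and pkgs.get(f["package"]) != f["version"]:
                f["fixed_in_layer"] = idx
        for name, version in pkgs.items():
            if state.get(name) == version:
                continue                  # carried over from an earlier layer
            for vuln_id, affected in VULN_DB.get(name, []):
                if version in affected:
                    findings.append({"layer": idx, "package": name, "version": version,
                                     "vuln": vuln_id, "fixed_in_layer": None})
        state = pkgs
    return findings


def check_policy(config):
    """Names of the POLICY rules the image config violates."""
    return [name for name, ok in POLICY if not ok(config)]


def scan_image(layers, config):
    """Combined report: open and resolved vulnerabilities plus compliance violations."""
    findings = scan_layers(layers)
    return {
        "open": [f for f in findings if f["fixed_in_layer"] is None],
        "resolved": [f for f in findings if f["fixed_in_layer"] is not None],
        "policy_violations": check_policy(config),
    }


# Constructed sample image: base (vulnerable openssl), app layer (adds vulnerable
# curl), a code-only layer, then a patch layer that upgrades openssl only.
BASE_DB = "P:busybox\nV:1.33.1\n\nP:openssl\nV:1.1.1k\n\n"
APP_DB = BASE_DB + "P:curl\nV:7.79.0\n\n"
PATCH_DB = APP_DB.replace("V:1.1.1k", "V:1.1.1l")
SAMPLE_LAYERS = [
    build_layer({APK_DB_PATH: BASE_DB}),
    build_layer({APK_DB_PATH: APP_DB}),
    build_layer({"app/server.py": "print('hello')\n"}),
    build_layer({APK_DB_PATH: PATCH_DB}),
]
SAMPLE_CONFIG = {"User": "", "ExposedPorts": {"8080/tcp": {}}}  # runs as root

if __name__ == "__main__":
    print(json.dumps(scan_image(SAMPLE_LAYERS, SAMPLE_CONFIG), indent=2))
```

Run stand-alone, the script reports the curl advisory as still open (introduced in layer 1 and never fixed), the openssl advisory as resolved by the patch layer, and one policy violation because the config leaves User empty. Matching is by exact version string only to keep the constructed feed small; a real feed expresses affected ranges and must be compared with the distribution's own version ordering, and a real scanner must also honour OCI whiteout entries that delete files from earlier layers.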