Understanding NIST’s latest updates on container image security

Container security imperative: Risks, challenges, and NIST guidance

‍

Organizations rely on containers to deploy applications because they offer a number of benefits, such as portability, scalability, efficiency, and resource utilization. Gartner predicts that by 2027, more than 90% of companies will be running containerized applications.

‍

However, organizations need to be aware that running containers comes with unique security challenges: misconfigurations in container clusters, runtime threats, lack of visibility, lack of governance, and compliance risk.

‍

While more organizations are running applications in containers, many are still in the early stages of their journey, and may not understand the risks or know how to build a security platform for containers, applications, and the software supply chain.

‍

The National Institute of Standards and Technology (NIST) offers a variety of frameworks to provide overall guidance to improve cybersecurity hygiene, as well as special publications with guidelines covering specific technologies. These frameworks and publications are regularly reviewed and updated with input from security professionals and the public to ensure they are addressing the current threat landscape.

‍

NIST SP 800-161 Revision 1: A closer look

‍

NIST Special Publication 800-161 Revision 1, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” which set the foundation for comprehensive supply chain security practices, was revised in 2022 to meet the new security standards put forward by the 2021 Executive Order (EO) 14028 to improve the nation’s cybersecurity posture.

‍

The revised NIST SP integrates cybersecurity supply chain risk management (C-SCRM) and risk management, as well as provide guidance on the development of C-SCRM strategy implementation plans and establish C-SCRM policies. The guidelines address potential threats to information and communication technologies, with emphasis on areas like poor configuration management, vulnerabilities in the code, and authorization and authentication practices.

‍

For example, one area of the revised guidelines is around vulnerability monitoring and scanning. Monitoring covers developers, suppliers, and all service providers as part of the organization’s supply chain, and requires the use of data collection tools for continuous visibility and awareness about possible vulnerabilities.

‍

NIST SP 800-161r1 also recognizes open-source software as a critical component of the supply chain, emphasizing the importance of transparency, code review, and community engagement in managing associated risks. Organizations are encouraged to adopt a risk-based approach, prioritizing assessments and mitigation efforts for open-source components based on their criticality and potential impact. By addressing open-source software within a broader C-SCRM framework, the publication provides guidance for mitigating vulnerabilities and ensuring the security and integrity of software systems.

‍

Integrating NIST guidelines into container security strategies

‍

The NIST guidelines around container security strategies — 800-190 and 8176 — were released in 2017 and there are no plans at this time for an update. However, the strategies laid out in these guidelines, one for overall container security and the other for containers in a Linux environment, can be implemented with the guidelines of other NIST frameworks.

‍

For example, 800-190 emphasizes deploying container-specific tools for images to prevent compromise, but the vulnerability management for these tools would follow the guidelines presented in 800-161 Rev. 1. On the other hand, NIST Special Publication 800-53 Revision 5, which covers security for information systems, goes into even more detail about vulnerabilities and outlines for improving configuration management.

‍

Organizations have found success in applying NIST standards for better container and image security. For example, one security company uses the NIST standard “to assess container security and identify control weaknesses.” With the guidelines, the company is better able to review the security architecture, identify vulnerabilities, and develop the best container security solution for its customer.

‍

Overcoming challenges and anticipating future developments

‍

Having the guidelines to implement stronger container security hygiene is the first step. Unfortunately, that’s often easier said than done. Security and IT teams may find that they lack the right technology and tools to execute the NIST framework.

‍

Furthermore, a recent report uncovered a disruptive disconnect between how CISOs and developers think about container security. Budgets are another issue and may limit the organization’s ability to purchase the necessary systems or hire a skilled workforce. To overcome these challenges, organizations can do the following:

‍

• Conduct an assessment of the organization’s cybersecurity maturity and systems, and build a standard policy around these needs

‍

• Put together a plan listing priorities and desired outcomes

‍

• Get the support of C-suite and board of directors

‍

• Awareness training across the organization

‍

There are immediate plans to update the container security guidelines. Another NIST Special Publication — 800-53 Revision 5 — is only a few years old and is technology neutral, but it includes a lot of software supply chain controls. And as NIST begins to tackle AI issues, it is likely containers and images issues will be included.

‍

Enhancing security with NIST’s expertise

‍

As the threat landscape becomes more complex, threat actors are looking for any way to get into your applications. Increasingly, they are using vulnerabilities found across the software supply chain and taking advantage of the lack of visibility into containers as a gateway. By implementing the NIST frameworks and guidelines, your organization is better prepared to navigate the cybersecurity landscape more effectively.

‍

‍NIST resources are free and readily available online for anyone who wants to improve their overall cybersecurity standards. Want to ensure your container images are secure and compliant? Chainguard Images eliminate the vulnerabilities that repeatedly impact your compliance certifications. Reach out to learn how we can help you achieve your compliance and security goals.