Patents Assigned to AQUA SECURITY SOFTWARE, LTD.
-
Patent number: 12013928
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: December 7, 2022
Date of Patent: June 18, 2024
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 12001543
Abstract: An example method for a software container includes instantiating the following in a sandbox of a computing device: an operating system, a Berkeley Packet Filter (BPF) virtual machine within a kernel of the operating system, and a software container. The kernel monitors runtime behavior events of the software container, with the monitoring at least partially performed by the BPF virtual machine. Based on the monitoring, a respective risk score is assigned to each of the runtime behavior events that is potentially malicious, with each risk score indicating a likelihood that a corresponding behavior event is malicious. An overall risk score is assigned to the software container that indicates a likelihood that the software container is malicious based on the respective risk scores.
Type: Grant
Filed: September 17, 2021
Date of Patent: June 4, 2024
Assignee: Aqua Security Software, Ltd.
Inventors: Idan Revivo, Yaniv Agman, Roi Kol, Ziv Karliner
-
Patent number: 11762986
Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure, includes receiving a software container image with a software application and a security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.
Type: Grant
Filed: February 12, 2021
Date of Patent: September 19, 2023
Assignee: Aqua Security Software, Ltd.
Inventors: Amir Gerebe, Rani Osnat
-
Patent number: 11693951
Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.
Type: Grant
Filed: July 16, 2021
Date of Patent: July 4, 2023
Assignee: Aqua Security Software, Ltd.
Inventor: Amir Gerebe
-
Patent number: 11580230
Abstract: An example method includes determining, based on a static scan, that a software container image or an intended execution environment of the software container image meets one or more first criteria required to exploit a software vulnerability. Based on the determining, runtime behavior of a software container instantiated from the software container image is monitored. The monitoring includes determining whether the software container meets one or more second criteria required to exploit the software vulnerability, wherein the one or more first criteria differ from the one or more second criteria. Based on the runtime monitoring, a risk score that indicates a magnitude of the risk the software vulnerability poses for the software container is determined, and a notification of the risk score is provided. A system for assessing software containers for vulnerabilities is also disclosed.
Type: Grant
Filed: November 30, 2020
Date of Patent: February 14, 2023
Assignee: Aqua Security Software, Ltd.
Inventors: Bhuvan Bhatt, Vijay Kumar Kamannavar
-
Patent number: 11580216
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: March 26, 2021
Date of Patent: February 14, 2023
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Publication number: 20220171856
Abstract: An example method includes determining, based on a static scan, that a software container image or an intended execution environment of the software container image meets one or more first criteria required to exploit a software vulnerability. Based on the determining, runtime behavior of a software container instantiated from the software container image is monitored. The monitoring includes determining whether the software container meets one or more second criteria required to exploit the software vulnerability, wherein the one or more first criteria differ from the one or more second criteria. Based on the runtime monitoring, a risk score that indicates a magnitude of the risk the software vulnerability poses for the software container is determined, and a notification of the risk score is provided. A system for assessing software containers for vulnerabilities is also disclosed.
Type: Application
Filed: November 30, 2020
Publication date: June 2, 2022
Applicant: Aqua Security Software, Ltd.
Inventors: Bhuvan Bhatt, Vijay Kumar Kamannavar
-
Patent number: 11176247
Abstract: An example method for a software container includes instantiating the following in a sandbox of a computing device: an operating system, a Berkeley Packet Filter (BPF) virtual machine within a kernel of the operating system, and a software container. The kernel monitors runtime behavior events of the software container, with the monitoring at least partially performed by the BPF virtual machine. Based on the monitoring, a respective risk score is assigned to each of the runtime behavior events that is potentially malicious, with each risk score indicating a likelihood that a corresponding behavior event is malicious. An overall risk score is assigned to the software container that indicates a likelihood that the software container is malicious based on the respective risk scores.
Type: Grant
Filed: April 2, 2020
Date of Patent: November 16, 2021
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventors: Idan Revivo, Yaniv Agman, Roi Kol, Ziv Karliner
-
Patent number: 11100216
Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.
Type: Grant
Filed: November 26, 2018
Date of Patent: August 24, 2021
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventor: Amir Gerebe
-
Patent number: 11017074
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: September 12, 2018
Date of Patent: May 25, 2021
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 10997283
Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure, includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.
Type: Grant
Filed: January 8, 2018
Date of Patent: May 4, 2021
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventors: Amir Gerebe, Rani Osnat
-
Patent number: 10534915
Abstract: An example computer-implemented method of preventing exploitation of software vulnerabilities includes determining that a software container is susceptible to a vulnerability, determining one or more soft spots required to exploit the vulnerability, and analyzing runtime behavior of the software container to determine if the software container uses the one or more soft spots. The method includes automatically applying a security policy that prevents the software container from using the one or more soft spots based on the analyzing indicating that the software container does not use the one or more soft spots at runtime.
Type: Grant
Filed: June 29, 2017
Date of Patent: January 14, 2020
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 10210322
Abstract: According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.
Type: Grant
Filed: March 29, 2016
Date of Patent: February 19, 2019
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventor: Amir Gerebe