NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

Pentesting Containers: Overview & Security Best Practices

Containers are packages that provide operating system (OS) Level Virtualization. They deliver software or an application and help with penetration testing by allowing pentesters to deploy customized testing environments.

There are many container runtimes that can work alongside platforms such as Kubernetes to deliver an effective pentesting solution.

In this article, we’ll explore the different types of containers, the benefits of using containers for pentesting, and how to establish container security.

What Are the Different Types of Containers?

Below are a variety of containers that can be used for pentesting purposes. Each includes unique features that set them apart and make them more suitable for certain projects.

Docker

Docker has established itself as one of the most popular and well-regarded container platforms. Docker containers allows Linux containers to be easily created, deployed, and managed in one place. Almost all IT and cloud organizations have adopted Docker in some capacity, with global superpowers such as Amazon and Microsoft even embracing the platform.

The key benefit of Docker is that it combines a range of tools and components to provide a comprehensive solution that creates a full container management system. This is a common solution for cybersecurity professionals looking to use a container.

rkt

One of Docker’s main rivals, rkt (Rocket) provides users with a powerful toolkit, and is strongly backed by an active community. Rkt containers have attempted to address a number of security vulnerabilities that were a significant problem in the early days of Docker. As a secure and innovative alternative, rk thas supported many open-source projects.

Rkt does not use a central daemon, offering more control to the user in terms of managing individual containers. Although rkt does not offer a complete end-to-end solution like Docker, it is frequently used to replace different components within the Docker platform due to its specific advantages.

Podman

Podman is another open-source container engine like rkt, as it does not use a central daemon, while still providing similar functionality to Docker. A drawback of Docker is if the central daemon goes offline or experiences issues, the user will no longer have control of containers. With Podman, containers are fully-isolated and the user can manage each of them independently. 

Another key feature of Podman is that non-root access is the default setting, meaning the platform is more secure than many other alternatives.

Containerd

Containerd is technically a daemon that is supported by Linux and Windows, working as an interface between container runtimes and container engines. Its built-in abstracted layer makes managing container life cycles much easier, and includes features such as container execution, image transfers, and snapshots, in addition to a range of storage options. 

The platform is an open-source project that has been utilized as a core component of Docker.

LXC

Linux Containers created another open-source project, LXC, which constructs isolated application environments with functionalities similar to virtual machines (VMs) but without the need for their own kernel to operate efficiently.

Utilizing the Unix process model, LXC does not use a central daemon and uses a central program to manage containers individually. The platform differs from Docker in many ways, however, one key difference is that LXC can run multiple processes in a container, whereas Docker runs a single process in each container which is preferable to some developers. 

What Are the Types of Vulnerabilities That Containers Can Have?

Container vulnerabilities can be broken down into 4 key groups - application, configuration, network, and image OS. 

1. Application Vulnerabilities - In any application deployment, numerous applications may be vulnerable to exploitation if not properly monitored and secured. These app vulnerabilities can relate to the framework used to build the application, the libraries that have been integrated, improper configuration of settings, and more. It’s important to review application security best practices.

A common issue in programs like Docker occurs when a new service, such as React, is introduced; this often brings along a large number of dependencies that may harbor their own vulnerabilities. Therefore, any new services and their dependencies must be cross-checked with the National Vulnerability Database.

2. Configuration Vulnerabilities - Misconfiguration of a container or incorrect settings on the host can lead to more weaknesses that need to be addressed. Many of these vulnerabilities can be avoided by following best practices such as not running a container as a root, and avoiding any escalation of privileges. This is the default setting for container engines like Podman, as mentioned previously.

3. Network Vulnerabilities - Closely related to configuration vulnerabilities, network vulnerabilities can take the form of a misconfiguration of a container port resulting in it being exposed on the internet (SSH or Telnet, for example). This could result in unauthorized access to an organization’s network.

Another example is a container being misconfigured so that data is transmitted via HTTPS, meaning a cybercriminal can exploit a system using a network scanner. This is one of the strategies that cybercriminals can use to steal data remotely.

4. Image OS Vulnerabilities - Containers on a network require an image operation system (OS) to work effectively (E.G. Linux). Each OS has its own vulnerabilities that could lead to Denial of Service (DOS) attacks and other such exploits.

This is why patching is very important, keeping operating systems and all the components up to date. 

What Are the Benefits of Using Containers For Pentesting?

Using a container platform such as Docker for penetration testing has a number of advantages that can result in quicker, more efficient hacking. 

Benefits include:

  1. Containers provide a ‘build-once-run-anywhere approach’ to run applications instantaneously.

  2. You can build and customize containers to include only the necessary tools, streamlining their functionality and reducing potential vulnerabilities. This approach enables the creation of a self-contained environment tailored to each specific project.

  3. Containers are always opened in their same state, allowing hackers to pick up where they left off on any device.

  4. These environments can be easily backed up and shared among team members or collaborators.

  5. Containers can be quickly expunged if an issue occurs, with a new one quickly deployed in its place.

  6. Multiple containers can be launched simultaneously if required without putting much strain on resources. Containers do not create discs or virtualize hardware, meaning they are significantly less resource-heavy than virtual machines. 

Conclusion

If used correctly, containers can be of great benefit to a penetration tester and help improve a company’s security posture. Containers can be built to provide a secure testing environment for new projects, containing just the required tools to create a streamlined approach. Furthermore, containers use minimal resources and are very secure, allowing testers to save the current state and open it back up at the same point. 

The most popular container platform is Docker, as it provides an overall Linux solution that encompasses the best open-source components and tools. 

FAQs

What is the Difference between Containers and Virtual Machines?

Simply, a container is a package of software code that contains the code of an application and its dependencies. Meanwhile, a virtual machine is a direct copy of a physical machine.  Containerization makes applications more portable than a VM so the code can run on any device in the same state. 

What is the Main Difference between a Container and a Hypervisor?

A hypervisor is computer software, firmware, or hardware that creates and runs a virtual machine. A container engine differs in that the operating system is abstracted away to run an application(s), whereas a hypervisor abstracts away hardware to run the virtual machine’s operating system.

Back to Blog
About Jacob Fox
Jacob Fox is a search engine optimization manager at Cobalt. He graduated from the University of Kansas with a Bachelor of Arts in Political Science. With a passion for technology, he believes in Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. He focuses on increasing Cobalt's marketing presence by helping craft positive user experiences on the Cobalt website. More By Jacob Fox
JSON Web Tokens
JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. With the rise of JWT, Core Pentester Saad Nasir gives an introduction to the new security token.
Blog
Dec 5, 2022