Software Integrity


Analysts find that apps run in containers more secure than not

Two analyst firms have concluded that running apps in containers is more secure than alternatives.

Gartner analyst Joerg Fritsch stated in a new research note “How to Secure Docker Containers in Operation”. In a follow-up blog post, he said:

“… despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS — as long as a kernel privilege escalation vulnerability does not exist on the host OS.”.

In a paper “Understanding and Hardening Linux Containers,” NCC Group took a different analysis approach and contrasted the security features and defaults of three container platforms. It found that applications are more likely to be secure when they are run in some form of Linux container than without. That’s in part because containers lack a full operating system, only the parts necessary to run the given app.

“Containers offer many overall advantages. From a security perspective, they create a method to reduce attack surfaces and isolate applications to only the required components, interfaces, libraries and network connections,” wrote Aaron Grattafiori, NCC Group. “In this modern age, I believe that there is little excuse for not running a Linux application in some form of a Linux container, MAC or lightweight sandbox.”