Containers have revolutionized software delivery, bringing unmatched speed and agility to the process of building, deploying, and scaling applications. The distributed nature of containers, along with their reproducibility, portability, and scalability, makes them indispensable building blocks in development. However, the same ephemeral nature, paired with high potential for container sprawl and risks inherent in software supply chains, introduces unique security challenges whose mitigation must form part of effective and secure container management.

Routine and controlled code signing is a fundamental aspect of container security. Central to establishing and maintaining trust are code signing certificates. Because they help validate the integrity of container images through digital signatures generated with their associated private keys, code signing certificates act as guarantors that containers or any of their components have not been tampered with and can be trusted to execute according to the desired state.

Implementing best practices for code signing in container security helps DevOps and security teams strengthen the overall security of the development pipeline. While PKI management may be complex, integrating it into containerized environments doesn’t have to come at a cost to innovation and agility.

Understanding container security fundamentals

Virtualization technology function isn’t unique to containers; virtual machines, or VMs, serve similar purposes, with one important distinction. VMs provide complete replication of a machine, including its hardware layers, whereas containers virtualize only the software components required for the applications they power. As such, in cybersecurity terms, the container model may potentially be less secure than a virtual machine security model, since the latter provides complete isolation of the host operating system from the virtual machine running on a separate OS. Containers, being only a software layer, run on the same shared kernel as the host.

The attack surfaces of containers are larger than those of VMs of comparable component complexity. Simply put, the threats can potentially “jump” into other components of the system more easily in case of a security breach. These differences may be crucial in case of malware infecting containers as opposed to VM components, but they can be offset by careful configuration, robust workload isolation, and proactive monitoring for vulnerabilities.

Some of the most common security gaps and risks associated with container operations include:

  • Container image tampering, or any unauthorized modifications to container images that may occur at any point in the development lifecycle and compromise container integrity.
  • Unauthorized privilege escalations that may be vertical, granting a threat actor the level of access higher than they could normally get, or horizontal, granting access to a different component or container with the same level of privilege.
  • Insecure registries may introduce tampered images or images with malware into the container environment.
  • Unencrypted persistent storage within containers is especially vulnerable to tampering.

Any of the above affecting a container may severely undermine container trust if not addressed. Identity and integrity are the cornerstones of container trust, as both need to be ascertained as authentic and unaltered for containers to run safely. Code signing certificates assist in verifying both the integrity of a container and the identity of its publisher.

The role of certificates in containers

Code signing certificates act as machine identities for workloads and services. They work by binding the publisher’s identity to a public key and enabling the validation of digital signatures with the corresponding private key. Once in place, code signing certificates can prove that the container image was produced by a trusted entity and hasn’t been altered since being signed. Code signing certificates are thus useful for software artifact integrity verifications during development and release, ensuring the untampered state of container components.

By contrast, TLS certificates are most often employed during runtime to foster service-to-service communication trust. They continuously verify workload identities, proving that these identities are who they claim to be, and provide mutual authentication between services. Dynamic container environments automate the issuance and renewal of both code signing and TLS certificates: the former assures the integrity of containers before they run, while the latter confirms the identity of workloads after they start running.

Why code signing matters for container images

Code signing is critically important for container images, especially before deployment, as it works to authenticate and ascertain that they haven’t been tampered with, and are thus safe to run in production (with other runtime security measures in place). Because clusters are usually configured to freely communicate, tampered or malicious container images can rapidly propagate across clusters if undetected. Detecting containers with incorrect or missing signatures can make all the difference in limiting the malware spread before it significantly damages the environment. For example, in Kubernetes, code signing certificates are used together with admission control tools that help ensure that only signed and verified images are pulled into the environment.

Other best practices for containerized environment security, where code signing is concerned, include the following:

  • Embedding certificate automation into CI/CD pipelines, including certificate issuance and rotation, to speed up deployment and iteration without sacrificing security and robust verification checks.
  • Leveraging HSM-backed or cloud-native signing services for improved key protection that’s less likely to be compromised or stolen due to improperly secured private keys.
  • Adopting tools and standards like Sigstore or Notary v2 for container signing to lower the likelihood of container tampering “in transit” (man-in-the-middle attacks), especially in enterprise environments that routinely sign thousands of new container images daily.
  • Monitoring for certificate health to prevent outages in orchestrated services due to certificate expiry or revocation. This is best accomplished by certificate automation and managed PKI solutions.

Building agility without compromising security

Running containerized environments provides an organization’s IT department with many advantages discussed above, such as fast iteration, ease of updates, frictionless deployment, and relative light weight of containers on the enterprise servers. Ideally, the security of containers must remain top of mind for both DevOps and IT teams. In practice, code signing is a security building block whose implementation, if too heavy-handed, may introduce friction and increase the possibility of workarounds and circumventions that make development processes easier but more vulnerable to exploits. To balance security procedures with ease of execution, development workflows must align with DevOps workflows.

Integrating security checks directly into developer toolchains also serves to build up the agility of production while strengthening its security. Code signing, vulnerability scanning, and container state analysis all serve to detect issues at the earliest stage of the development lifecycle, preventing costly post-deployment fixes.

Code signing certificates form an important part of PKI and need to be considered in the context of post-quantum readiness as well, together with other cryptographic components. As new algorithms and encryptions emerge with post-quantum cryptography looming on the horizon, following the principles of cryptoagility will equip DevOps teams with the tools to upgrade the PKI infrastructure and retire old certificates without risking service outages.

Conclusion

Strengthening container security with robust code signing procedures that utilize code signing certificates is a critically important component of maintaining agile and healthy containerized environments that may regularly see thousands of new container images. When DevOps teams are given the means and the tools to adopt integrated PKI and incorporate code signing solutions, runtime security, and vulnerability checks into container management, secure innovation at scale stops being a mythical state and turns into a real possibility.