Must-Have Capabilities When Evaluating Container Security Solutions

More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.

Research highlights that security remains the primary concern around enterprise container strategy. In a recent survey of IT and security practitioners and decision makers, 35% of respondents identified a lack of adequate investment in container security as their biggest concern relating to their organization’s container strategy, with another 15% lamenting that their container strategy doesn’t take security threats seriously. In addition, nearly half of the respondents (44%) indicated that securing the runtime phase of the container life cycle is their greatest concern.

Deployments of containerized applications in production environments continue to increase. According to Gartner, by 2020 over half of all global organizations will be running containerized apps in production, up from 20% in 2017. Increased adoption means organizations will require a comprehensive container security strategy that addresses their concerns across the full container life cycle and provides security for their Kubernetes orchestrators as well.

To help guide organizations, StackRox has compiled a comprehensive Container Security Evaluation Guide (download a free copy). The document, sourced from lessons learned across hundreds of companies, identifies the critical security capabilities and controls needed to protect containerized applications.

Container and Kubernetes Security: An Evaluation Guide: download our complete guide, which identifies the most critical security controls required for your containers and Kubernetes orchestrator.

Securing the build phase

The build phase centers on what ends up inside the container images developers create. In the build phase, security efforts are typically focused on reducing business risk later in the container life cycle by applying best practices and identifying and eliminating known vulnerabilities early.

Securing the deploy phase

Containerized applications are configured in the deploy phase. In this phase, context about images can be combined with the rich variety of configuration options available for orchestrated services. Security efforts in this phase often center on compliance with operational best practices, least-privilege principles, and identifying misconfigurations to reduce the likelihood and impact of potential compromises.
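The deploy-phase checks described above (least privilege, misconfiguration detection) are concrete enough to show in code. The following is an added example, not StackRox code or part of the guide: a small checker that inspects an already-parsed Kubernetes Deployment manifest (a dict in the shape PyYAML or `kubectl get -o json` would produce) and reports the settings a reviewer would flag. The field names are the real Pod spec fields; the finding codes and the two sample manifests are this example's own constructed conventions.

```python
"""Least-privilege checker for parsed Kubernetes Deployment/Pod manifests.

Added example (not StackRox code). Works on a plain dict so it runs offline
without a YAML library; the two sample manifests below are constructed.
"""

# Capabilities that effectively grant node- or namespace-level control.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def _pod_spec(manifest):
    """Return the Pod spec for a bare Pod or the template spec of a workload."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {}) or {}
    return ((manifest.get("spec", {}) or {}).get("template", {}) or {}).get("spec", {}) or {}


def check_manifest(manifest):
    """Return a list of (code, subject, message) findings; empty means clean."""
    findings = []
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}

    # Pod-level: sharing host namespaces defeats the container boundary.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append((f"POD_{flag.upper()}", "pod", f"{flag} is enabled"))

    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        image = c.get("image", "")

        # Mutable tags make "what was deployed" unanswerable later.
        # (A registry with a port would need a real image-reference parser.)
        if ":" not in image or image.endswith(":latest"):
            findings.append(("IMAGE_TAG_MUTABLE", name, f"image '{image}' is not pinned"))

        if sc.get("privileged"):
            findings.append(("PRIVILEGED", name, "privileged container"))
        # Kubernetes defaults allowPrivilegeEscalation to true, so absence is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("ALLOW_PRIV_ESC", name, "allowPrivilegeEscalation not set to false"))
        # Container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(("RUN_AS_ROOT", name, "runAsNonRoot is not true"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("WRITABLE_ROOTFS", name, "root filesystem is writable"))

        added = set(caps.get("add") or [])
        if added & DANGEROUS_CAPS:
            findings.append(("DANGEROUS_CAPABILITY", name, f"adds {sorted(added & DANGEROUS_CAPS)}"))
        if "ALL" not in set(caps.get("drop") or []):
            findings.append(("CAPS_NOT_DROPPED", name, "does not drop ALL capabilities"))

        limits = (c.get("resources") or {}).get("limits") or {}
        if not (limits.get("cpu") and limits.get("memory")):
            findings.append(("NO_RESOURCE_LIMITS", name, "cpu/memory limits missing"))
    return findings


# Constructed sample: the kind of manifest that "just works" in a demo.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "nginx:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    }}},
}

# Constructed sample: the same workload with the controls applied.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "registry.example.com/web:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}


if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"--- {label}: {len(check_manifest(m))} finding(s)")
        for code, subject, msg in check_manifest(m):
            print(f"{code:22} {subject:8} {msg}")
```

Run as a script it prints nine findings for the weak manifest and none for the hardened one. In a CI pipeline the same function would run against the rendered manifests before `kubectl apply`, which is the "shift left" feedback loop the post describes; the hardened sample shows that pod-level `runAsNonRoot` is honoured when the container does not override it.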

Securing the runtime phase

The runtime phase is when containers go into production with live data, live users, and exposure to networks, whether internal or the public internet. The primary purpose of security during the runtime phase is protecting both running applications and the container infrastructure by finding and stopping malicious actors in real time.

Protecting the infrastructure

Just as critical as protecting containers across their life cycle is ensuring that the underlying infrastructure is properly configured. Containers can help organizations implement finer-grained, workload-level security, but they also introduce new infrastructure components and unfamiliar attack surfaces. The right container security strategy and solution must help secure the cluster infrastructure and orchestrator as well as the containerized applications they run.

Protecting this infrastructure effectively includes following community best practices, such as the CIS Kubernetes Benchmark. Your container security vendor should be able to assess compliance with those standards and bring additional unique security insights and recommendations.

Integrating with DevOps processes

Finally, the right solution must integrate seamlessly into an organization’s architectural plans, tools, and business workflows. Otherwise, the solution may negatively impact business operations, lock the organization into specific technologies, or increase the workload on already busy teams.

The container security solution must seamlessly integrate into the organization’s DevOps practices and tools, including integration with CI/CD systems, deployment tools, container registries, and other security products. Ideally, the container security solution will provide a tight feedback loop to shift left, continuously providing guidance to developers and operations teams. This feedback loop continually improves the overall container security posture.

Get the guide

The move to containers, the importance of orchestrators, and the need to fit security into the DevOps workflow mean container security must be done right. Download the Container Security Evaluation Guide today to get your organization on the right footing.