Containers and the OWASP Top 10

The Open Web Application Security Project (OWASP) periodically publishes a list of the top 10 web application security risks.

The OWASP Top 10 is a useful resource for making any internet-connected application more secure against the most common types of attack. The container-specific recommendation that comes up most to scan container images for known vulnerabilities in third-party dependencies. While it will fail to catch some things, specifically some exploitable flaws in your application source code will probably give you the biggest bang per buck of any preventative tool that you can introduce into a containerized deployment.


If your code has an injection flaw, an attacker can get it to execute commands masquerading as data. The container image scanning can reveal known injection vulnerabilities in dependencies. You should review and test your application source code, following the OWASP advice.

Broken Authentication

This category covers broken authentication and compromised credentials. At the application level, all the same, advice applies for containerized apps as for monoliths in traditional deployments, but there are some additional container-specific considerations:

Sensitive Data Exposure

Whether containerized or not, sensitive information like any personal, financial, or other sensitive data that your application has access to should always be encrypted at rest and in transit, using a strong cryptographic algorithm. Over time, as processing power increases, it becomes feasible to brute-force encryption, which means that older algorithms can start to be considered no longer safe to use.

Because the sensitive data is encrypted, your applications will need credentials to access it. Following the least privilege principle and principles of segregation of duties can limit credentials to only those containers that need access. Consider scanning container images for embedded keys, passwords, and other sensitive data.

XML External Entities

There is nothing container-specific about this category of vulnerable XML processors. Much as for injection vulnerabilities, you should follow the OWASP advice on analyzing your application source code for flaws and use a container image scanner to spot vulnerabilities in dependencies.

Broken Access Control

This category relates to the abuse of privileges that may be granted unnecessarily to users or components. There are some container-specific approaches to applying the least privilege to containers:

These approaches can limit the blast radius of an attack, but none of these controls relate to user privileges at the application level, so you should still apply all the same advice as you would in a traditional deployment.

Security Misconfiguration

Many attacks take merit of poorly configured systems. Some examples are insecure or incomplete configurations, open cloud storage, and verbose error messages containing sensitive information.

Some of the mitigations that are specific to containers and cloud-native deployments:

Cross-Site Scripting XSS

This acts at the application level, so there is nothing particular about running your app in containers that would affect this risk. You should use a container image scanner to identify vulnerable dependencies.

Insecure Deserialization

In this type of attack, a malicious user provides a crafted object that the application interprets to grant the user additional privileges or to change the application behavior in some way.

Again, this is generally not something that is affected by whether an application is running in containers or not, though there are some container-specific approaches to limiting the impact of this kind of attack:

Using Components with Known Vulnerabilities

Use an image scanner to determine known vulnerabilities in your container images. Also required a process or tooling in place to:

Insufficient Logging and Monitoring

It should be possible to dramatically reduce that with sufficient observation combined with alerting on unexpected behavior.

Most serious commercial container security tools integrate with enterprise security information and event management (SIEM) to provide container security insights and alerts through one centralized system. Even better than observing attacks and reporting on them after the event, these tools can protect not just reporting on unexpected behaviors but preventing them from happening based on runtime profiles.


Recent Posts

Follow Us

Web Application Firewall Solution