How the latest trend in app coding could be a hacker's dream
Every time you search for something on Google, hail an Uber or log into a bank account, your personal data likely flow behind the scenes through a series of separate, free-standing packages of software known as containers.
Although invisible to the user, this method has become the dominant way to code apps today. Programmers like it because it allows them to change one feature without breaking their colleagues' work, and it helps software run more efficiently, saving companies money.
But the process is also giving hackers lots of new ways to steal people's information. Instead of a user's data going directly to one place, they can jump between dozens of containers for a single action.
Hackers only need to gain access to one. Because of the way most containers are designed, they're black boxes on a network. Administrators may have no idea what's happening inside of them.
This threat went largely unnoticed for a while as containers proliferated throughout the software industry. In 2014, it caught the attention of Sameer Bhalotra, the former senior cybersecurity director for President Barack Obama and an ex-Google employee. Bhalotra created StackRox to address new techniques that exploit container technology.
"Enterprises are flying blind," said Bhalotra, speaking publicly about his startup for the first time. "They often have no idea if a container went down by a design-it was no longer needed as user activity decreased-or due to an IT configuration error or a human error or an attacker."
StackRox is backed by a Silicon Valley A-list of chief security officers, including Uber's Joe Sullivan, Facebook's Alex Stamos and SAP's Justin Somaini. StackRox is in the process of completing a new funding round, according to people familiar with the matter.
A quarter of all large companies now use containers, and corporate spending on the technology is projected to double over the next two years to $2 billion, according to 451 Research. Many companies rely on software from Docker, a startup valued by investors at $1 billion. Jay Lyman, an analyst at the research firm, said there's a "gold-rush mentality" to adopt the tool without a full appreciation of the risks. "Security is the No. 1 challenge," he said.
Docker and StackRox have become close partners, but Bhalotra wasn't the only one to notice an opportunity. Aqua Security Software, an Israeli firm that secures containers, has attracted funding from local cybersecurity billionaire Shlomo Kramer and Microsoft Ventures. San Francisco-based Twistlock has raised some $30 million from Dell Inc. and other investors.
Uber is a devotee of the container, as is Google, which has said every service it offers today runs on the technology. Google uses more than 2 billion containers a week. But these tech giants have highly sophisticated security operations to deal with potential threats. Sullivan, the Uber security chief, said the company created its own software to detect container attacks. "Our security engineering team must be able to blend off-the-shelf security products with a great deal of custom work," he said.
City National Bank first considered adopting containers last year, but none of its existing security systems could track them. "It's hard to know if a new container that shows up is really supposed to be there," said Gene Yoo, head of information security at City National. Then the Los Angeles bank found StackRox and Docker. It's now moving "aggressively" to containers for its website and payment systems, which is reducing costs. Docker said its technology addresses key security threats that faced apps using earlier approaches without containers.
One feature of containers that hackers are actively exploiting is that they're ephemeral, Bhalotra said. In attacks his company has studied, containers use a kind of suicide switch that controls when they are shut down, and hackers who get inside often install malicious software to flip those switches. The code allows them to erase all evidence showing they were there. "Enterprises with advanced IT infrastructures are moving to containers, but they aren't sure how to address security," Stamos, the Facebook security chief and StackRox backer, wrote in an email.
Hackers are eager to take advantage, as StackRox found this spring when it began monitoring a major financial services firm. (Bhalotra asked Bloomberg not to identify certain details about the project to protect the company's work.) StackRox said it detected more than 500 threats aimed at the finance firm's container software during a single month.