Every time you search for something on Google, hail an Uber or log into a bank account, your personal data probably flow behind the scenes through a series of separate, freestanding packages of software known as containers.
Although invisible to the user, this method has become the dominant way to code apps today. Programmers like it because it allows them to change one feature without breaking their colleagues’ work, and it helps software run more efficiently, saving companies money.
But the process is also giving hackers lots of new ways to steal people’s information. Instead of a user’s data going directly to one place, they can jump between dozens of containers for a single action. Hackers only need to gain access to one. Because of the way most containers are designed, they are black boxes on a network. Administrators may have no idea what is happening inside them.
This threat went largely unnoticed for a while as containers proliferated throughout the software industry. In 2014, it caught the attention of Sameer Bhalotra, the former senior cybersecurity director for the US president Barack Obama and an ex-Google employee. Mr Bhalotra created StackRox to address new techniques that exploit container technology.
“Enterprises are flying blind,” said Mr Bhalotra, speaking publicly about his start-up for the first time. “They often have no idea if a container went down by a design – it was no longer needed as user activity decreased – or due to an IT configuration error or a human error or an attacker.”
“[We] obsessed for nearly three years on building adaptive threat protection for containers. Instead of retrofitting old security approaches, we took the time to build a container-native platform from scratch,” he said.
StackRox is backed by a Silicon Valley A-list of chief security officers, including Uber’s Joe Sullivan, Facebook’s Alex Stamos and SAP’s Justin Somaini. StackRox is in the process of completing a new funding round, according to reports.
A quarter of all large companies now use containers, and corporate spending on the technology is projected to double over the next two years to US$2 billion, according to 451 Research. Many companies rely on software from Docker, a start-up valued by investors at $1bn. Jay Lyman, an analyst at the research firm, said there is a “gold-rush mentality” to adopt the tool without a full appreciation of the risks. “Security is the number one challenge,” he said.
Docker and StackRox have become close partners, but Mr Bhalotra was not the only one to notice an opportunity. Aqua Security Software, an Israeli firm that secures containers, has attracted funding from the local cybersecurity billionaire Shlomo Kramer and Microsoft Ventures. The San Francisco-based Twistlock has raised some $30 million from Dell and other investors.
Uber is a devotee of the container, as is Alphabet’s Google, which has said every service it offers today runs on the technology. Google uses more than 2 billion containers a week. But these tech juggernauts have highly sophisticated security operations to deal with potential threats. Mr Sullivan said the company created its own software to detect container attacks. “Our security engineering team must be able to blend off-the-shelf security products with a great deal of custom work,” he said.
City National Bank first considered adopting containers last year, but none of its existing security systems could track them. “It’s hard to know if a new container that shows up is really supposed to be there,” said Gene Yoo, the head of information security at City National. Then the Los Angeles bank found StackRox and Docker. It is now moving “aggressively” to containers for its website and payment systems, which is reducing costs. Docker said its technology addresses key security threats that faced apps using earlier approaches without containers.
One feature of containers that hackers are actively exploiting is that they are ephemeral, Mr Bhalotra said. In attacks his company has studied, containers use a kind of suicide switch that controls when they are shut down and hackers who get inside often install malicious software to flip those switches. The code allows them to erase all evidence showing they were there. “Enterprises with advanced IT infrastructures are moving to containers, but they aren’t sure how to address security,” said Mr Stamos, who is also a StackRox backer.
Hackers are eager to take advantage, as StackRox found this spring when it began monitoring a major financial services firm. (Mr Bhalotra asked not to identify certain details about the project to protect the company’s work.) StackRox said it detected more than 500 threats aimed at the finance firm’s container software during a single month.
For Mr Bhalotra, thwarting malicious hackers is more than just business, it is a calling. “I’ve spent my entire career in security, from Washington DC to Silicon Valley, striving to find better ways to stop the bad guys and drive the security field forward,” he says. “At StackRox, I have a simple mantra: build team, build product, serve customers. Our business is about earning trust.”