A DevSecOps approach must be used to implement and manage security policies for container infrastructure. Much like testing, integration, and deployment, security must be built in at the ground level of application development and automated as much as possible.

Security teams, working with development and operations teams, can adapt existing governance and compliance policies to accommodate the new container and application lifecycle and new tools. Development and delivery teams are then responsible for the implementation of those practices, performing the day-to-day decision making around the security of applications and providing evidence demonstrating that they are meeting the organization's policies.

Best practices for container security:

  • Use programming frameworks that make adopting recommended security practices and patterns easier, enabling developers to create secure applications by default.

  • Standardize the code used in the base OS and application dependencies for container builds.

  • Provide well-documented code provenance (metadata) for containers, which also automates policy enforcement and monitoring.

  • Use a private container registry for managing approved, validated container images and base OS images (including third-party containers).

  • Rigorously control access and deployment policies for the private registry.

  • Automate container builds so that updates to application code, dependencies, or OS libraries trigger rebuilds.

  • Implement a zero-trust, role-based access control policy for accessing runtime platforms.
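
As an added example (not part of the original page), the check below shows how the private-registry and provenance-metadata practices above can be enforced automatically at deploy time. The registry host `registry.example.internal`, the function names, and the sample inputs are assumptions; the label keys are the standard OCI image annotation keys.

```python
# Added example: deploy-time policy check. Host, names and samples are assumptions.
APPROVED_REGISTRY = "registry.example.internal"  # hypothetical private registry host
REQUIRED_LABELS = (  # standard OCI annotation keys carrying provenance metadata
    "org.opencontainers.image.source",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.created",
)


def registry_of(image_ref):
    """Return the registry host of an image reference.

    Follows Docker's rule: the first path component is a registry only if it
    contains '.' or ':' or equals 'localhost'; otherwise the image resolves
    to docker.io (so a bare 'nginx:1.25' is a public image).
    """
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def check_image(image_ref, labels):
    """Return a list of policy violations; an empty list means admit."""
    violations = []
    host = registry_of(image_ref)
    # Exact host comparison: a prefix or substring match would accept
    # look-alike hosts such as 'registry.example.internal.mirror.example'.
    if host != APPROVED_REGISTRY:
        violations.append(f"registry '{host}' is not the approved private registry")
    for key in REQUIRED_LABELS:
        if not str(labels.get(key, "")).strip():
            violations.append(f"missing provenance label '{key}'")
    return violations


# Constructed sample metadata for a compliant image.
GOOD_LABELS = {
    "org.opencontainers.image.source": "https://git.example.internal/payments/api",
    "org.opencontainers.image.revision": "0123456789abcdef0123456789abcdef01234567",
    "org.opencontainers.image.created": "2024-01-15T10:00:00Z",
}

if __name__ == "__main__":
    for ref in ("registry.example.internal/payments/api:1.4.2", "nginx:1.25"):
        problems = check_image(ref, GOOD_LABELS)
        print(ref, "->", "ADMIT" if not problems else "DENY: " + "; ".join(problems))
```

The same function can back a CI gate or an admission webhook, so that build and deploy stages apply one policy.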