Application Container Security Guide

Souppaya, Murugiah; Morello, John; Scarfone, Karen

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov. [12:20 pm ET - If you received "Page Not Found" errors recently, please retry accessing those files. File synchronization should now be complete.]

NIST SP 800-190 (2nd Public Draft)

Obsoleted on September 25, 2017 by SP 800-190

Application Container Security Guide

Documentation Topics

Date Published: July 2017
Comments Due: August 11, 2017 (public comment period is CLOSED)
Email Questions to: 800-190comments@nist.gov

Author(s)

Murugiah Souppaya (NIST), John Morello (Twistlock), Karen Scarfone (Scarfone Cybersecurity)

Announcement

NIST announces the second public comment release of Draft Special Publication 800-190, Application Container Security Guide. Application container technologies, better known as containers, are a form of operating system virtualization combined with application software packaging. Draft (2nd) SP 800-190 explains the security benefits and concerns associated with container technologies and makes practical recommendations for addressing the concerns when planning for, implementing, and maintaining containers.

Abstract

Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This publication explains the potential security concerns associated with the use of containers and provides recommendations for addressing these concerns.

Keywords

application; application container; application software packaging; container; container security; isolation; operating system virtualization; virtualization

Control Families

Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Risk Assessment; System and Communications Protection; System and Information Integrity

Documentation

Publication:
Draft (2nd) SP 800-190 (pdf)

Supplemental Material:
Comment Template (xlsx)

Related NIST Publications:
IR 8176 (Draft)

Document History:
04/10/17: SP 800-190 (Draft)
07/13/17: SP 800-190 (Draft)
09/25/17: SP 800-190 (Final)

Topics

Security and Privacy

threats, vulnerability management

Technologies

cloud & virtualization, operating systems

Laws and Regulations

OMB Circular A-130