Docker this week announced the rollout of security scanning technology to safeguard container content across the entire software supply chain.
Docker Security Scanning is an opt-in service for Docker Cloud private repository plans. It provides a security assessment of the software included in container images.
It enables detailed image security profiles, continuous vulnerability monitoring, and notifications for integrated content security across the entire software supply chain, Docker said. It also provides binary-level scanning that generates a detailed security profile for each Docker image.
The service provides details that allow IT operations to assess whether the software meets security compliance standards. It works seamlessly with existing development and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment, the company said.
“The scanning process creates an image signature much like a contents label on a can of soup,” said Nathan McCauley, director of security at Docker.
What It Does
Docker Security Scanning works across any application and all major Linux distributions. It provides integration into a Containers as a Service workflow that improves an organization’s security posture through central IT managed secure content, the company said.
As part of the security enhancement, the company also released an update to Docker Bench. The release automates validating a host’s configuration against CIS Benchmark recommendations. With the update, Docker users can implement recommendations from the latest CIS Docker Benchmark to ensure that their platform is configured to be in line with the best practices outlined for Docker Engine 1.11, McCauley told LinuxInsider.
This security process helps answer several critical questions on computer security. It tells users the contents of a Docker container. It lets users know where code originated, how to avoid bad components, and how to keep patches current for compliance and governance.
“With this process, the developer becomes part of the security process. Devs are able to see the results of the scanning process before they deploy the software,” said McCauley. “We’ve made it our goal to secure the global software supply chain from development, test to production.”
How It Works
Docker image scanning and vulnerability detection provides a container-optimized capability for granular auditing of images. The results are presented in a bill of materials containing the details of the image layers and components, along with the security profile of each component, according to Docker.
That allows independent software vendors, publishers and app teams to make informed decisions regarding content based on their security policies. ISVs can use the information to actively fix vulnerabilities to maintain high-quality security profiles of their content and transparently deploy them to their end users. App teams can decide if they want to use an ISV image based on the displayed profile and flexibly use Security Scanning to check the additional code before deciding to deploy.
Without that optional security enhancement, IT operations rely on the information published by each ISV on the state of their content to the Common Vulnerabilities and Exposures databases and manually monitor them for any issues. Docker Security Scanning automates the process and notifies an organization when a vulnerability is reported for any component within the images.
The upcoming version of Docker Engine will use a multidaemon approach to separate privileges, making it more secure than the single-daemon design used by previous versions. It’s one example of how Docker has continued to improve its security posture over time, according to Adrian Otto, distinguished architect atRackspace.
“We believe enhancements like this will continue, as development is driven by the interests of a community of users and developers who are becoming more and more concerned with application security as threats and sophisticated adversaries become more prevalent,” he told LinuxInsider.
Security is a legitimate concern for all cloud-enabled applications, whether they use container technology or not. Continually scanning your deployment system for vulnerabilities is definitely a security best practice. Ideally, security scanning should be built in to container hosting systems to keep applications more secure, Otto said.
Security in Stride
As a security issue, Docker technology has a lot of room to grow, but it is making great strides, according to Scott Moore, CTO Architect of Security atSungard Availability Services.
The release of Docker engine 1.10 was almost entirely security-focused. Version 1.11 was the first release built withrunC as well asContainerd and conformed to the Open Catalog Interface standard.
Docker Cloud is a Container as a Service solution allowing customers to bring their own nodes from any cloud provider. Customers create and run nodes, so Docker doesn’t control the host’s security. Docker Cloud will pull information from nodes and store it within Docker Cloud itself, and it may not have certifications around securing the metadata from the nodes it collects.
“If the Docker ID used to authenticate to Docker Cloud is leaked, someone may be able to gain access to containers on any node managed by Docker Cloud. At this time, Docker Cloud does not have fine-grained, permission-based access or even API key management,” Moore told LinuxInsider.
How Much Is Enough?
There is a need for additional measures to ensure the integrity of the host systems as well as content inside the containers themselves, according to Randy Kilmon, vice president of engineering atBlack Duck Software. Most of his company’s customers make their own solution using various deployment mechanisms.
“So far, Docker has not spent time making containers secure, meaning if a running container has a vulnerability, it can still be exploited on the container level,” he told LinuxInsider.
Security is a hard thing to get right. Organizations often design custom use cases that do not fit a standard mold, according to Chenxi Wang, chief strategy officer forTwistlock.
“Hence, there is always room for add-on security modules outside the platform,” she told LinuxInsider.
Containing the Container
Docker Cloud is a solution for running containers in the cloud. If Docker Cloud is secure, it does not mean the containers you run in it for your cloud solution are secure, according to Kilmon.
“These are two different things. If you don’t scan your own containers, you could potentially be exploited on the container level,” he added.
Docker Cloud is only as secure as its constitute parts. Cloud security largely depends on how it is used, Kilmon said.
For example, if you provide an Amazon Web Services instance or a node to run your containers on, and that becomes compromised, it would represent a weak link in the chain.
“Docker Cloud is nothing more than hosted Docker infrastructure — Docker registry, Docker engine, etc. This hosted infrastructure is secure, but the Docker containers you run in that infrastructure can still be insecure,” Kilmon said.
Containers or Servers?
A huge need exists for an enhanced security add-on toolset. Most enterprises are managing complex environments with traditional bare-metal servers, virtualization, cloud workloads running in private and public clouds, as well as containers potentially deployed across all of them, noted Sami Laine, Principal Technologist atCloudPassage.
“Having comprehensive tools that provide visibility and compliance controls across all of this IT delivery landscape — including ability to inspect container engines and images as they’re deployed — is going become more important, not less,” he told LinuxInsider.
An evil docker container could attack its host or another container. The isolation between containers is good, but it’s not as good as between virtual machines, enforced by the CPU, according to Simon Crosby, CTO ofBromium.
“Ultimately, Docker is already vastly better off than traditional leaky enterprise server apps and infrastructure,” he told LinuxInsider.
Docker Security Scanning is available to Docker Cloud users with a private repository plan. It will extend to all Docker Cloud repo users by the end of Q3.
After an initial free trial period, pricing begins at US$2 per repository as an add-on service for private repo plans. Docker Security Scanning also will be available as an integrated feature in Docker Datacenter during the second half of 2016.