securing docker - ?· 3 containers docker containers comprise a file system, network stack and...

Download SECURING DOCKER - ?· 3 Containers Docker containers comprise a file system, network stack and process…

Post on 13-Sep-2018




0 download

Embed Size (px)


  • SECURING DOCKER:What You Need to Know

  • 2

    This document provides an overview of the Docker technology and discusses some of the security risks attendant with Docker deployments. It provides steps for securing Docker deployments and looks at how Black Duck Hub can be deployed to help secure Docker applications in production settings.


    INTRODUCTION Industrys embrace of Docker, the virtual application container platform, is nothing short of as-tonishing. As recently as 2014, Docker containers were a novelty and almost unnoticed against mainstays like host and server and desktop virtualization. But, by the middle of 2015, a rapid shift from those legacy virtualization tools to Docker and other virtual containers was under way.

    As evidence: an August 2015 survey by the SaaS monitoring platform Datadog of 7,000 application hosting customers found a five-fold increase in the use of Docker in the preceding 12 months. Just as interesting: larger companies were the most likely to have tried and adopted Docker.

    The Datadog survey found Docker is being used to host a wide range of applications, includ-ing MongoDB, Elasticsearch and open source relational databases like MySQL and Postgres. A 2015 survey of 383 IT professionals by the open source software giant Red Hat found that 67 percent of respondents planned production roll-outs of Docker over the next two years targeted at cloud roles (50 percent) and for web and e-commerce software (56 percent).

    SECURING DOCKER DEPLOYMENTS WITH BLACK DUCK HUB But using Docker and other application containers does come with risks. Chief among those are exploitable software vulnerabilities in applications and application components deployed inside Docker containers. Without new tools to manage the security of Docker application contents and deployments, organizations risk exposing sensitive applications and data to attack.

    Black Duck Hub, Black Duck Software vulnerability scanning and mapping platform, is now capable of tracking and analyzing application source code within Docker containers, simplifying security and risk assessments in dynamic IT environments.

    AN OVERVIEW OF DOCKERWhat is Docker? Simply put: it is an open platform upon which application developers and sys-tem administrators can build, ship, and run distributed applications. Docker enables applica-tions to be quickly assembled and deployed reliably.

  • 3

    ContainersDocker containers comprise a file system, network stack and process space, and anything else needed to run an application, such as system tools and system libraries. Each Docker container includes the designated application and its dependencies, which will vary from application to application, but are identical across different copies of the same container.

    Docker EngineBeneath the application is the Docker Engine, a software layer that runs on top of the host op-erating system within every container. It is the component that ensures that applications will run in a stable operating environment regardless of the environment they are deployed within.

    Operating System Docker containers typically leverage some version of common operating systems including Li-nux distributions like Red Hat Enterprise Linux or Ubuntu, as well as later versions of Micro-softs Windows OS. Containers run as isolated processes in user space on the host operating system, sharing kernel resources with other containers.

    Host EnvironmentBeneath the operating system is the host infrastructure. This may be the local environment of a developer laptop or desktops, virtual machines or bare metal hypervisors running in a produc-tion hosted environments like AWS and OpenStack.

    Docker HubFinally, there is Docker Hub, a cloud-based registry service for sharing applications and au-tomating Docker workflows. Docker Hub hosts public Docker images and provides services to help developers build and manage Docker environments. This software as a service (SaaS) ap-plication provides a range of features needed to find and manage images from both public and private Docker libraries, automate builds of new Docker images via integrations with GitHub or Bitbucket and to manage user access to image repositories.

    WHY DOCKER?Docker and application container technologies like it are the next step on the journey from physical, single-tenanted computing resources to more efficient, virtual, multi-tenanted infra-structure that can run in traditional IT environments and in the cloud. Among its other benefits, Docker is also ideally suited to so-called CI/CD or Continuous Integration/Continuous Deliv-ery environments, which seek to accelerate development practices and streamline the path between development and production environments.

  • 4

    Docker allows software publishers to realize substantial efficiencies over traditional IT and even other virtualization technologies. A typical server can run a thousand or more Docker con-tainers at native speeds. Application processes within Docker environments run directly on the host, but are kept isolated from other processes.

    CPU and memory, network, and disk I/O performance within a Docker container are virtually identical to what a developer would see running the application in a native environment.

    DOCKER DEPLOYMENTS: SOME THINGS TO CONSIDER For all their obvious benefits, containers do add complexity. They represent a new layer in the application stack that can serve as a source of exploitable vulnerabilities and risk for the ap-plication owner and hosting firm alike. The ease and speed with which Docker containers can be configured and launched can amplify mistakes, making it difficult to track and manage de-ployed applications within a dynamic, IT environment.

    To leverage the benefits that Docker and other application container technologies offer your organization must understand the possible risks that come with containers. Specifically: your Docker or application container deployment cannot proceed at the cost of security and visibility.Here are some things to consider:

    Container Certification and Provenance The provenance and integrity of Docker containers is a major concern for organizations that are migrating to the platform. Sixty percent of IT pros surveyed by Red Hat said that a lack of cer-tification of containers was a challenge to adoption of the Docker platform. In essence, Docker relies on a circle of trust between publishers and container hosts, with trust determined at the point where an image is transferred from a registry server, like DockerHub or Red Hats OpenShift, to a container host.

    Without supporting systems in place vetting the contents of container images, compromised or malicious container images that are offered via a repository like Docker Hub might be distrib-uted to unsuspecting organizations. Registry servers like Docker Hub may offer administrators features that help to mitigate the risk of dodgy containers. For example, administrators may be able to leverage features within the registry to limit the types of container images they will allow into their network.In recent months, Docker has taken steps to provide additional layers of accountability. Docker Content Trust uses public key cryptography to allow publishers to sign Docker containers and vouch for the integrity of the code they contain. Aligned projects like Notary and The Update Framework (TUF) promise the same capabilities for non-trusted actors who wish to publish Docker images.

  • 5

    Vulnerabilities within Container Images Vouching for the provenance of containers is necessary but not sufficient to secure Docker de-ployments. Verifying the publisher of a container doesnt guarantee that the software applica-tion or supporting files within the downloaded container doesnt have flaws or exploitable vul-nerabilities. Containers may well bundle outdated and insecure components, especially when the underlying operating system is not the most current version.

    Privately funded research suggests that security flaws in Docker images are not uncommon. A survey of images hosted on Docker Hub, a central repository for Docker developers to pull and push container images, found that more than 30 percent of official repositories contained imag-es that were highly susceptible to attacks targeting known vulnerabilities such as Shellshock, HeartBleed, and Poodle. Forty percent of general images on Docker (images not explicitly verified by any authority) were found to contain known and exploitable security flaws.

    In other words: organizations that wish to leverage Docker must be able to both trust and verify. That is, they need to establish the bona fides of the publisher of the container they wish to use, and verify that the contents of that container wont introduce serious and exploitable security vulnerabilities into their environment that could put the enterprise at risk.

    Container Management Even when adequate precautions are put into verifying the provenance and security of con-tainers at the time they are deployed, organizations must maintain vigilance of their deployed, containerized applications.

    Like any other applications, applications deployed within containers age. In the process, they may become vulnerable to newly discovered security vulnerabilities or other risks.

    Applications deployed within containers may contain data or configuration settings that are insecure or out of sync with your current applications or network environment. In one case, a prominent crowd-funding site pushed a Docker container for its web-based funding platform into production with a development debugger enabled. That gave attackers a ready avenue to run malicious code on the vulnerable system.

    The ease with which Docker application containers can be assembled from differe