SECURING DOCKER: What You Need to Know

Page 1: SECURING DOCKER - blackducksoftware.com · 3 Containers Docker containers comprise a file system, network stack and process space, and anything else needed to run an application,


EXECUTIVE SUMMARY

This document provides an overview of the Docker technology and discusses some of the security risks attendant with Docker deployments. It provides steps for securing Docker deployments and looks at how Black Duck Hub can be deployed to help secure Docker applications in production settings.

INTRODUCTION

Industry’s embrace of Docker, the virtual application container platform, is nothing short of astonishing. As recently as 2014, Docker containers were a novelty and almost unnoticed against mainstays like host, server and desktop virtualization. But by the middle of 2015, a rapid shift from those legacy virtualization tools to Docker and other virtual containers was under way.

As evidence: an August 2015 survey by the SaaS monitoring platform Datadog of 7,000 application hosting customers found a five-fold increase in the use of Docker in the preceding 12 months. Just as interesting: larger companies were the most likely to have tried and adopted Docker.

The Datadog survey found Docker is being used to host a wide range of applications, including MongoDB, Elasticsearch and open source relational databases like MySQL and Postgres. A 2015 survey of 383 IT professionals by the open source software giant Red Hat found that 67 percent of respondents planned production roll-outs of Docker over the next two years targeted at cloud roles (50 percent) and for web and e-commerce software (56 percent).

SECURING DOCKER DEPLOYMENTS WITH BLACK DUCK HUB

But using Docker and other application containers does come with risks. Chief among those are exploitable software vulnerabilities in applications and application components deployed inside Docker containers. Without new tools to manage the security of Docker application contents and deployments, organizations risk exposing sensitive applications and data to attack.

Black Duck Hub, Black Duck Software’s vulnerability scanning and mapping platform, is now capable of tracking and analyzing application source code within Docker containers, simplifying security and risk assessments in dynamic IT environments.

AN OVERVIEW OF DOCKER

What is Docker? Simply put: it is an open platform upon which application developers and system administrators can build, ship, and run distributed applications. Docker enables applications to be quickly assembled and deployed reliably.

Containers

Docker containers comprise a file system, network stack and process space, and anything else needed to run an application, such as system tools and system libraries. Each Docker container includes the designated application and its dependencies, which will vary from application to application, but are identical across different copies of the same container.

Docker Engine

Beneath the application is the Docker Engine, a software layer that runs on top of the host operating system within every container. It is the component that ensures that applications will run in a stable operating environment regardless of the environment they are deployed within.

Operating System

Docker containers typically leverage some version of common operating systems including Linux distributions like Red Hat Enterprise Linux or Ubuntu, as well as later versions of Microsoft’s Windows OS. Containers run as isolated processes in user space on the host operating system, sharing kernel resources with other containers.

Host Environment

Beneath the operating system is the host infrastructure. This may be the local environment of a developer laptop or desktop, or virtual machines or bare-metal hypervisors running in production hosted environments like AWS and OpenStack.

Docker Hub

Finally, there is Docker Hub, a cloud-based registry service for sharing applications and automating Docker workflows. Docker Hub hosts public Docker images and provides services to help developers build and manage Docker environments. This software as a service (SaaS) application provides a range of features needed to find and manage images from both public and private Docker libraries, to automate builds of new Docker images via integrations with GitHub or Bitbucket, and to manage user access to image repositories.

WHY DOCKER?

Docker and application container technologies like it are the next step on the journey from physical, single-tenanted computing resources to more efficient, virtual, multi-tenanted infrastructure that can run in traditional IT environments and in the cloud. Among its other benefits, Docker is also ideally suited to so-called CI/CD – or Continuous Integration/Continuous Delivery – environments, which seek to accelerate development practices and streamline the path between development and production environments.

Docker allows software publishers to realize substantial efficiencies over traditional IT and even other virtualization technologies. A typical server can run a thousand or more Docker containers at native speeds. Application processes within Docker environments run directly on the host, but are kept isolated from other processes.

CPU and memory, network, and disk I/O performance within a Docker container are virtually identical to what a developer would see running the application in a native environment.

DOCKER DEPLOYMENTS: SOME THINGS TO CONSIDER

For all their obvious benefits, containers do add complexity. They represent a new layer in the application stack that can serve as a source of exploitable vulnerabilities and risk for the application owner and hosting firm alike. The ease and speed with which Docker containers can be configured and launched can amplify mistakes, making it difficult to track and manage deployed applications within a dynamic IT environment.

To leverage the benefits that Docker and other application container technologies offer, your organization must understand the possible risks that come with containers. Specifically: your Docker or application container deployment cannot proceed at the cost of security and visibility. Here are some things to consider:

Container Certification and Provenance

The provenance and integrity of Docker containers is a major concern for organizations that are migrating to the platform. Sixty percent of IT pros surveyed by Red Hat said that a lack of certification of containers was a challenge to adoption of the Docker platform. In essence, Docker relies on a “circle of trust” between publishers and container hosts, with trust determined at the point where an image is transferred from a registry server, like Docker Hub or Red Hat’s OpenShift, to a container host.

Without supporting systems in place vetting the contents of container images, compromised or malicious container images that are offered via a repository like Docker Hub might be distributed to unsuspecting organizations. Registry servers like Docker Hub may offer administrators features that help to mitigate the risk of dodgy containers. For example, administrators may be able to leverage features within the registry to limit the types of container images they will allow into their network.

In recent months, Docker has taken steps to provide additional layers of accountability. Docker Content Trust uses public key cryptography to allow publishers to “sign” Docker containers and vouch for the integrity of the code they contain. Aligned projects like Notary and The Update Framework (TUF) promise the same capabilities for non-trusted actors who wish to publish Docker images.

Vulnerabilities within Container Images

Vouching for the provenance of containers is necessary but not sufficient to secure Docker deployments. Verifying the publisher of a container doesn’t guarantee that the software application or supporting files within the downloaded container doesn’t have flaws or exploitable vulnerabilities. Containers may well bundle outdated and insecure components, especially when the underlying operating system is not the most current version.

Privately funded research suggests that security flaws in Docker images are not uncommon. A survey of images hosted on Docker Hub, a central repository for Docker developers to pull and push container images, found that more than 30 percent of official repositories contained images that were “highly susceptible” to attacks targeting known vulnerabilities such as Shellshock, HeartBleed, and Poodle. Forty percent of “general” images on Docker (images not explicitly verified by any authority) were found to contain known and exploitable security flaws.

In other words: organizations that wish to leverage Docker must be able to both “trust” and “verify”. That is, they need to establish the bona fides of the publisher of the container they wish to use, and verify that the contents of that container won’t introduce serious and exploitable security vulnerabilities into their environment that could put the enterprise at risk.

Container Management

Even when adequate precautions are taken to verify the provenance and security of containers at the time they are deployed, organizations must maintain vigilance over their deployed, containerized applications.

Like any other applications, applications deployed within containers age. In the process, they may become vulnerable to newly discovered security vulnerabilities or other risks.

Applications deployed within containers may contain data or configuration settings that are insecure or out of sync with your current applications or network environment. In one case, a prominent crowd-funding site pushed a Docker container for its web-based funding platform into production with a development debugger enabled. That gave attackers a ready avenue to run malicious code on the vulnerable system.

The ease with which Docker application containers can be assembled from different technology layers and deployed means that vulnerabilities, misconfigurations or flaws in any one layer can easily be reproduced across multiple applications.

USING CONTAINER SCANNING TO SECURE DOCKER DEPLOYMENTS

With Docker being adopted by more organizations and reliance on the platform growing, more and better tools for securing container deployments have begun to emerge.

At one end of the chain of trust, initiatives like Docker Content Trust give publishers an easy way to vouch for the authenticity of containers they publish to web-based repositories like Docker Hub. But organizations need to be able to assess the security of their containerized applications throughout their full lifecycle.

Managing Container Security with Black Duck Hub

Black Duck Hub is a vital tool for managing the security of application containers throughout the full application lifecycle.

Black Duck Hub allows organizations to identify and track vulnerable open source applications and components within their environment. Assessments draw on Black Duck’s KnowledgeBase, which contains information on 1.1 million open source projects and detailed data on more than 100,000 known open source vulnerabilities across more than 350 billion lines of code.
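What an image-content scan does mechanically, as an added example that is neither Black Duck Hub’s nor Red Hat’s code and serves both the Docker Hub survey findings above and this section: an image’s installed-package inventory is matched against a vulnerability feed, and a component is flagged when its installed version predates the fix. The inventory, the feed and the VULN-CONSTRUCTED-* advisory ids are constructed sample data, and the version comparison is a simplification of dpkg’s.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
# run against an image's filesystem. Versions are illustrative, not a real image.
INVENTORY = """\
bash 4.3-7ubuntu1.5
openssl 1.0.1f-1ubuntu2.16
libssl1.0.0 1.0.1f-1ubuntu2.16
curl 7.35.0-1ubuntu2.20
"""

# Constructed feed: package -> [(placeholder advisory id, first fixed version)].
# The ids are placeholders, not real CVE numbers.
FEED: Dict[str, List[Tuple[str, str]]] = {
    "bash": [("VULN-CONSTRUCTED-1", "4.3-7ubuntu1.7")],
    "openssl": [("VULN-CONSTRUCTED-2", "1.0.1f-1ubuntu2.20")],
    "libssl1.0.0": [("VULN-CONSTRUCTED-2", "1.0.1f-1ubuntu2.20")],
    "curl": [("VULN-CONSTRUCTED-3", "7.35.0-1ubuntu2.10")],
}


def version_key(version: str) -> List[Tuple[int, str]]:
    """Comparable key: digit runs compare as integers (so 1.10 > 1.9), other
    runs compare as text. A simplification of dpkg's epoch/tilde rules."""
    return [(int(p), "") if p.isdigit() else (-1, p)
            for p in re.findall(r"\d+|\D+", version)]


def parse_inventory(text: str) -> Dict[str, str]:
    """Map package name -> installed version from 'name version' lines."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            pkgs[name] = version.strip()
    return pkgs


def scan(inventory: str, feed: Dict[str, List[Tuple[str, str]]] = FEED
         ) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, advisory, fixed_in) for every component
    whose installed version predates the fix. Re-running an unchanged
    inventory against a newer feed is how aging images surface new findings."""
    findings = []
    for pkg, installed in parse_inventory(inventory).items():
        for advisory, fixed in feed.get(pkg, []):
            if version_key(installed) < version_key(fixed):
                findings.append((pkg, installed, advisory, fixed))
    return findings
```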

Through a partnership with Red Hat, Black Duck’s ability to identify and inventory open source and proprietary code in production environments is now being applied to containerized environments.

Red Hat has launched Deep Container Inspection (DCI), an enterprise-focused offering that wraps container certification, policy and trust into an overall architecture for deploying and managing application containers. As part of DCI, Red Hat is partnering with Black Duck to give organizations a means of validating the contents of a container before, during, and after deployment.

Integration of Black Duck Hub’s vulnerability scanning and mapping capabilities enables OpenShift customers to consume, develop, and run containerized applications with increased confidence and security, knowing that these applications contain code that has been independently validated and certified.

The integration also provides a means to track the impact of newly disclosed vulnerabilities or changes related to container ageing that may bear on security and risk.

WITH CONTAINERS: TRUST, VERIFY AND EMBRACE

Container technologies like Docker promise to transform the way enterprises develop, deploy, and manage critical applications. But containers are no panacea. The same challenges around deploying and managing applications in native environments and virtual machines also impact container deployments. Yet the ease of use and flexibility of container platforms like Docker make it easier for administrators and IT pros to overlook long-standing practices that ensure the security of deployed applications.

Surveys of information technology professionals suggest that enterprises and organizations of all sizes are embracing container platforms like Docker. But tools to ensure the security and integrity of those deployments are also needed. Applications deployed via container platforms like Docker must be certified prior to deployment to ensure that the code they contain originated with a known and trusted publisher.

But merely verifying the provenance of containerized application code is not enough. Security issues such as known and exploitable vulnerabilities in proprietary and open source application components pose a serious risk to enterprise data and IT assets. That’s why organizations also need to assess the security of applications deployed in containers on an ongoing basis.

Black Duck Hub’s application vulnerability scanning and mapping capability gives Docker customers the ability to identify vulnerabilities both before and after deployment and spot issues that arise as containerized applications age or become exposed to new security vulnerabilities and attacks.

LEARN MORE: GET A FREE DEMO OF THE BLACK DUCK HUB

With the Black Duck Hub, you can scan your applications and containers to identify the open source projects and versions they are using, even if your team has modified them. Leveraging the Black Duck KnowledgeBase™, the industry’s most comprehensive registry of open source projects, the Hub gives you deep insights into open source projects including known vulnerabilities, license requirements, and project/community activity. Plus, it alerts you when any new vulnerabilities are identified for those projects and gives you tools to track and manage remediation activities.

Find out what’s in your code. Contact us for a free demo of the Black Duck Hub today.

ABOUT BLACK DUCK SOFTWARE

Organizations worldwide use Black Duck Software’s industry-leading products to automate the processes of securing and managing open source software, eliminating the pain related to security vulnerabilities, license compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Belfast, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com.

CONTACT

To learn more, please contact: [email protected] or +1 781.891.5100. Additional information is available at: www.blackducksoftware.com