Docker Security Scanning Protects Container Software Stack - InformationWeek



Docker Security Scanning Protects Container Software Stack

Docker addresses vulnerabilities that can creep into the container's software stack with its just released Security Scanning offering.


Docker is implementing security scanning on the software supply chain that produces the components going into a Docker container, the company announced May 10.

In effect, Docker Security Scanning is the other shoe to drop after Docker made a set of security announcements last February concerning the 1.10 release of the Docker Engine. The Feb. 8 announcements secured the Docker Engine, which formats the software being loaded into a container.

Among other things, the 1.10 changes took the giant step of ensuring that a user's container no longer holds root privilege on the container host, closing a previous vulnerability.

Tuesday's announcements address the other sector. They secure the contents going into the container, which are frequently drawn from different sources, especially open source downloads, around the Web, said Nathan McCauley, Docker's director of security.

Docker Security Scanning "enables us to solve the problem of vulnerabilities in the software stack," McCauley said in an interview with InformationWeek.

(Image: Leif Norman/iStockphoto)

Docker Security Scanning was formerly known as Nautilus in the Docker open source project. It's been renamed now that it's generally available to Docker users.

Nautilus detects and builds a profile of the contents going into a container. It compares the contents to various vulnerability databases to see if any components have exposures. If they do, it alerts the container owner and operations managers that a potentially unsafe container is about to go into production, along with a recommendation for how the issue can be rectified.

McCauley noted that the Docker Scanning Service is available on a free trial basis not only to open source users but also to paying Docker Private Cloud users.

Docker announced it was acquiring Tutum last October to give it a set of tools for moving an application out of the build process and into a container, ready for production. The Docker Private Cloud is the use of a private repository on the Docker hub in combination with Tutum's workflow tools, McCauley explained. In effect, the Private Cloud customers are first in line for trying out the scanning service with their private repositories. Docker will probably price it as part of a package later. The service will be added to the public hub users' operations at a later date.

[Want to learn of a predecessor service? Read about CoreOS' move last November. CoreOS Service Scans Containers For Vulnerabilities.]

Along with implementation of the scanning service, Docker has upgraded Docker Bench for Security -- a container deployment tool that checks containers for best practices before they're released into production. Bench uses scripts to check dozens of common practices in assembling and handling a container. It ensures that a container is aligned with the recommendations of the Center for Internet Security's Benchmark for Docker Engine 1.11, the latest standard for Docker from the center. Docker Bench also checks host configurations for best practices.
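To make concrete what a script-driven best-practice check looks like, here is an added illustration that is not Docker Bench for Security itself (the real tool runs shell scripts against a live host and daemon). The container records, the rule list and the pass/fail wording below are constructed for this example; the rules are modelled on the kind of hardening guidance benchmarks such as CIS publish (run as non-root, avoid privileged mode, set a memory limit, do not mount the Docker socket), but nothing here is quoted from the benchmark.

```python
"""Bench-style best-practice audit over docker-inspect-like records.

Added example, not Docker Bench for Security. The records and the four
rules are constructed; the record shape loosely follows `docker inspect`
output (an assumption, not a documented contract).
"""
from __future__ import annotations

from typing import Callable

Record = dict  # shape loosely follows `docker inspect` output (assumption)


def runs_as_non_root(rec: Record) -> bool:
    """Config.User must be set and must not resolve to root (name or uid 0)."""
    user = rec.get("Config", {}).get("User", "") or ""
    return user.split(":")[0] not in ("", "root", "0")


def not_privileged(rec: Record) -> bool:
    """HostConfig.Privileged hands the container most host capabilities."""
    return not rec.get("HostConfig", {}).get("Privileged", False)


def has_memory_limit(rec: Record) -> bool:
    """HostConfig.Memory of 0 means no limit; one runaway container can starve the host."""
    return rec.get("HostConfig", {}).get("Memory", 0) > 0


def no_docker_socket_mount(rec: Record) -> bool:
    """Mounting the daemon socket gives the container control of the host's Docker."""
    binds = rec.get("HostConfig", {}).get("Binds", []) or []
    return not any(b.split(":")[0] == "/var/run/docker.sock" for b in binds)


CHECKS: list[tuple[str, Callable[[Record], bool]]] = [
    ("container runs as a non-root user", runs_as_non_root),
    ("container is not privileged", not_privileged),
    ("memory limit is set", has_memory_limit),
    ("docker socket is not mounted", no_docker_socket_mount),
]


def audit(containers: dict[str, Record]) -> dict[str, list[str]]:
    """Return, per container name, the labels of the checks it failed (empty = clean)."""
    report: dict[str, list[str]] = {}
    for name, rec in containers.items():
        report[name] = [label for label, check in CHECKS if not check(rec)]
    return report


# Constructed sample records (not real `docker inspect` output).
SAMPLE_CONTAINERS: dict[str, Record] = {
    "api": {
        "Config": {"User": "app"},
        "HostConfig": {"Privileged": False, "Memory": 268435456, "Binds": []},
    },
    "worker": {
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "Memory": 0, "Binds": ["/data:/data"]},
    },
    "legacy": {
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "Memory": 0,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
}


if __name__ == "__main__":
    for name, failures in audit(SAMPLE_CONTAINERS).items():
        status = "PASS" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{name:8s} {status}")
```

Each rule is a small predicate over the record, so adding a check is a one-line change to `CHECKS`; the audit runs before release and reports every failed rule rather than stopping at the first, which is what an operator needs to fix a container in one pass.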

McCauley said the moves fill out what he dubbed the three pillars of Docker's approach to security, an area that has aroused concerns among container users in the past. As a somewhat new and untested approach to application isolation, containers have lacked the same assurances that virtual machines carry into production settings.

Docker has secured the platform that builds containers, McCauley said. It's provided the authentication and access controls to give access to containers, making use of Microsoft Active Directory or LDAP directories. And it has now secured the contents of containers.

The Docker scanner builds a bill of materials, cross-references it against vulnerability databases, and notifies the developer or operations manager if a problem exists. It doesn't initiate the correction; that would be too intrusive without the author's or operations manager's consent.

But once the developer or operations manager has taken the corrective action, "it's easy to update all containers that rely on that same base image," McCauley said. For scaling purposes, one application might be distributed in 12 containers on a cluster. If there's a problem in one, it will get corrected, and the correction will be quickly replicated to the other 11.
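The bill-of-materials flow described above (profile the contents, cross-reference them against a vulnerability database, recommend rather than apply a fix, then find every container sharing the corrected base image) is shown below as an added example. It is not Docker Security Scanning or Nautilus code: the image layers, the vulnerability records (placeholder ids, not real CVE numbers) and the container-to-image map are all constructed here, and version comparison is simplified to dotted integers, where a real scanner has to parse distribution versions with epochs, suffixes and release numbers.

```python
"""Bill-of-materials scan: profile an image's packages, cross-reference them
against a vulnerability database, report findings with a recommended fix,
and list the containers that share the affected base image.

Added example, not Docker Security Scanning (Nautilus) code. All data
below is constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    package: Package
    vuln_id: str
    severity: str
    fixed_in: str

    def recommendation(self) -> str:
        """The scanner recommends; it never applies the fix on its own."""
        return f"upgrade {self.package.name} {self.package.version} -> {self.fixed_in}"


def parse_version(v: str) -> tuple[int, ...]:
    """Simplified: dotted integers only (real distro versions need a proper parser)."""
    return tuple(int(part) for part in v.split("."))


# Constructed vulnerability database with placeholder ids (not real CVEs).
# Each record names the affected package and the first version carrying the fix.
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.0.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "bash", "fixed_in": "4.3.31", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "zlib", "fixed_in": "1.2.9", "severity": "medium"},
]


def build_bom(layers: list[dict[str, str]]) -> set[Package]:
    """Walk the image layers in order; a later layer's package version
    overrides an earlier one, just as a later filesystem layer does."""
    resolved: dict[str, str] = {}
    for layer in layers:
        resolved.update(layer)
    return {Package(n, v) for n, v in resolved.items()}


def scan_bom(bom: set[Package], vuln_db=VULN_DB) -> list[Finding]:
    """Cross-reference the BOM against the database; findings keep database order."""
    by_name = {p.name: p for p in bom}
    findings: list[Finding] = []
    for rec in vuln_db:
        pkg = by_name.get(rec["package"])
        if pkg is not None and parse_version(pkg.version) < parse_version(rec["fixed_in"]):
            findings.append(Finding(pkg, rec["id"], rec["severity"], rec["fixed_in"]))
    return findings


def containers_on_base(base_image: str, deployments: dict[str, str]) -> list[str]:
    """Once the base image is fixed, every container built from it needs a rebuild."""
    return sorted(c for c, img in deployments.items() if img == base_image)


# Constructed image: a base layer plus an application layer that upgrades zlib.
IMAGE_LAYERS = [
    {"openssl": "1.0.2", "bash": "4.3.30", "zlib": "1.2.8"},
    {"zlib": "1.2.11"},
]

# Constructed deployment map: container name -> base image it was built from.
DEPLOYMENTS = {"web-1": "base:1", "web-2": "base:1", "web-3": "base:1", "db-1": "postgres:9"}


if __name__ == "__main__":
    findings = scan_bom(build_bom(IMAGE_LAYERS))
    for f in findings:
        print(f"{f.vuln_id} [{f.severity}] {f.package.name} {f.package.version}: {f.recommendation()}")
    if findings:
        print("rebuild after fixing base:1:", ", ".join(containers_on_base("base:1", DEPLOYMENTS)))
```

Two points the code makes that the prose only implies: the BOM must be built from the final layered view (the application layer's zlib upgrade clears the zlib finding even though the base layer shipped a vulnerable version), and the scanner's output stops at a recommendation, with the rebuild of the sibling containers left as a separate, consented step.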

In effect, Docker is attempting to consolidate more container tools and more container security into the operation of the Docker Platform. In the future, what it calls Docker Data Center will also make use of the scanning service. Docker didn't start out showing as much concern for security as it does today, but then containers didn't start out working in production either.

Times have changed, and Docker is adjusting its platform.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments

Charlie Babcock, User Rank: Author, 5/11/2016 | 2:38:46 PM
Has Docker done it all?
Is this sufficient to make containers safe to use in production? Any areas that still need improvement in container operations?