Docker Security Scanning Protects Container Software Stack

7 Ways Cloud Computing Propels IT Security

Docker is implementing security scanning on the software supply chain that produces the components going into a Docker container, the company announced May 10.

In effect, Docker Security Scanning is the other shoe to drop after Docker made a set of security announcements last February concerning the 1.10 release of the Docker Engine. The Feb. 8 announcements secured the Docker Engine, which formats the software being loaded into a container.

Among other things, the 1.10 changes took the giant step of separating a user's container from possessing root privilege on the container host, a previous vulnerability.

Tuesday's announcements address the other sector. They secure the contents going into the container, which are frequently drawn from different sources, especially open source downloads, around the Web, said Nathan McCauley, Docker's director of security.

Docker Security Scanning "enables us to solve the problem of vulnerabilities in the software stack," McCauley said in an interview with InformationWeek.

Docker Security Scanning was formerly known as Nautilus in the Docker open source project. It's been renamed now that it's generally available to Docker users.

Nautilus detects and builds a profile of the contents going into a container. It compares the contents to various vulnerability databases to see if any components have exposures. If they do, it alerts the container owner and operations managers that a potentially unsafe container is about to go into production, along with a recommendation for how the issue can be rectified.

McCauley noted that the Docker Scanning Service is available on a free trial basis to not only open source users but also to for-pay, Docker Private Cloud, users as well.

Docker announced it was acquiring Tutum last October to give it a set of tools for moving an application out of the build process and into a container, ready for production. The Docker Private Cloud is the use of a private repository on the Docker hub in combination with Tutum's workflow tools, McCauley explained. In effect, the Private Cloud customers are first in line for trying out the scanning service with their private repositories. Docker will probably price it as part of a package later. The service will be added to the public hub users' operations at a later date.

[Want to learn of a predecessor service? Read about CoreOS' move last November. CoreOS Service Scans Containers For Vulnerabilities.]

Along with implementation of the scanning service, Docker has upgraded Docker Bench for Security -- a container deployment tool that checks containers for best practices before they're released into production. Bench uses scripts to check dozens of common practices in assembling and handling a container. It ensures that a container is aligned with the recommendations of the Center for Internet Security's Benchmark for Docker Engine 1.11, the latest standard for Docker from the center. Docker Bench also checks host configurations for best practices as well.

McCauley said the moves fill out what he dubbed the three pillars of Docker's approach to security, an area that has aroused concerns among container users in the past. As a somewhat new and untested approach to application isolation, containers have lacked the same assurances that virtual machines carry into production settings.

Docker has secured the platform that builds containers, McCauley said. It's provided the authentication and access controls to give access to containers, making use of Microsoft Active Directory or LDAP directories. And it has now secured the contents of containers.

The Docker scanner builds a bill of materials, cross references the bill of materials against vulnerability databases, and notifies the developer or operations manager if a problem exists. It doesn't initiate the correction. That would be too intrusive without the author's or operations manager's consent.

But once the developer or operations manager has taken the corrective action, "it's easy to update all containers that rely on that same base image," McCauley said. For scaling purposes, one application might be distributed in 12 containers on a cluster. If there's a problem in one, it will get corrected, and the correction will be quickly replicated to the other 11.

If effect, Docker is attempting to consolidate more container tools and more container security into the operation of the Docker Platform. In the future, what it calls Docker Data Center will also make use of the scanning service. Docker didn't start out showing as much concern for security as it does today, but then containers didn't start out working in production either.

Times have changed, and Docker is adjusting its platform.