CoreOS Service Scans Containers For Vulnerabilities

Cloud Vs. On-Premises: 6 Benefits Of Keeping Data Private

Containers may become a more secure way to deploy application software into the data center than their "uncontained" counterparts, if Docker and CoreOS have their way.

Docker has a major security announcement under wraps that it plans to reveal with the opening of DockerCon Europe in Barcelona on Monday, Nov. 16, a spokesman confirmed this week.

Perhaps in anticipation of the Docker announcement, CoreOS made its own security news at 10 a.m. PST today, Friday, November 13. (Hopefully the choice of dates won't prove to be bad luck.)

Quay, the CoreOS registry of container images -- container-formatted software able to be sent to a host -- now has a service that will scan images for vulnerabilities.

CoreOS CEO Alex Polvi said that there are millions of container images on the Quay hosting site put there by CoreOS customers. At least 80% contained some vulnerability that showed up in a layer-by-layer scan. "The number is pretty staggering," Polvi said in an interview.

Heartbleed appeared 18 months ago. "We discovered it is still a threat to 80% of the Docker images stored on Quay," wrote Quentin Machu, a CoreOS security specialist in a Nov. 13 blog post.

Quay Security Scanning is being launched today as a free beta service for users of Quay on the CoreOS site.

In effect, the service examines the software layers in a container and goes out to reference sites provided by Red Hat, Ubuntu, and Debian to check what it's just scanned against a listing of known vulnerabilities for certain software modules. If the module or layer scanned is considered secure, the scan discovers that and moves on to the next layer. If a layer possesses a known vulnerability, the reference sites note that as well and Quay Security Scanning reports the vulnerability to the software owner.

Quay Security Scanning isn't doing a static analysis of the code, that is, inspecting code on its own for vulnerabilities. It's simply identifying code modules in a container against what's known about that release on the reference sites, Polvi explained.

At the same time, CoreOS is launching an open source project, Clair, under an Apache 2 license. That will make the scanning engine available to anyone. "We are giving away the critical pieces of the scanning engine so other tools and other vendors can use it," Polvi said.

Machu also added additional explanation on the Heartbleed detection: "Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn't suited for that level of analysis and teams should still undergo deeper analysis as required," to determine the proper response.

[Want to learn more about what else CoreOS has done in security? See CoreOS Adds Intel Security to Rocket.]

Doing so will make use of containers a more secure method of operation. Clair is not based on other open source tools. It's code that was constructed internally, he added. Outside developers may access the code through GitHub, contribute to the project, and suggest areas where it can be improved or expanded upon, Polvi said.

In the long run, containers have a shot at becoming a way of packaging code and moving it around that is more secure than predecessor methods. Because so much is already known about the code from its security scan and container formatting, it can be run with greater assurance in the data center than code that's been recently downloaded or otherwise brought in from the outside.

"You have an artifact that you can handle out of band [outside of production operations]. Security is not just the isolation of a running system. It's about moving and managing the code -- all big security aspects -- which containers greatly improve," Polvi said.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.