Container Security – Securing Docker Images
Digital transformation of enterprises has received a major boost from the growing adoption of containers. Containers are now used in mission-critical applications, which indicates how mature their adoption has become. According to an IDC survey conducted in January 2018, 85% of container adopters use containers for production apps, and 76% use them for mission-critical applications.
Container technology is not new, but its popularity received a huge boost with the introduction of Docker, an open-source container platform that made container deployment immensely easy by allowing developers to assemble and manage an application and all its dependencies as a single package.
Docker-based containers helped teams build applications quickly using a microservices architecture, making those applications portable across environments. Being lightweight, efficient and highly scalable, Docker-based container applications are fast becoming the underlying technology for developing cloud-native applications.
Managing container security is a challenge because static security policies and checklists do not scale to containers in an enterprise. Container security must therefore be integrated and continuous, and must balance networking and governance requirements while decoupling build-time and runtime tools and services. To be comprehensive, it must include measures that:
- Secure the container pipeline and application
- Monitor & secure deployment environment and infrastructure
- Integrate with enterprise security tools
In this write-up we focus on securing the container pipeline by discussing how to manage vulnerabilities in container images, specifically Docker images within the AWS environment.
Securing Docker Images
A Docker container is launched from an image, which comprises everything required to run the application: code, files, runtime libraries and environment variables. A Docker deployment has many moving parts, including a container image for each microservice, and often multiple instances of each image run simultaneously. A Docker image is built in layers, with each layer representing an instruction such as FROM, COPY or RUN. Most Docker images are built on a parent image pulled from a public registry, which is risky because such images frequently carry known vulnerabilities.
According to the Snyk State of Open Source Security report 2019, the top 10 most popular Docker images each contain more than 30 vulnerabilities. Tracking the libraries, files and packages across containers is challenging, but a scanning tool can inventory them and compare them against the list of Common Vulnerabilities and Exposures (CVE). Once a vulnerability is detected, it can be fixed.
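Because the parent image is where most inherited vulnerabilities come from, a useful first check in the pipeline is to inspect every FROM line of a Dockerfile and flag base images that are not pinned to a content digest, since an unpinned tag can resolve to a different (and unscanned) image tomorrow. The following is an added example, not code from the original article or from Docker; the sample Dockerfile and the digest in it are constructed for illustration, and the function names are the author's own.

```python
import re
from typing import Dict, List

# Constructed sample Dockerfile (not from the article): a multi-stage build
# where the first base image floats on a tag and the second is pinned by digest.
SAMPLE_DOCKERFILE = """\
ARG NODE_VERSION=18
FROM node:${NODE_VERSION} AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

# Digest below is a placeholder, not a real image digest.
FROM nginx@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /app/dist /usr/share/nginx/html
"""

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
ARG_RE = re.compile(r"^ARG\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_base_images(dockerfile: str) -> List[Dict[str, object]]:
    """Return one record per FROM line that actually pulls an external image.

    Stage aliases (FROM <alias>) and FROM scratch are skipped because nothing is
    pulled for them. ARG values declared in the file are expanded so that
    'FROM node:${NODE_VERSION}' is checked as 'node:18'.
    """
    args: Dict[str, str] = {}
    stages = set()
    results: List[Dict[str, object]] = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ARG_RE.match(line)
        if m:
            args[m.group(1)] = m.group(2) or ""
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        ref = VAR_RE.sub(lambda v: args.get(v.group(1), ""), ref)
        if alias:
            stages.add(alias)
        if ref == "scratch" or ref in stages:
            continue
        # Tag is the part after the last ':' in the final path component, so a
        # registry port such as registry:5000/app is not mistaken for a tag.
        name_part = ref.split("@", 1)[0]
        last = name_part.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else None
        results.append({
            "image": ref,
            "tag": tag,
            "pinned": bool(DIGEST_RE.search(ref)),
        })
    return results


def unpinned_base_images(dockerfile: str) -> List[str]:
    """Image references that are not pinned by digest and so may drift."""
    return [str(r["image"]) for r in parse_base_images(dockerfile) if not r["pinned"]]


if __name__ == "__main__":
    for ref in unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"WARNING: base image {ref} is not pinned by digest")
```

Run in CI against each Dockerfile before the build step; a non-empty result means the image that was scanned and approved is not guaranteed to be the one the next build pulls.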
Image Scanning on Amazon ECR
AWS recently launched the capability to scan images in Amazon Elastic Container Registry (ECR), which automates vulnerability assessment for a broad range of operating system vulnerabilities and helps improve the security of an application's container images. Best practice is to scan container images in ECR before deploying to UAT and production environments, so configure ECR repositories to scan images automatically on push. Sometimes a vulnerability is discovered only after deployment, in which case the next steps depend on the following considerations. If there is a security flaw, resolve it regardless of its severity category. If there is a vulnerability in the image or the application, the following scenarios are possible:
- If the vulnerabilities are in the base image, the best practice is to switch to another OS base image and scan it before use.
- If the vulnerabilities are in custom-installed software or at the application code level, use updated versions of that software on the base image and resolve the vulnerabilities in the application code.
- Once all vulnerabilities are resolved, build a fresh Docker image and scan it again before using the image in the production environment.
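The decision rule described above, namely that any finding blocks promotion and that findings are then triaged by where they live, can be applied mechanically to the scan result ECR returns. The following is an added example, not code from the original article or from AWS. It assumes the JSON layout produced by `aws ecr describe-image-scan-findings` (findings with `name`, `severity` and `attributes` under `imageScanFindings`, plus an `imageScanStatus`); the sample report below is constructed, and its CVE identifiers and digest are placeholders, not real vulnerabilities.

```python
import json
import sys
from collections import Counter
from typing import Any, Dict, Sequence

ALL_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")

# Constructed sample report in the shape of `aws ecr describe-image-scan-findings`.
# CVE ids, package versions and the digest are placeholders, not real findings.
SAMPLE_REPORT: Dict[str, Any] = {
    "repositoryName": "example-app",
    "imageId": {"imageDigest": "sha256:<placeholder-digest>", "imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "uri": "https://example.invalid/CVE-0000-0001",
             "attributes": [{"key": "package_name", "value": "openssl"},
                            {"key": "package_version", "value": "1.1.1-placeholder"}]},
            {"name": "CVE-0000-0002", "severity": "MEDIUM", "uri": "https://example.invalid/CVE-0000-0002",
             "attributes": [{"key": "package_name", "value": "curl"},
                            {"key": "package_version", "value": "7.0-placeholder"}]},
            {"name": "CVE-0000-0003", "severity": "LOW", "uri": "https://example.invalid/CVE-0000-0003",
             "attributes": [{"key": "package_name", "value": "curl"},
                            {"key": "package_version", "value": "7.0-placeholder"}]},
        ],
    },
}


def _attr(finding: Dict[str, Any], key: str) -> str:
    """Read one key from the finding's key/value attribute list."""
    for item in finding.get("attributes", []):
        if item.get("key") == key:
            return str(item.get("value", ""))
    return ""


def evaluate_scan(report: Dict[str, Any], block_on: Sequence[str] = ALL_SEVERITIES) -> Dict[str, Any]:
    """Decide whether an image may be promoted and summarise why.

    The default policy follows the article: any finding, whatever its severity,
    blocks deployment. `block_on` narrows that if a team chooses to. A scan that
    is not COMPLETE is treated as blocking (fail closed), never as clean.
    """
    status = report.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return {"deploy": False, "reason": f"scan status is {status!r}, failing closed",
                "by_severity": {}, "by_package": {}}

    findings = report.get("imageScanFindings", {}).get("findings", [])
    by_severity = Counter(f.get("severity", "UNDEFINED") for f in findings)
    # Grouping by package shows whether the problem is an OS package inherited
    # from the base image or something installed on top of it.
    by_package: Dict[str, list] = {}
    for f in findings:
        pkg = _attr(f, "package_name") or "unknown"
        by_package.setdefault(pkg, []).append(f["name"])

    blocking = sum(n for sev, n in by_severity.items() if sev in block_on)
    reason = "no blocking findings" if blocking == 0 else f"{blocking} finding(s) at blocking severity"
    return {"deploy": blocking == 0, "reason": reason,
            "by_severity": dict(by_severity), "by_package": by_package}


if __name__ == "__main__":
    # Usage: python evaluate_scan.py [findings.json]; exit status 1 blocks the pipeline.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    result = evaluate_scan(report)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["deploy"] else 1)
```

Feed it the output of `aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=<tag>` after `aws ecr wait image-scan-complete` for the same image; with scan-on-push enabled on the repository, this turns the push step itself into the gate the article recommends.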
Going forward, security will no doubt remain a top concern among enterprises, but container platforms are gaining popularity because they enable a coordinated approach to security. IDC's Container Infrastructure Software Survey shows that security is a top benefit of and driver for adopting containers, as they allow customers to patch faster and respond more quickly to new threats.