Container Security – Securing Docker Images

Kajal Hisaria | 27 Nov 2019 | Newsletter, Security

Digital transformation of enterprises has received a major boost from the increasing adoption of containers. Containers are now used in mission-critical applications, which indicates how mature that adoption has become. According to an IDC survey conducted in January 2018, 85% of container adopters use containers for production apps, and 76% use them for mission-critical applications.

Container technology is not new, but its popularity received a huge boost with the introduction of Docker, an open-source container platform that made container deployment much easier by letting developers assemble and manage an application and all its dependencies as a single package.

Docker-based containers helped teams build applications quickly using a microservices architecture, making these applications portable across environments. Because they are also lightweight, efficient and highly scalable, Docker-based containers are fast becoming the underlying technology for developing cloud-native applications.

Container Security

Managing container security is a challenge because static security policies and checklists do not scale for containers in enterprises. Container security must therefore be integrated and continuous, and must balance networking and governance requirements while decoupling build and runtime tools and services. To achieve comprehensive security it must comprise measures that:

In this write-up we focus on securing the container pipeline by discussing how to manage vulnerabilities in container images, specifically Docker images within the AWS environment.

Securing Docker Images

A Docker container is launched from an image, which comprises everything required to run the application: code, files, runtime libraries and environment variables. Docker deployments have more moving parts, including container images of individual microservices, where multiple instances of each image are sometimes running simultaneously.

A Docker image is built in layers, with each layer representing an instruction such as from, copy, run and make. Most Docker images are built on a parent image downloaded from a public registry, which is fraught with danger because such an image is often full of vulnerabilities.

According to the Snyk State of Open Source Security report 2019, each of the top 10 most popular Docker images contains more than 30 vulnerabilities.

Tracking libraries, files and packages across containers is challenging, but a scanning tool can inspect them and compare them against the Common Vulnerabilities and Exposures (CVE) list. Once a vulnerability is detected, it can be fixed.

Image Scanning on Amazon ECR

AWS recently launched image scanning for Amazon Elastic Container Registry (ECR), which automates vulnerability assessment for a broad range of operating system vulnerabilities and helps improve the security of an application's container images.

Best practice is to scan container images in AWS ECR before deploying to UAT and production environments, so configure ECR repositories to scan images automatically when they are pushed to the repository. Sometimes a vulnerability is discovered after deployment, in which case the next steps must be based on the following considerations:

If there is a security flaw, resolve it no matter the category of severity.

If there is a vulnerability in the image or the application, then the following scenarios are possible:
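As an added example (not part of the original article), the following Python sketch shows one way to enforce the scan-before-deploy practice described above: a gate that reads an ECR scan result and blocks the deployment on any finding, whatever its severity. The function name `evaluate_scan`, the repository name and the placeholder CVE identifiers are assumptions made for illustration; the sample response is constructed and follows the shape of the ECR DescribeImageScanFindings API response.

```python
# Added example: deployment gate over an ECR image scan result.
# SAMPLE_RESPONSE is constructed; it follows the shape returned by the ECR
# DescribeImageScanFindings API (boto3: ecr.describe_image_scan_findings).
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

SAMPLE_RESPONSE = {  # constructed data with placeholder CVE identifiers
    "repositoryName": "example/web-app",
    "imageId": {"imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-EXAMPLE-0002", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0.2"}]},
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "openexample"},
                            {"key": "package_version", "value": "2.3.1"}]},
        ],
    },
}


def evaluate_scan(response):
    """Return (allowed, report). Any finding blocks the deploy, whatever its severity."""
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # No completed scan means nothing is known about the image: fail closed.
        return False, [f"scan status is {status!r}, not COMPLETE"]
    scan = response.get("imageScanFindings", {})
    findings = scan.get("findings", [])
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    report = []
    for f in sorted(findings, key=lambda f: rank.get(f.get("severity"), len(rank))):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        report.append("{} {} in {} {}".format(
            f.get("severity", "UNDEFINED"), f.get("name", "unnamed"),
            attrs.get("package_name", "?"), attrs.get("package_version", "?")))
    missing = sum(scan.get("findingSeverityCounts", {}).values()) - len(findings)
    if missing > 0:
        # The counts cover the whole scan; a shorter list means a paginated response.
        report.append(f"{missing} finding(s) not present in this page of results")
    return (not report), report


if __name__ == "__main__":
    allowed, report = evaluate_scan(SAMPLE_RESPONSE)
    print("deploy allowed" if allowed else "deploy blocked", *report, sep="\n  ")
```

In a pipeline, the dictionary passed to `evaluate_scan` would come from the scan result of the image just pushed, and a `False` result would stop the promotion to UAT or production.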

Going forward, security will no doubt remain a top concern among enterprises, but container platforms are becoming popular because they enable a coordinated approach to tackling security. IDC's Container Infrastructure Software Survey shows that security is a top benefit and driver for adopting containers, as it allows customers to patch faster and improve response time to new threats.
