Container security is a topic most security practitioners still find confusing. It’s a new technology that’s spreading fast because of its numerous benefits, and its security implications and solutions are evolving just as fast.
That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about container security that I would like to share with you.
After introducing the audience to all of the security challenges and attack vectors for containers, she broke down a container security program into three sections:
Today, there’s no security vendor that helps with all three of these areas. Because Veracode focuses on application development security, we focus on securing container images, not the operational parts.
A Docker container image is a lightweight, standalone, executable package of software that includes everything you need to run an application: code, runtime, system tools, system libraries and settings. Docker’s run utility is the command that actually launches a container. Each container is an instance of an image, and multiple container instances of the same image can run simultaneously. Docker images are ephemeral: container deployments are in constant flux, and the average lifetime of a container is 30 minutes.
The Docker Hub registry is a repository for sharing container images from open source projects and from software vendors. Developers pull and build on these images, often introducing additional risk to the organization.
In her talk, Anna referenced a study of 3,802 official images on the Docker Hub that found a median of 127 vulnerabilities per image. Even more shocking: not a single image was free of vulnerabilities.
The talk closed with three recommendations:
Veracode can help you with the first recommendation: Veracode Software Composition Analysis scans container images for vulnerabilities as part of your CI/CD pipeline to help you find vulnerabilities in the production image. If you’re interested in more information, read our blog post How Veracode Scans Docker Containers for Open Source Vulnerabilities.