Docker Security Scanning: Deep Visibility to Container-Based Vulnerabilities
Just last month we wrote about Docker upping the security ante with a number of new security controls built into Docker 1.10 and here we are yet again. Dockercon 16 is coming up fast – June 19-21, 2016 in Seattle – and we’re looking forward to sharing the Dockercon stage for second time with a customer – Fugro this time – to talk about how enterprises can use Docker and AWS to address common challenges. Check out the speaker list here.
To connect with us at the show, please contact us using this form.
Now, we’re sharing our take on a new Docker security solution: Docker Security Scanning. Specifically, on May 10th, Docker announced the general availability of this new tool that scans Docker containers for vulnerabilities.
As Docker Authorized Consulting Partners with a long history of experience with Docker in the enterprise, we get a number of questions about Docker security. This new solution addresses several of them by providing continuous scanning for vulnerabilities within Docker containers. This is significant because containers promise to enable two important attributes: an immutable substrate and speedy delivery of code. Both of these require that the container images used or built by an organization are secure. Yet, the biggest threat to security inside the container is the use of packages with known vulnerabilities.
Docker Security Scanning scans Docker containers for just such a vulnerability, thereby forwarding the principal of security with agility. Teams can continue to be agile and fast, while having greater assurance of security — secure in the knowledge that Docker’s automated scanning of the images they build is part and parcel of the process.
Why Should You Use Security Scanning?
While every organization running Docker should ideally be using such a tool as Security Scanning, it is most directly beneficial to businesses — from large enterprises down to startups — who are subject to PCI, HIPAA, and SOC2 requirements. Docker Security Scanning continuously monitors for new vulnerabilities, provides a detailed list of all the Docker container layers and components, and provides notifications when new vulnerabilities are found. It joins the secure platform features we discussed last month, features for access control, and Docker’s capabilities to secure content.
Security Scanning in Action
When we introduce an enterprise customer to Docker, a conversation with their InfoSec team about Docker container vulnerability scanning is inevitable. It is something we discuss and historically have offered more traditional solutions that involve integrating a third party component for such analysis. The release of Docker Security Scanning enables us to offer the solution under the Docker umbrella, which is terrific because it is a single solution that provides a detailed security profile of the client’s Docker images for proactive risk management and to streamline compliance efforts.
Let me give you an example: Last quarter when working on Dockerizing SAP Hybris for a customer, the client’s InfoSec and operations teams were forcing a constraint in the delivery process which we at Flux7 opposed. Specifically, the team wanted to add a manual Dockerfile review process in the delivery pipeline because they couldn’t ‘trust’ the development team to use the latest patched packages. Alternatively, they offered to own the Dockerfiles. Both solutions were not acceptable to the development team because they sacrificed agility. Flux7, given our roots and understanding of the business imperatives agility helps drive, sided with the Development team and proposed a solution that embraced the security tenet of ‘trust but verify’.
In the end, the solution to address these competing needs is an automatic scanner that verifies for the information security team that the containers being deployed are safe while maintaining the speed and agility development requires of its continuous delivery process. Docker Security Scanning is just the solution to this problem and is an ideal application for the use case at this Fortune 1000 retailer who is subject to PCI requirements.
A similar conversation occurred with a different Fortune 1000 company we worked with early last year. The information security team at this organization required the addition of multiple layers of security to feel comfortable. IS included biweekly continuous recycling of containers so that no Docker image had a lifespan of over 15 days and containers had to be rebuilt with caching disabled. Furthermore, they added an extra security layer from the edge in the form of AWS Elastic Load Balancer (ELB), simply to monitor and reduce the risk of common attacks exploiting known vulnerabilities in web frameworks. In this case, too, Docker’s Security Scanning solution would have provided a more elegant and safer solution.
As you can see from these two potential use cases alone, we have been anxiously waiting for the release of Docker Security Scanning and hope to start seeing it in action at applicable customers soon.
If you are using Docker or planning a container strategy, Flux7’s Docker consulting experts can help you build a safe, scalable, and innovation-friendly environment for your organization.
Lean on our experience deploying Docker in Enterprises since 2013 by reaching out to us today.
Did you find this useful?
Interested in getting tips, best practices and commentary delivered regularly? Click the button below to sign up for our blog and set your topic and frequency preferences.