Securing Docker Containers
Randy Kilmon, VP Engineering
Black Duck Software
How Pervasive is Open Source?
• > 98% of the applications tested used open source
• On average, open source comprised over 30% of the code base
[Chart: Open Source vs. Custom Code, composition of software tested across 1,400 Black Duck customers]
Reference: Black Duck Software audits
Building Trust & Confidence is Critical to Adoption of Docker
Security is ranked as the #1 adoption challenge for containers
• 60% of customers are concerned about container security and the lack of certification/image provenance
• 40% of available container images contain High Priority vulnerabilities
• 4,000 new vulnerabilities in open source are reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost
Black Duck Customer Conference
Areas of Concern
Docker security issues fall into three main categories
• Docker itself and the infrastructure it uses
• The authenticity and provenance of the images themselves
• The security profile of the content within the containers Docker runs
Docker Infrastructure
Docker Daemon / Docker Socket
• The Docker daemon runs as root on the host system
• An attack that reaches the host through Docker (for example, through the Docker socket) therefore runs with root privileges
• Many Docker containers run with the --privileged flag set, which extends the container's privileges so that it can access all devices on the host system (a bad idea)
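Added example, not code from the talk: a small audit over the JSON that `docker inspect` prints, flagging the settings this slide warns about, a container started with --privileged, one that can reach the daemon because the Docker socket is mounted into it, one that was handed host-compromising capabilities, and one that runs as root inside the container. The field names (HostConfig.Privileged, HostConfig.CapAdd, HostConfig.Binds, Mounts, Config.User) are the ones `docker inspect` emits; the three sample containers are constructed for the demo.

```python
"""Audit `docker inspect` output for settings that hand the host to a container.

Added example, not code from the talk. Feed it `docker inspect $(docker ps -q)`
or the constructed SAMPLE_INSPECT below.
"""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
# Capabilities that let a root process in the container reach the host:
# mount filesystems, trace host processes, load kernel modules, raw device I/O.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH"}


def _cap_name(cap):
    """Docker accepts both SYS_ADMIN and CAP_SYS_ADMIN; normalise to the bare name."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(c):
    """Return the list of findings for one `docker inspect` entry (empty if clean)."""
    findings = []
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and all host devices")
    bad = sorted({_cap_name(x) for x in host.get("CapAdd") or []} & DANGEROUS_CAPS)
    if bad:
        findings.append("host-compromising capabilities added: " + ", ".join(bad))
    # The socket can appear as a "src:dst" bind string or as a resolved Mounts entry.
    binds = host.get("Binds") or []
    mounts = c.get("Mounts") or []
    if any(b.split(":")[0] == DOCKER_SOCKET for b in binds) or any(
            m.get("Source") == DOCKER_SOCKET for m in mounts):
        findings.append("Docker socket mounted: root on the host for anyone in the container")
    if not cfg.get("User"):
        findings.append("runs as root inside the container (no USER set)")
    return findings


def audit_all(inspect_output):
    """Map container name -> findings for every container that has at least one."""
    containers = json.loads(inspect_output) if isinstance(inspect_output, str) else inspect_output
    report = {}
    for c in containers:
        found = audit_container(c)
        if found:
            report[(c.get("Name") or c.get("Id", "?")).lstrip("/")] = found
    return report


# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1", "Name": "/web",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": None, "Binds": None},
     "Mounts": []},
    {"Id": "b2", "Name": "/ci-agent",
     "Config": {"User": "jenkins"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Id": "c3", "Name": "/api",
     "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": None},
     "Mounts": []},
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run it against a live host with `docker inspect $(docker ps -q) | python3 audit.py` after replacing SAMPLE_INSPECT with `sys.stdin.read()`; the `api` container, which drops root and asks for nothing extra, produces no findings, while `web` and `ci-agent` do.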
Responses
Linux adaptations to counter the threat
• Red Hat Atomic Host
• SELinux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
• VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for running containers at scale
• Lightwave used for managing authorization and identity management
Container Contents
Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors in the same way they can in traditional deployment models
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set
• Different OS flavors and versions, as well as different module versions
• Based on any one of many Linux distributions
• Patches must be managed carefully
• Security, but also compatibility & supportability
Responses
Manage and monitor container content carefully
• Dockerfile analysis is insufficient
• .tar, .zip files could have anything inside them
• Other layers are just referenced from other registries
• Asking the package manager is insufficient
• Not all modules are under package manager’s purview
• Application-layer code (e.g., .jar files) is never managed in this way
• File inspection (scanning) is the only way to be sure about what is there
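Added example, not Black Duck's scanner: the kind of file-level inspection this slide argues for. It walks an image's layer tarballs in order, hashes every regular file, recurses into .jar/.zip archives (the fat jar below is exactly the content a package manager never sees), honours OverlayFS whiteout entries so that a file deleted by a later layer is not reported, and records which layer introduced each file. The three layers and the hash-to-component signature database are constructed for the demo; a real run would read the layer blobs from `docker save` and a real signature database.

```python
"""Layer-aware file-signature scan of a container image (added example)."""
import hashlib
import io
import os
import tarfile
import zipfile

WHITEOUT = ".wh."          # ".wh.<name>" in a layer deletes <name> from lower layers
OPAQUE = ".wh..wh..opq"    # hides everything below in the containing directory


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def _entries(path, data):
    """Yield (virtual path, bytes) for a file and, recursively, every member of any zip/jar."""
    yield path, data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from _entries(f"{path}!/{info.filename}", zf.read(info))


def _drop(fs, target):
    """Remove target and anything under it (directory children or archive members)."""
    for k in [k for k in fs if k == target or k.startswith(target + "/") or k.startswith(target + "!/")]:
        del fs[k]


def index_layers(layers):
    """Apply layer tarballs in order; return {path: (layer index, sha256)} of the merged filesystem."""
    fs = {}
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            for m in tar.getmembers():
                name = m.name[2:] if m.name.startswith("./") else m.name
                dirname, base = os.path.split(name)
                if base == OPAQUE:
                    for k in [k for k in fs if k.startswith(dirname + "/")]:
                        del fs[k]
                elif base.startswith(WHITEOUT):
                    _drop(fs, os.path.join(dirname, base[len(WHITEOUT):]))
                elif m.isfile():
                    _drop(fs, name)  # a replaced file loses its old archive members too
                    for p, d in _entries(name, tar.extractfile(m).read()):
                        fs[p] = (idx, sha256(d))
    return fs


def scan(layers, signatures):
    """Return [(path, component, layer index)] for files whose hash is in the signature DB."""
    return [(p, signatures[h], idx)
            for p, (idx, h) in sorted(index_layers(layers).items()) if h in signatures]


# --- constructed demo data --------------------------------------------------
def make_layer(files):
    """Build an uncompressed tar layer in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Stand-in file contents; a real database holds hashes of the actual component files.
SIGNATURES = {
    sha256(b"libssl-1.0.1e"): "OpenSSL 1.0.1e",
    sha256(b"zlib-1.2.8"): "zlib 1.2.8",
    sha256(b"commons-collections-3.2.1"): "commons-collections 3.2.1",
}

IMAGE_LAYERS = [
    # layer 0: base OS with an old OpenSSL and zlib
    make_layer({"usr/lib/libssl.so.1.0.1e": b"libssl-1.0.1e",
                "usr/lib/libz.so.1.2.8": b"zlib-1.2.8"}),
    # layer 1: application fat jar bundling a library jar, invisible to any package manager
    make_layer({"app/app.jar": make_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "lib/commons-collections-3.2.1.jar": make_zip({
            "org/apache/commons/collections/Bag.class": b"commons-collections-3.2.1"})})}),
    # layer 2: OpenSSL upgraded; the whiteout removes the old .so from the merged view
    make_layer({"usr/lib/.wh.libssl.so.1.0.1e": b"",
                "usr/lib/libssl.so.1.0.2": b"libssl-1.0.2"}),
]

if __name__ == "__main__":
    for path, component, layer in scan(IMAGE_LAYERS, SIGNATURES):
        print(f"layer {layer}: {component} at {path}")
```

The report names the layer that introduced each match (the bundled commons-collections jar comes from layer 1, zlib from layer 0) and says nothing about OpenSSL 1.0.1e, because layer 2 whited it out; scanning only layers 0 and 1 would report it. Hashing by file content rather than by package metadata is what makes the nested jar visible at all.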
Microservices
The more containers you spin up, the larger the attack surface you expose
• Speed is critical
• Speed to detection of problems
• Speed to remediation
The Black Duck Solution
Black Duck key differentiators
• Platform-agnostic support in Hub for analyzing all content (whether inside containers or not)
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
Key Integration Points
Many options for workflow
• Scan on any Docker host by accessing images through the Docker daemon
• Scan on RH Atomic Host with file system level integration
• Scan directly against a Docker registry
• CI tools: Jenkins, Bamboo, etc.
• OpenShift (currently in development)*
Demo
Q&A
Let’s talk about how you are using or plan to use Docker in your organizations