Docker container images contain the code, runtime, system tools, system libraries and settings needed to run an application. According to the developer delivery platform Section.io, Docker’s microservices architecture, its compatibility and its cost effectiveness are among the reasons why Docker has become “the most wanted technology” and “massively popular.”
Ensuring the integrity of Docker images is therefore essential to the overall security of the cloud environment.
The fact that image vulnerabilities exist is well known. But is image security being compromised to the extent that hardened images are becoming a need rather than simply a recommended practice?
The need for bolstering cloud security in general is critical. According to Cybertalk.org, a whopping 98% of enterprises dealt with cloud security breaches in 2021.
When it comes to image security specifically, the container security firm Prevasio analyzed 4 million public Docker images in 2020. It found that just over half of them had critical vulnerabilities, and that 68% had vulnerabilities of varying severity.
A smaller, but still significant, percentage were classified as malicious. They contained malware, hacking tools, flatmap-stream malware, trojanized applications and even cryptocurrency miners. Coin miners target and exploit Docker images both openly and covertly. The open, public nature of Docker Hub means less scrutiny, so malicious images and metadata are more easily hidden among benign ones. The software security organization Kromtech found in 2018 that 17 malicious Docker images on Docker Hub earned crypto-mining criminals $90,000 in 30 days.
The trojanized applications we mentioned include plugins for WordPress, the world’s most popular open source content management system. Considering that WordPress currently has over 50,000 plugins, and that 64 million websites are currently powered by WordPress, this is a significant security issue.
Hossted zeroed in on the security risks to all our offerings, including WordPress. We use Traefik to secure the access layer, and we provide documentation and recommendations on scanning images for vulnerabilities.
Attackers are not the only problem. The 2020 Verizon Data Breach Investigations Report (DBIR) reports a rise in misconfigured security settings. These errors are increasingly leading to breaches of confidential records, and are now more common than malware.
The challenges of addressing the vulnerabilities
A joint study of Docker Hub security risks by researchers from several universities emphasized that Docker images differ from traditional applications in how they are structured. They are often a complex blend of numerous programs, configuration files and environment variables. This complexity makes it hard to apply a uniform approach to scanning images.
The study adds that the risks are not limited to the container itself, but extend to the host, because containers share the host’s kernel. Patching the vulnerabilities is also made more difficult because the programs bundled inside an image are decoupled from their mainstream counterparts.
The very same reasons that make multi-tenancy attractive, as a way to serve multiple tenants with a single software deployment, are also what make it difficult to protect. Mixed-mode deployment means that data leakage can occur: VMs with varying levels of importance share the same physical server, and the less critical VMs typically have fewer security controls than the more critical ones, exposing the latter to security vulnerabilities.
Regarding human error – the misconfiguration of security settings – the challenge is to sustain procedures that ensure permission reviews and frequent configuration audits. This can be costly and time-consuming.
With all this in mind, overcoming these obstacles is a tough mission, and Hardening is the process that aims to do the job. How?
In Part 2, we will explore the Hardening process: what exactly is it, and how does it work?