
Security Landscape of the Docker Ecosystem and Best Practices


As part of its annual State of Open Source Security Report, security firm Snyk issued a specific report focusing on Docker security that shows vulnerabilities in container images are widespread. According to Snyk's report, the top ten official Docker images on Docker Hub, including node, httpd, postgres, nginx, and others, have at least 30 known vulnerabilities each, with the node image being the top offender at more than 500. The problem extends even to Docker Certified images, which, according to Docker, must conform to best practices and pass certain baseline tests.

The sheer numbers provided by Snyk are certainly worrying, but they might not be the hardest part of the problem. In many cases, fixing vulnerabilities in a Docker image is as easy as rebuilding it on a base image that already contains the fixes: according to Snyk, 44% of the Docker images it scanned contained vulnerabilities that a newer version of their base image had already removed. More worrisome is a general lack of security ownership among developers, who do not always seem to be aware of the criticality of their role. According to Snyk's survey, 80% of developers say they do not test their images during development, while 50% of them do not scan their images for vulnerabilities at all.

The best approach to dealing with Docker image vulnerabilities rests on three key practices, Snyk says. First, as a hygiene rule, start with the smallest Docker image available for a given purpose and do not add any unnecessary package: every extra system library or tool is another source of potential vulnerabilities. Second, scan images frequently, both during development and in production, so that newly disclosed vulnerabilities in already-deployed images are caught. Finally, rebuild images as part of a CI/CD pipeline, so that fixes released in the base image actually reach your image, and prefer multi-stage builds, which keep compilers, build tools and development dependencies out of the final runtime image.
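As an added illustration of those three practices (this Dockerfile is not from the Snyk report or from InfoQ; the application layout with `package.json`, `src/` and a `dist/server.js` entry point is assumed for the example), the following multi-stage build starts from a small base image, installs only what the build needs in the first stage, and copies just the build output and production dependencies into a runtime stage that runs as an unprivileged user:

```dockerfile
# Added example, not from the Snyk report. The app layout is assumed.
#
# The weak version of this file is a single stage such as:
#   FROM node
#   RUN npm install && npm run build
#   CMD ["npm", "start"]
# which ships the full Debian-based node image plus the compiler toolchain,
# the npm cache and all devDependencies to production.

# Stage 1: build with the full toolchain on a minimal (Alpine) base.
FROM node:lts-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
# npm ci installs exactly the locked dependency tree (devDependencies included,
# since the build step needs them).
RUN npm ci
COPY src ./src
RUN npm run build
# Drop devDependencies so only runtime packages are copied forward.
RUN npm prune --omit=dev

# Stage 2: the runtime image. Nothing from stage 1 is carried over except
# what is explicitly copied: no compiler, no npm cache, no devDependencies.
FROM node:lts-alpine
WORKDIR /app
ENV NODE_ENV=production
# The official node images ship an unprivileged "node" user; use it.
USER node
COPY --from=build --chown=node:node /app/dist ./dist
COPY --from=build --chown=node:node /app/node_modules ./node_modules
COPY --chown=node:node package.json ./
CMD ["node", "dist/server.js"]
```

To make the "rebuild in CI/CD" practice bite, build with `docker build --pull --no-cache .` on a schedule (not only on code changes), so that a base image tag that has been republished with fixes is actually fetched rather than served from the build cache, and run a scan such as `snyk container test <image> --file=Dockerfile` against the result both in the pipeline and periodically against what is running in production.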

Snyk's State of Open Source Security Report has a broader scope than just the Docker ecosystem and is based on a survey of more than 500 open source developers and maintainers, together with data from public application registries, library datasets and GitHub repositories.

InfoQ has spoken with Snyk developer advocate Liran Tal to learn more.

InfoQ: Snyk's report shows a steep increase in the number of vulnerabilities found in open source libraries in the last few years. Can you tell us how you arrived at those results?

Liran Tal: Snyk tracked information about the state of security disclosures that were made public on some of the most popular Linux distributions, based on data Snyk gathered from cvedetails. Snyk found that security vulnerabilities in Red Hat Enterprise Linux, Ubuntu and Debian grew fourfold in 2018. That's right, there's no decimal place missing, it grew by almost three and a half times.

As Snyk takes a look at a breakdown of vulnerabilities by their severity, we found out that 2017 and 2018 continue the trend of an increase in the number of high and critical vulnerabilities being disclosed.

InfoQ: When it comes to Docker, the security of the underlying OS and system libraries is critical. Can you comment on what your report brings to the fore?

Tal: Docker images almost always bring known vulnerabilities alongside their great value. System libraries are of course common artifacts in operating systems, which Docker images are built upon. With more system libraries and tools bundled in a Docker image, the risk of finding a security vulnerability in the image increases.

Most vulnerabilities come from libraries you don’t explicitly use. In most ecosystems, 75% or more of your dependencies are indirect, implicitly pulled in by the libraries you use and Snyk found that 78% of overall vulnerabilities tracked are from indirect dependencies.

As containers continue to explode onto the IT landscape in 2019, container security threats continue to rise, and organizations are now more than ever placing a higher level of importance on ensuring image security is a top priority.

At 50 pages in length, the Snyk report on open source security contains much more detail than can be covered here. Make sure you read it if you are interested in software security and how to improve it.
