Video: https://youtu.be/pCznn0KP8iM
In 1990, pro tennis legend Andre Agassi unintentionally predicted the importance of container images in the application container movement 20+ years later when he told viewers of the famous Canon commercial, "image is everything".
However, even the tennis Hall of Famer couldn't have predicted the security issues that would surface from this new technology. While the Docker container engine and Kubernetes orchestrator make it easy to distribute, orchestrate, and run containers, we also need to ensure our images are safe to use.
Malware often masquerades as legitimate images, and vulnerabilities found in official images are frequently exploited by nefarious actors. Both concerns are security threats to the stability and security of your application environment.
This is where container image scanning and signing play a crucial role in your organization. Several products on the market seek to address this need, including Harbor, JFrog X-Ray, Docker Trusted Registry, Quay, and Twistlock. This is an essential element of securing your DevOps pipeline.
Jason Epstein is a Senior Solutions Engineer on the Docker Enterprise team at Mirantis. He will walk us through an image vulnerability scan, what can be discovered, and how it can be used to help secure your DevOps pipeline.
Goals Today
○ The importance of securing your container images
○ Introduction to image vulnerability scanning
○ Introduction to image signing
○ Glimpse into common products available in the marketplace
○ Demonstrate image scanning and signing
What is a Docker Container Image?
An image is an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime. An image typically contains a union of layered filesystems stacked on top of each other. An image does not have state and it never changes.
TL;DR
Images are the “blueprint” to your applications
● Shareable
● Immutable
Ensure Your Images Are Safe to Run
A Multi-Layered Defense
● Know What’s Inside Your Apps
● Know Where Your App Images Came From
● Know Who Modified Them
“Developer use of older, vulnerable versions is one of the leading causes of container vulnerabilities.”
- Gartner, Best Practices for Running Containers and Kubernetes in Production
Why Is Container Image Security Important?
Running vulnerable images exposes your organization to threats.
Example: CVE-2019-5021 (discovered May 2019)
“Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user.”
(source: https://nvd.nist.gov/vuln/detail/CVE-2019-5021)
When the required conditions are met, a user (legitimate or not) on your system can easily gain root access inside the impacted container.
Image Scanning: Know What’s Inside Your Apps
Trusted Content
● Continuously scan for vulnerabilities in all images
  • Improve application security by scanning for known vulnerabilities prior to deployment and running continuous checks thereafter
  • Ensure compliance with alerts on newly disclosed vulnerabilities
Image Content Trust: Know Where Your Apps Came From and Who Modified Them
• Sign the image to “approve” its passing of each stage.
• Policy to check for signatures before deployment
Pipeline stages: CI, Security Scanning, Staging, Production
Enforcing Docker Content Trust in Universal Control Plane (UCP)
Ensure Only Images Signed by Each Team Can Be Run
Container Image Security Takeaways
● Scan your images for vulnerabilities
  ○ Scan every image and assess any vulnerabilities for risk and relevance in your environment
  ○ Automate image filtering so that only those that meet your security criteria make it to the next stage (including production)
● Sign your images to ensure image authenticity
  ○ Require CI tools, repositories, test tools, security tools, and all other steps in your pipeline to cryptographically sign every image they process
  ○ Ensure every environment (including production!) that will run your images checks for a valid signature from the required sources.
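The gate the takeaways and the pipeline-stages slide describe, written out as an added Python example that is not part of the deck or of any product it names: an image is promoted to a stage only if the scan report shows no blocking findings, every earlier pipeline stage has signed it, and (for the CVE-2019-5021 case above) the root entry of its /etc/shadow has a non-empty password field. The stage names, the severity threshold, the image reference and the shadow lines are constructed for the example.

```python
from dataclasses import dataclass

# Pipeline stages named on the slide; each stage signs the image it approves,
# and a stage may run an image only if every earlier stage has signed it.
STAGES = ["ci", "security-scanning", "staging", "production"]
BLOCKING = {"critical", "high"}  # hypothetical policy threshold for promotion

@dataclass
class Finding:
    cve: str
    severity: str

@dataclass
class Image:
    ref: str
    findings: list   # scanner output for this tag
    signers: set     # stages whose signing keys have signed this tag

def root_has_null_password(shadow: str) -> bool:
    """Return True if the root entry of an /etc/shadow dump has an empty
    password field, the condition described for CVE-2019-5021."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1] == ""
    return False

def missing_signatures(image: Image, target: str) -> list:
    """Stages that had to sign before `target` may run this image."""
    return [s for s in STAGES[:STAGES.index(target)] if s not in image.signers]

def can_promote(image: Image, target: str, shadow: str = "") -> tuple:
    """Gate decision: (allowed, reasons); every failed check is reported."""
    reasons = [f"{f.cve} is {f.severity}" for f in image.findings
               if f.severity.lower() in BLOCKING]
    reasons += [f"no signature from stage '{s}'"
                for s in missing_signatures(image, target)]
    if shadow and root_has_null_password(shadow):
        reasons.append("root has a NULL password in /etc/shadow")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample: an image carrying the Alpine finding, signed by CI and
    # scanning but never approved by staging, offered to production.
    img = Image("registry.example/app:1.0", [Finding("CVE-2019-5021", "critical")],
                {"ci", "security-scanning"})
    print(can_promote(img, "production", "root:::0:::::\nbin:!::0:::::"))
```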