Study: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

Really interesting post via BanyanOps. New tech introduces changes in the way we have to fix and operate:

Docker Hub is a central repository for Docker developers to pull and push container images. We performed a detailed study on Docker Hub images to understand how vulnerable they are to security threats. Surprisingly, we found that more than 30% of official repositories contain images that are highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.). For general images – images pushed by docker users, but not explicitly verified by any authority – this number jumps up to ~40% with a sampling error bound of 3%.
...
Conclusion
Our findings advocate a rigorous operations management process where images are analyzed in real-time to provide full visibility into their contents. The images should be scanned for security vulnerabilities, and selectively marked for rebuild depending on the relevance and severity of the vulnerabilities. Any major vulnerability should be identified instantly and there should be an option to trigger an immediate quarantine of susceptible images. The images not only need to be scanned for OS-level package vulnerabilities, but also application-level package vulnerabilities. These processes need to be efficiently integrated into a continuous deployment framework to realize the full benefits of containers while simultaneously maintaining good security practices.
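As an added illustration of the scan-and-triage loop the conclusion describes (example code written for this page, not from BanyanOps or from this post), here is a small policy function that turns scan findings into quarantine / rebuild / monitor / ok decisions for each image. The scanner output shape, the severity thresholds and the sample findings are all assumptions.

```python
from dataclasses import dataclass
# Severity ladder and the two policy thresholds (assumed values, not the study's).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
QUARANTINE_AT = "high"   # any high/critical finding: pull the image from deployment now
REBUILD_AT = "medium"    # medium findings with a fix available: queue a rebuild and rescan

@dataclass(frozen=True)
class Finding:
    package: str
    scope: str           # "os" = distro package, "app" = language/library package
    severity: str
    fix_available: bool

def rank(severity: str) -> int:
    # An unrecognised severity is scored as critical rather than ignored: a finding
    # the scanner could not classify is not evidence that the image is safe.
    return SEVERITY_RANK.get(severity.strip().lower(), SEVERITY_RANK["critical"])

def triage_image(image: str, findings: list) -> dict:
    """Decide quarantine / rebuild / monitor / ok for one image and keep the evidence."""
    worst = max((rank(f.severity) for f in findings), default=0)
    fixable = [f.package for f in findings if f.fix_available]
    if worst >= SEVERITY_RANK[QUARANTINE_AT]:
        action = "quarantine"
    elif worst >= SEVERITY_RANK[REBUILD_AT] and fixable:
        action = "rebuild"
    elif worst >= SEVERITY_RANK[REBUILD_AT]:
        action = "monitor"      # no patched package yet: track it until one ships
    else:
        action = "ok"
    return {"image": image, "action": action, "worst": worst, "fixable": fixable,
            "os_findings": sum(f.scope == "os" for f in findings),
            "app_findings": sum(f.scope == "app" for f in findings)}

def triage_scan(scan: dict) -> dict:
    return {image: triage_image(image, findings) for image, findings in scan.items()}

# Constructed sample scanner output (not real data) with OS- and application-level findings.
SAMPLE_SCAN = {
    "registry.example/web:1.4": [Finding("bash", "os", "critical", True),
                                 Finding("requests", "app", "medium", True)],
    "registry.example/api:2.0": [Finding("pyyaml", "app", "medium", True)],
    "registry.example/worker:0.9": [Finding("libfoo", "os", "low", False),
                                    Finding("somelib", "app", "Medium", False)],
    "registry.example/static:3.1": [],
}

if __name__ == "__main__":
    for d in triage_scan(SAMPLE_SCAN).values():
        print(d["image"], d["action"], "worst=%d" % d["worst"], "fixable=%s" % d["fixable"])
```

In a continuous-deployment pipeline the "quarantine" result is the gate that blocks the push, while "rebuild" feeds the image back to the build stage for a rescan.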

John Scott

John Scott (Code Intel) is the leader in the Defense industry around the commingled issues of cyber, software & technology development and deployment, software, intellectual property and acquisitions. He is focused now on automating and managing the enterprise cyber tools and the software supply chain. John drafted the U.S. Department of Defense policy for the use of open source software and is often called as an expert in this area. He founded Open Source for America, an advocacy group for use of open source software in government and the Military Open Source Software Working Group (http://mil-oss.org/). He holds a BS in Mechanical Engineering from Lehigh University and an MS in Systems Engineering from Virginia Tech and writes about defense software and acquisitions related issues, most recently at the Wall Street Journal “Send in the Tech Reinforcements” - 2/11/13
http://powdermonkey.blogs.com/
http://about.me/jms3
@johnmscott
