The main challenge organizations will face in securing their containers is not the technical part but the cultural and organizational changes. This is according to a recently released report from Snyk that focused heavily on the current state of Docker security. The report revealed that half of the top 10 free certified Docker images have known vulnerabilities.
“If you want to change certain things in a process, most of the time people do not want to change because they’re doing certain things in a certain way for maybe a decade or maybe a couple years, so doing that will be the most important part,” said Brian Vermeer, developer advocate at Snyk and one of the authors of the report.
While the technical tools are already available, it’s getting those aligned with current processes that is the challenge, Vermeer explained.
The report offered up recommendations on methods and processes that organizations should implement in order to improve Docker security.
One of the recommendations Snyk makes is to be more careful about what Docker image gets chosen. Snyk recommends choosing the smallest base image possible and not packaging what isn’t necessary.
According to Snyk, a popular approach to the challenge of choosing the right base image is to have two base images: one for development and unit testing, and another for later-stage testing and production.
Snyk also recommends rebuilding images. According to Snyk’s State of Open Source Security 2019 report, 20 percent of Docker images with vulnerabilities could have been solved if the image had been rebuilt.
Organizations should also scan their Docker images frequently and integrate that scanning process into their development workflow and CI/CD pipelines. Scanning early in the development process allows vulnerabilities to be caught as early as possible, while scanning containers in production ensures that you can act quickly when a new vulnerability is discovered.
In addition, organizations should use multi-stage builds to ensure that they are only copying the artifacts they need, which reduces unnecessary vulnerabilities. “This method of creating a tiny image does not only significantly reduce complexity but also the chance of implementing vulnerable artifacts in your image. So instead of images that are built on images that again are built on other images, with multi-stage builds you are able to ‘cherry-pick’ your artifacts without inheriting the vulnerabilities from the base images on which you rely,” Snyk wrote in the report.
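The following Dockerfile is an added example written for this article; it is not code from the Snyk report. It puts the three recommendations above together for a hypothetical Go service: a pinned, small build image; a separate development/unit-test target (the "two images" approach); and a production stage that starts from `scratch` and copies in only the compiled binary and CA bundle, so nothing from the build toolchain, and none of its vulnerabilities, is inherited. The module path `./cmd/app` and the output name `app` are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the Snyk report): multi-stage build for a
# hypothetical Go service. Build and test stages carry the toolchain; the
# final stage cherry-picks only the runtime artifacts onto the smallest
# possible base, so the production image does not inherit the build
# image's packages or their vulnerabilities.

# ---- Stage 1: build --------------------------------------------------------
# Pin the base image by tag (and ideally by digest) so a rebuild is
# reproducible and deliberately picks up the patched base when the tag moves.
FROM golang:1.22-alpine AS build
WORKDIR /src
# Copy dependency manifests first so the module-download layer is cached.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary: no libc dependency, so it can run on scratch.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- Stage 2: development / unit-test image (never shipped) ----------------
# `docker build --target dev .` produces this image. It keeps the toolchain
# so developers and CI can run unit tests; it is not the image you deploy.
FROM build AS dev
RUN go vet ./... && go test ./...

# ---- Stage 3: production image ---------------------------------------------
# scratch has no shell, no package manager and no OS packages: the only
# things a scanner will find are the artifacts copied in below.
FROM scratch AS prod
# Cherry-pick exactly the runtime artifacts: the binary and the CA bundle
# it needs for outbound TLS.
COPY --from=build /out/app /app
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Run as an unprivileged numeric UID (scratch has no /etc/passwd to name one).
USER 65532:65532
ENTRYPOINT ["/app"]
```

Build the two images from the same file with `docker build --target dev -t app:dev .` for unit testing and `docker build --target prod -t app:prod .` (or simply `docker build -t app:prod .`, since the last stage is the default) for later-stage testing and production. Because the production stage is the one that gets scanned and shipped, scanning it in CI reports only what was deliberately copied in, and a periodic rebuild against the pinned base tag is what picks up upstream fixes.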
Hopefully recent vulnerabilities such as those found in runC or Docker Hub will get companies to focus more on securing containers. “And I think these types of vulnerabilities and these types of hacks and types of problems that occur may help in a certain way to get the awareness of them,” said Vermeer. “I hope so. I mean the same happened for application security two years ago when Equifax got hacked. That came with a major impact, that people were now more aware of these things, or were hopefully more aware of those things.”