How to Secure Your Docker Containers: Tips and Challenges

Today, we will talk about one of the most popular technologies, Docker, and Docker security considerations. Creating a secure Docker image could be tricky and complicated in some cases. We aim to provide a security roadmap on Docker technology. This roadmap will include topics such as best security practices, open-source vulnerability scanning tools, and Qualys Docker scanning on AWS ECR.

In the 1st part of our blog series, we will be talking about docker technology in detail.

• What is Docker?
• Why is Docker so popular these days?
• What are the related challenges?

We will also provide some best security practices for how to secure your docker images to use in your development process. We will emphasize the importance of regular vulnerability scanning in the development process. In addition, we will summarize some Docker vulnerability scanning tools for you.

In parts 2 and 3, we will be talking about Docker vulnerability tools in detail where all usage and installation steps will be explained. Let’s start!

Index

Part 2: Docker Vulnerability Scanning

Part 3: QUALYS – Deploying sensor in AWS ECS Cluster

1. Login to the Qualys
2. Download the QualysContainerSensor.tar.xz file
3. Download the container sensor.
4. Sensor package operations
5. Push the Qualys sensor image to an AWS ECR repository.
6. Modify the cssensor AWS ECS JSON file
7. Import the JSON file
8. Task execution IAM role configurations
9. Select the AWS Cluster
10. Select the task definition
11. Create task definition
12. Final Qualys Container Security module

Docker Technology: An Overview

Let’s talk about two different problems that we can all experience during the development process.

• The first case would be when you would have a program that works successfully in a development environment but it would not be working in the production. When you identify the root cause, it will point to the library and dependency differences between the two environments. How can you fix this every time?
• The second case would be when you would have two different programs that work with different versions of libraries. How can you manage applications that could work with different versions? How can you easily solve security issues?

Docker is the answer to all of these questions.

Docker allows programs to run independently from each other. Docker is a tool to make it easy to create, deploy and run applications using container technology. By using Docker, a program is transferred and runs quickly and reliably from one computer to another.

To explain more clearly, we will provide information about some docker terms below:

What is a Docker Image?

A Docker image is a read-only template. An image might include an Ubuntu operating system along with Apache and your web application. Docker containers are made up of images. Docker makes it easier to generate new files or upgrade old ones, and you can even import Docker images made by others.

Docker Registry: Docker images are stored in registries. You can upload or import images from these public or private store registries. It provides access to a large library of pre-existing images for your use. There may be images you make yourself or images that have already been made by others. Docker registries are the platform’s distribution component.

What are Docker Containers?

Docker containers are similar to directories. A Docker container includes all of the components needed to operate an app. A Docker image is used to create each container. Containers in Docker can be started, stopped, transferred, and removed. Each container serves as a separate and stable application platform. Docker containers are Docker’s most important component.

Docker technology has many advantages over traditional methods. These advantages make Docker popular for companies and developers. When you start developing a new application, it is useful to consider the advantages of using Docker:

• Ease of use
• Scalability
• Consistency
• Repeatability
• Modularity
• Fast software delivery
• Cost-effectiveness
• Flexibility

2. Docker Security: A Tricky Way

Despite the popularity of Docker, most software developers avoid using it because they think Docker security is weak. Docker containers include code binaries, configuration files, related dependencies, host environment, and network configurations. Each of these could cause an attack surface. For example, a vulnerability in an old library poses a threat to the entire docker container. Since there are so many different technologies in Docker containers, security management could be complicated.

3. Docker Security Best Practices

At first glance, we have listed some docker security practices for your docker images:

a. Don’t be a root

According to research, 58% of docker images are built and run with root permissions. Root user privileges in systems create an attack surface for attackers. The attacker has access to all data and can directly control the hardware. Therefore, the docker process must be executed by the user that will be created with the least privileges.

As an example, a user definition is created below:

FROM ubuntu:20.04
RUN apt-get update -y && \
apt-get install -y python3-pip python3-dev
USER test
CMD test test.py

b. Use trusted base images

When creating Docker images, you should define your base image with the “FROM” term. You should select and pull your base docker images carefully. Selecting unknown or untrusted docker images for the base causes transferring all security vulnerabilities and problems in the image to the container system. That’s why you should pull your base docker images only from the trusted repositories. You should check checksums and digital signatures to verify the authenticity and integrity of pulled base docker images.

The best solution for trusted base images is building your base images.

c. Sign your docker images

To ensure your docker data integrity and docker content trust, Docker images should be digitally signed and verified on runtime. For this, one of the popular tools, Notary, could be used. With the docker sign mechanism, users can be sure that the docker image data they’re downloading is what we have created.

d. Update your environment

We come across hundreds of CVEs related to both the operating system and libraries every day. It is quite normal for most of these to be found in our docker images related to the operating system, old packages, etc. For this reason, it is always important to keep our docker images up-to-date and to create automation for security updates.

Also see: What is Cloud Security?

e. Close unused ports

Ports opened for testing (like SSH) or for which the purpose of use has not been determined should be closed in the production environment.

f. Do not use hardcoded credentials

Hardcoded credentials (API keys, AWS credentials, etc.) are always a problem for security posture, and always an open door for attackers. Your docker images should not contain any hardcoded credentials related to any environment (dev, test, prod, etc.). You should get credentials from the configuration via environment variables (with the -e option) or using a secret manager configuration.

g. Scan your docker environment regularly

For docker container environments, regular vulnerability scanning and vulnerability detection are highly important to ensure there is no breach in the progress or an opportunity for an attacker to sneak in. There are lots of open-source tools for Docker containers. Scanning tools are easy to use, and they include the database of Common Vulnerabilities and Exposures (CVE), Center for Internet Security (CIS) to detect.

4. Docker-Vulnerability Scan

Here are some examples of docker vulnerability scanning tools that can be used:

a. Docker Bench for Security

This security tool is based on CIS Docker Benchmarks for all automated scans. Scans could be done with a docker image or a shell script. Scan results include vulnerabilities related to the host configuration, docker daemon configuration and files, container images and build files, container runtime, Docker security operations, and Docker swarm configurations.

b. Scan on Push: AWS ECR

AWS Elastic Container Registry (ECR) is a service that manages the container registry for storing and deploying container images. If you’re managing your user docker images with AWS ECR, you could scan your images which help to improve the security of your application’s container images. Additionally, you could enable the “scans on push” feature for your repositories to ensure every image is automatically vulnerability scanned.

What is AWS Elastic Container Registry (ECR)?

AWS Elastic Container Registry (ECR) is a service that manages the container registry for storing, and deploys container images.

c. Trivy

Trivy is an open-source vulnerability scanner for your docker images announced by Aqua Security. In addition to docker images, Trivy can scan your filesystems and git repositories for you. It could detect vulnerabilities in minutes and is suitable for CI & CD processes.

Conclusion

In Part 1, “Secure Your Docker Containers: Tips and Challenges”, of our blog series, we have talked about Docker technology and why Docker is so important for the developer world. In addition, we have shared some Docker security tips that could be useful for creating a Docker file. Also, we’ve done a quick overview of some docker vulnerability scanning tools.

Docker technology has become increasingly popular in recent years for its ease of use, scalability, and flexibility. However, there are potential security challenges that need to be addressed to ensure the safety of your Docker containers. By following best security practices, such as not using hardcoded credentials, regularly scanning your Docker environment, and closing unused ports, you can significantly reduce the likelihood of a security breach.

Please join us in “Part 2 – Docker Vulnerability Scan Tools”, to review the scanning tools in detail.

Check out our Cloud Security services to stay secure!