NOTE: This is the first part of a blog series.
Part 1: Introduction to Docker, Security Best Practices and scans
We will talk about one of the most popular technologies, Docker, and the security considerations that come with it. Creating a secure Docker image can be tricky and, in some cases, complicated. Our aim is to provide a security roadmap for Docker: best security practices, open-source vulnerability scanning tools, and Qualys container scanning on AWS ECR.
In the 1st part of our blog series, we will look at Docker technology in some detail: what Docker is, why it has become so popular, and what challenges it brings. We will also provide security practices to apply to your Docker images during development, emphasize the importance of regular vulnerability scanning in the development process, and summarize some Docker vulnerability scanning tools.
In parts 2 and 3, we will be talking about Docker vulnerability tools in detail where all usage and installation steps will be explained. Let’s start!
Part 1: Introduction to Docker, Security Best Practices and scans
- Docker Vulnerability Scan Overview & Importance
- Docker Vulnerability Scan Tools in Detail
- Docker Bench for Security
- AWS ECR
- Login to the Qualys
- Download the QualysContainerSensor.tar.xz file
- Download the container sensor.
- Sensor package operations
- Push the Qualys sensor image to an AWS ECR repository.
- Modify the cssensor AWS ECS JSON file
- Import the JSON file
- Task execution IAM role configurations
- Select the AWS Cluster
- Select the task definition
- Create task definition
- Final Qualys Container Security module
Let's talk about two problems that we can all experience during the development process. The first case: a program works in the development environment but fails in production. When you identify the root cause, it points at library and dependency differences between the two environments. How can you fix this every time?
The second case: two programs on the same host need different versions of the same library. How can you manage applications that depend on different versions? How can you solve the resulting security issues easily? Docker is the answer to these questions. Docker lets programs run isolated from each other. It is a tool that makes it easy to create, deploy and run applications using container technology. By using Docker, a program can be moved from one computer to another and run there quickly and reliably. To explain more clearly, we describe some Docker terms below:
A Docker image is a read-only template. An image might include an Ubuntu operating system along with Apache and your web application. Containers are created from images. Docker makes it easy to build new images or update existing ones, and you can also import images made by others.
Docker Registry: Docker images are stored in registries. You can push images to, or pull images from, public or private registries, which gives you access to a large library of pre-existing images. These may be images you have built yourself or images that others have already made. Registries are the distribution component of the platform.
A Docker container is similar to a directory: it holds everything needed to run an application. Each container is created from a Docker image. Containers can be started, stopped, moved and removed, and each one provides an isolated and stable platform for its application. Containers are Docker's most important component.
Docker technology has many advantages over traditional methods. These advantages make Docker popular for companies and developers. When you start developing a new application, it is useful to consider the advantages of using a Docker:
- Ease of use
- Fast software delivery
Despite the popularity of Docker, some developers hesitate to use it because they believe container security is weak. A Docker container bundles code binaries, configuration files and their dependencies together with its network configuration, and it shares the host kernel. Each of these is attack surface. For example, a vulnerability in an old library inside the image threatens the whole container. Since so many different technologies meet inside a container, security management can be complicated.
To start with, here are some security practices for your Docker images:
According to research, 58% of Docker images are built and run with root permissions. Root privileges inside a container are an attack surface: unless user namespace remapping is enabled, root in the container is uid 0 as far as the host kernel is concerned, so any container escape or kernel bug hands the attacker full control of the host. A compromised root process can also read every file in the container and tamper with the application. Therefore the containerised process should run as a dedicated user created with the least privileges it needs. As an example, such a user is created below and the process is switched to it with USER before CMD runs:
```dockerfile
FROM ubuntu:20.04
RUN apt-get update -y && \
    apt-get install -y --no-install-recommends python3 python3-pip && \
    rm -rf /var/lib/apt/lists/*
# create an unprivileged account; everything after USER runs as it, not as root
RUN useradd --create-home --shell /usr/sbin/nologin app
COPY --chown=app:app test.py /home/app/
USER app
CMD ["python3", "/home/app/test.py"]
```
When creating Docker images, you define your base image with the FROM instruction. Select and pull your base images carefully. Choosing an unknown or untrusted base image transfers every vulnerability and misconfiguration in that image into your container. That is why you should pull base images only from trusted sources (official images, verified publishers, or your own registry), and pin them by digest (image@sha256:...) rather than by a tag such as latest, because a tag can be repointed at different content at any time. Check checksums and signatures to verify the authenticity and integrity of pulled base images. The most robust option is to build and maintain your own base images.
To ensure image integrity and content trust, Docker images should be digitally signed and the signature verified when the image is pulled. One popular tool for this is Notary, which backs Docker Content Trust. With Docker Content Trust enabled (DOCKER_CONTENT_TRUST=1 in the environment of the docker client), docker pull refuses unsigned images, and docker trust sign publishes a signature for an image you built, so users can be sure the image data they download is what you created.
We come across hundreds of CVEs related to both the operating system and libraries every day. It is quite normal for most of these to be found in our docker images related to the operating system, old packages, etc. For this reason, it is always important to keep our docker images up-to-date and to create automation for security updates.
Ports opened for testing (such as SSH) or whose purpose has not been determined should be closed in the production image: remove the EXPOSE line and the service behind it rather than relying on a firewall in front of the container.
Hardcoded credentials (API keys, AWS credentials, etc.) are always a problem for your security posture and an open door for attackers. Your Docker images should not contain hardcoded credentials for any environment (dev, test, prod, etc.). Note that ENV and ARG values end up in the image metadata and layer history, where anyone who can pull the image can read them with docker history or docker inspect. Inject credentials at runtime instead, via environment variables (the -e option of docker run) or, better, a secret manager or Docker secrets mounted as files; for build-time secrets use BuildKit's RUN --mount=type=secret so the value never lands in a layer.
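The practices above can be checked mechanically before an image is built. The script below is an added example, not code from the original post: it is a small Dockerfile policy checker that flags base images not pinned by digest, a final stage that still runs as root, test/admin ports in EXPOSE, and credential-looking values in ENV or ARG. The rules, the list of "test ports" and the credential regexes are assumptions about what you want to enforce, and the two Dockerfiles it runs on are constructed here (the digest is a placeholder of 64 zeros).

```python
"""Static checks for the Dockerfile practices above (added example, not the post's code)."""
import re
from typing import List, Optional

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Heuristics (assumptions): AWS access key ids start with AKIA, and variable
# names containing these words usually hold credentials.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Ports that belong to test/admin access (SSH, telnet), not to the workload (assumption).
TEST_PORTS = {"22", "23", "2222"}


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_dockerfile(text: str) -> List[str]:
    """Return the policy findings for a Dockerfile; an empty list means it passed."""
    findings: List[str] = []
    user: Optional[str] = None  # effective USER of the current build stage
    for ln in logical_lines(text):
        parts = ln.split(None, 1)
        instr, rest = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if instr == "FROM":
            user = None  # every stage starts as root again, even after a USER in an earlier stage
            image = rest.split()[0]
            if image.lower() != "scratch" and not DIGEST_RE.search(image):
                name = image.rsplit("/", 1)[-1]
                tag = name.split(":", 1)[1] if ":" in name else "latest"
                findings.append(f"FROM {image}: not pinned by digest (tag '{tag}' can move)")
        elif instr == "USER":
            user = rest.split(":", 1)[0]
        elif instr in ("ENV", "ARG"):
            has_value = re.search(r"=\S|\s\S", rest) is not None
            if AWS_KEY_ID_RE.search(rest) or (SECRET_NAME_RE.search(rest) and has_value):
                var = rest.split("=")[0].split()[0]
                findings.append(f"{instr} {var}: credential baked into the image")
        elif instr == "EXPOSE":
            for port in rest.split():
                if port.split("/")[0] in TEST_PORTS:
                    findings.append(f"EXPOSE {port}: test/admin port exposed")
    if user in (None, "root", "0"):
        findings.append("final stage runs as root: add a USER instruction")
    return findings


# Constructed sample: violates every rule above. The AWS values are the
# placeholder credentials from the AWS documentation, not real keys.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && \\
    apt-get install -y openssh-server python3
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EXPOSE 22 8080
CMD ["/usr/sbin/sshd", "-D"]
"""

# Constructed sample that passes; the digest is a placeholder, not a real image digest.
GOOD_DOCKERFILE = f"""\
FROM python:3.11-slim@sha256:{'0' * 64}
RUN useradd --create-home --shell /usr/sbin/nologin app
COPY --chown=app:app app.py /home/app/
USER app
EXPOSE 8080
CMD ["python3", "/home/app/app.py"]
"""

if __name__ == "__main__":
    for name, src in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(f"{name}: {check_dockerfile(src) or ['ok']}")
```

Run it as a pre-commit hook or CI step and fail the build on a non-empty result. The stage tracking matters for multi-stage builds: a USER in the builder stage does not carry over to the final FROM, which is the one that ships.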
For container environments, regular vulnerability scanning is essential to make sure nothing exploitable slips into an image and gives an attacker a way in. There are many open-source scanners for Docker images. They are easy to use, and they draw on vulnerability databases (CVE feeds and distribution security advisories) or on configuration benchmarks such as the CIS Docker Benchmark to decide what to report.
Here are some examples of docker vulnerability scanning tools that can be used:
Docker Bench for Security is a tool that automates the checks of the CIS Docker Benchmark. It can be run as a Docker image or directly as a shell script on the host. Its results are configuration findings, not CVE findings: they cover host configuration, the Docker daemon configuration and files, container images and build files, container runtime settings, Docker security operations, and Docker Swarm configuration.
AWS Elastic Container Registry (ECR) is a managed container registry for storing and deploying container images. If you keep your images in ECR, you can scan them there to improve the security of your application's container images; basic scanning checks OS packages against a CVE database. You can also enable the "scan on push" setting on a repository so that every pushed image is scanned automatically.
Trivy is an open-source vulnerability scanner for Docker images maintained by Aqua Security. In addition to images, Trivy can scan filesystems and git repositories. It detects vulnerabilities in minutes, can emit machine-readable output (for example --format json), and can fail a pipeline through its exit code, which makes it well suited to CI/CD processes.
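Whichever scanner you use, the useful part is the gate that turns its report into a pass/fail decision. The script below is an added example covering both the ECR and Trivy passages above; it is not code from the original post, from Aqua Security or from AWS. It parses the JSON shapes that `trivy image --format json` and `aws ecr describe-image-scan-findings` produce (field names as those tools document them; verify against your version), normalises both into one finding list, and blocks on findings at or above a chosen severity. The two sample reports are constructed here, and their CVE ids are placeholders, not real vulnerabilities.

```python
"""Fail a CI job on container-scan results (added example, not the post's code)."""
import json
import sys
from typing import Dict, List, Tuple

Finding = Dict[str, str]
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed Trivy report (schema v2 shape): one fixable HIGH, one CRITICAL
# with no fix yet, one LOW, plus a result with no Vulnerabilities key at all.
TRIVY_SAMPLE = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "registry.example.com/app:1.0 (ubuntu 20.04)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1-1", "FixedVersion": "1.1-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
              "InstalledVersion": "2.31-1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
              "InstalledVersion": "5.0-1", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs"},
    ],
})

# Constructed ECR basic-scan report. Basic scanning reports no fixed version,
# so an "ignore unfixed" policy would silence every ECR finding.
ECR_SAMPLE = json.dumps({
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1},
        "findings": [
            {"name": "CVE-0000-0004", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "curl"},
                            {"key": "package_version", "value": "7.68-1"}]},
            {"name": "CVE-0000-0005", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "zlib1g"},
                            {"key": "package_version", "value": "1.2-1"}]},
        ],
    },
})


def parse_trivy(report: str) -> List[Finding]:
    """Normalise a Trivy JSON report into a flat finding list."""
    out: List[Finding] = []
    for result in json.loads(report).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            out.append({"id": v["VulnerabilityID"], "pkg": v.get("PkgName", ""),
                        "installed": v.get("InstalledVersion", ""),
                        "fixed": v.get("FixedVersion", ""),
                        "severity": v.get("Severity", "UNKNOWN").upper()})
    return out


def parse_ecr(report: str) -> List[Finding]:
    """Normalise `aws ecr describe-image-scan-findings` output into the same shape."""
    out: List[Finding] = []
    for f in json.loads(report).get("imageScanFindings", {}).get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append({"id": f["name"], "pkg": attrs.get("package_name", ""),
                    "installed": attrs.get("package_version", ""),
                    "fixed": "",  # basic scanning does not report one
                    "severity": f.get("severity", "UNKNOWN").upper()})
    return out


def gate(findings: List[Finding], min_severity: str = "HIGH",
         ignore_unfixed: bool = False) -> Tuple[bool, List[str]]:
    """Return (passed, blocking_lines). Findings at or above min_severity block;
    with ignore_unfixed only those that already have a fixed version block."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking: List[str] = []
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0)):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        blocking.append(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} "
                        f"-> {f['fixed'] or 'no fix available'}")
    return not blocking, blocking


if __name__ == "__main__":
    # Replace TRIVY_SAMPLE with the report file written by `trivy image --format json`.
    passed, lines = gate(parse_trivy(TRIVY_SAMPLE), "HIGH", ignore_unfixed=True)
    print("\n".join(lines) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

The ignore_unfixed switch is the common CI compromise (a CRITICAL with no patch available cannot be fixed by rebuilding), but apply it only to Trivy reports: ECR basic-scan findings carry no fix version, so the same policy would hide all of them.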
In Part 1, "Secure Your Docker Containers: Tips and Challenges", of our blog series, we have talked about Docker technology and why it matters so much to developers. We have also shared Docker security tips that you can apply when writing a Dockerfile, and given a quick overview of some Docker vulnerability scanning tools.
Please join us in “Part 2 - Docker Vulnerability Scan Tools”, to review the scanning tools in detail.