People worry about how secure containers are to outside attackers. That’s a legitimate fear. I think what’s even more of a concern is whether the application within your container is secure, or if it’s really what you think it is.
Docker‘s answer to this is Docker Security Scanning. This is an opt-in service for Docker Cloud private repo plans that provides a security assessment of the software included in container images. The service offers detailed image security profiles, continuous vulnerability monitoring and notifications for integrated content security across the entire software supply chain. Docker Security Scanning provides binary-level scanning, generating a detailed security profile for each Docker image, including details that allow IT operations to assess if the software meets security compliance standards. Docker claims this service works seamlessly with existing dev and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment.
Docker Security Scanning works across any application and across all major Linux distributions. This enables the program to be used in a Containers as a Service (CaaS) workflow that improves an organization’s security posture through central IT managed secure content.
This new service also includes an update to Docker Bench. This automates validating a host’s configuration against the CIS Benchmark recommendations. With this update, Docker users can implement recommendations from the latest CIS Docker Benchmark to ensure that their platform is configured to be in-line with the best practices outlined for Docker Engine 1.11.
“We’ve made it our goal to secure the global software supply chain from development, test to production,” said Nathan McCauley, Docker’s Director of Security in a statement. “As with all of Docker’s tooling, Docker Security Scanning works as an integrated component without any disruption to developer productivity. In fact,” McCauley claims, “Docker Security Scanning enables developers to accelerate their workflows while providing greater visibility into the Docker images they choose to run in their environment. In turn, with usable security capabilities and granular control, IT operations is able to flexibly configure the security policies needed to safeguard their infrastructure.”
System administrators using Docker Security Scanning are presented in a Bill of Materials (BOM). This contains the details of the image layers and components, along with the security profile of each component. Besides helping sysadmins, this allows Independent Software Vendors (ISV) to make informed decisions regarding that content based on their respective security policies. With this information, ISVs can actively fix vulnerabilities to maintain a high-quality security profiles that they can then transparently expose to end users. Meanwhile, app teams can decide if they want to use an ISV image based on the displayed profile and flexibly use Security Scanning to check the additional code before deciding to deploy.
Besides improving container content integrity, Security Scanning streamlines ongoing operations by automating the cumbersome aspects of maintaining software compliance. Previously, IT operations would have to rely on the information published by each ISV on the state of their content to the CVE (Common Vulnerability and Exposures) databases and have to manually monitor the CVE databases for any issues. Docker Security Scanning automates this process and enables IT to address issues quickly.
Docker Security Scanning is available now to Docker Cloud users with a private repo plan. By the end of the third quarter of 2016 , it will include all Docker Cloud repo users. Pricing begins at $2 per repo as an add-on service for private repo plans. Docker Security Scanning will also be available as an integrated feature in Docker Datacenter during the second half of 2016. At first, if you do the off-the-cuff math, this may sound quite expensive. What you need to do is not to look at the ongoing cost, but at how much you’ll save from both not needing to audit the software in every container and having automatic tracking of CVE issues.