Docker Hardens Application And Workflow Security With Latest Release
Docker, looking to further strengthen its security chops, released Tuesday a version of its container runtime and platform that implements several features to eliminate application-level vulnerabilities and proactively manage risk throughout the development process.
Among the additions, Docker 1.11 introduces Security Scanning, a tool enabling a bottom-up analysis of all code in the container image that can keep security gaps from being deployed into production environments, said Nathan McCauley, Docker's director of security.
"The general goal is to help organizations with the problem of known vulnerable software within their images," McCauley told CRN. "We're really focused on secure content."
Security has been raised as a potential liability with Docker's container standard, and recent upgrades to the platform have made strides to harden containers and the process of deploying them throughout the software development process and supply chain.
Docker Inc., the San Francisco-based commercial entity behind the open-source software, follows a roughly two-month release cadence. The previous release, Version 1.10, introduced a feature for configuring the privileges that lay behind root-level vulnerabilities.
The latest release updates Docker Bench, a script that implements best security practices, with guidelines from the Center for Internet Security.
The Security Scanning service was designed to integrate into both the development and the operational workflow. Images can be signed by "trusted signers," McCauley said, and "no untrusted code can even enter the workflow."
"If a new vulnerability gets added, that triggers an update in the Security Scanning solution that will send a notification to the owner of any image that is vulnerable," McCauley said.
In that eventuality, the workflow goes back to the developers, who can rebuild and rescan the image, check if the vulnerability has been remediated, and then deploy the application.
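The scan, notify, rebuild and rescan loop described in the last three paragraphs, as an added illustration that is not Docker's code or the Security Scanning service itself. It models an image as a list of package versions (a constructed inventory, not real image contents), matches those versions against an advisory with a fixed-in version, works out which image owners to notify when a new advisory lands, and verifies that a rebuilt image no longer matches. The advisory id and package versions are made up.

```python
"""Toy model of the scan -> notify -> rebuild -> rescan loop.

Added example: the images, owners, advisory id and versions below are
constructed for illustration and do not describe real software.
"""
from dataclasses import dataclass, field


def parse_version(text):
    """'1.0.2' -> (1, 0, 2); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    fixed_in: tuple    # first version that is NOT vulnerable


@dataclass
class Image:
    name: str
    owner: str
    packages: dict = field(default_factory=dict)   # package name -> version tuple


def scan(image, advisories):
    """Return (advisory_id, package, version) for every advisory the image matches."""
    findings = []
    for adv in advisories:
        version = image.packages.get(adv.package)
        if version is not None and version < adv.fixed_in:
            findings.append((adv.advisory_id, adv.package, ".".join(map(str, version))))
    return findings


def notify_owners(images, new_advisory):
    """A new advisory arrives: map each owner to the names of their affected images."""
    notices = {}
    for img in images:
        if scan(img, [new_advisory]):
            notices.setdefault(img.owner, []).append(img.name)
    return notices


def rebuild(image, package, new_version):
    """The developer rebuilds with an updated package; the original is left untouched."""
    rebuilt = Image(image.name, image.owner, dict(image.packages))
    rebuilt.packages[package] = parse_version(new_version)
    return rebuilt


def remediate_and_verify(image, advisories, package, new_version):
    """Rebuild, then rescan; an empty finding list means the image can be deployed."""
    rebuilt = rebuild(image, package, new_version)
    return rebuilt, scan(rebuilt, advisories)


# Constructed sample inventory: three images owned by two teams.
ADVISORIES = [Advisory("ADV-0001", "libssl", parse_version("1.0.2"))]
IMAGES = [
    Image("shop/web:3", "team-web", {"libssl": parse_version("1.0.1"), "nginx": parse_version("1.9.0")}),
    Image("shop/api:7", "team-api", {"libssl": parse_version("1.0.2"), "python": parse_version("3.5.1")}),
    Image("shop/worker:2", "team-web", {"libssl": parse_version("1.0.0")}),
]

if __name__ == "__main__":
    print("notify:", notify_owners(IMAGES, ADVISORIES[0]))
    rebuilt, findings = remediate_and_verify(IMAGES[0], ADVISORIES, "libssl", "1.0.2")
    print("after rebuild:", rebuilt.name, "findings =", findings)
```

Only `team-web` is notified, because `shop/api:7` already carries the fixed version; after the rebuild the rescan of `shop/web:3` returns no findings, which is the signal the workflow uses to let the image proceed to deployment.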
Security Scanning will be available for a while on a free-trial basis for customers of the Docker Cloud repository, and will soon be integrated into Docker Datacenter, a Container-as-a-Service suite.
McCauley said there are two fundamental questions to ask when considering container security: Who created the container, and are there any vulnerable software components inside the container?
The new features address both, imparting a sense of ownership on the process that facilitates the creativity of developers, he said.
Docker 1.11 also focused on a secure platform by adding support within Docker Engine to every containment feature -- there are 12 of them -- available in the Linux kernel. Docker also added out-of-the-box default policies for all of those capabilities, with security features active as a default.
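As an added illustration of what a Docker Bench-style check does with the kernel containment settings mentioned above (this is not Docker Bench or Docker's code; the real script runs `docker inspect` and covers far more of the CIS benchmark), the following audits a handful of `HostConfig` fields from a constructed `docker inspect`-like record: privileged mode, added capabilities, `no-new-privileges`, a disabled seccomp profile, host network sharing, read-only root filesystem and a PIDs limit. The two sample records are made up; the field names are the ones `docker inspect` emits.

```python
"""Minimal Docker Bench-style audit of one container's HostConfig.

Added example, not Docker Bench itself. The two inspect-like records are
constructed; the check list is a small subset of what the CIS Docker
Benchmark covers.
"""
import json


def audit_host_config(host_config):
    """Return (check, status, detail) tuples; status is PASS or WARN."""
    results = []

    def record(check, ok, detail):
        results.append((check, "PASS" if ok else "WARN", detail))

    record("privileged mode disabled",
           not host_config.get("Privileged", False),
           "Privileged=%s" % host_config.get("Privileged", False))
    cap_add = host_config.get("CapAdd") or []
    record("no extra capabilities added", not cap_add, "CapAdd=%s" % cap_add)
    sec_opts = host_config.get("SecurityOpt") or []
    record("no-new-privileges set",
           any(opt in ("no-new-privileges", "no-new-privileges:true") for opt in sec_opts),
           "SecurityOpt=%s" % sec_opts)
    record("seccomp profile not disabled",
           "seccomp=unconfined" not in sec_opts, "SecurityOpt=%s" % sec_opts)
    record("host network namespace not shared",
           host_config.get("NetworkMode") != "host",
           "NetworkMode=%s" % host_config.get("NetworkMode"))
    record("root filesystem read-only",
           bool(host_config.get("ReadonlyRootfs")),
           "ReadonlyRootfs=%s" % host_config.get("ReadonlyRootfs"))
    pids = host_config.get("PidsLimit")
    record("PIDs limit set", pids not in (None, 0, -1), "PidsLimit=%s" % pids)
    return results


def warnings(inspect_record):
    """Names of the failed checks for one parsed `docker inspect` record."""
    return [check for check, status, _ in audit_host_config(inspect_record["HostConfig"])
            if status == "WARN"]


# Constructed records in the shape `docker inspect <container>` returns (one element each).
LAX = json.loads("""{"Name": "/lax", "HostConfig": {"Privileged": false,
  "CapAdd": ["NET_ADMIN"], "CapDrop": null, "SecurityOpt": ["seccomp=unconfined"],
  "NetworkMode": "host", "ReadonlyRootfs": false, "PidsLimit": 0}}""")
HARDENED = json.loads("""{"Name": "/hardened", "HostConfig": {"Privileged": false,
  "CapAdd": null, "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges:true"],
  "NetworkMode": "bridge", "ReadonlyRootfs": true, "PidsLimit": 256}}""")

if __name__ == "__main__":
    for rec in (LAX, HARDENED):
        print(rec["Name"])
        for check, status, detail in audit_host_config(rec["HostConfig"]):
            print("  [%s] %s (%s)" % (status, check, detail))
```

The lax record trips six of the seven checks; the hardened one passes all of them. In practice the record comes from `docker inspect` on a running container, and the same checks belong in CI on the `docker run` or Compose definition before anything is deployed.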
The new features can catch a range of vulnerabilities, from cryptographic implementation issues to bugs like Heartbleed that expose private keys. One result of those enhancements is that applications actually become more secure once they're put into Docker containers, McCauley told CRN.