Lead Image © Kae Horng Mau, 123RF.com

Security issues when dealing with Docker images

The Crux with Leaks

Article from ADMIN 39/2017

By Nils Magnus

Although developers appreciate Docker's ease of use and flexibility, many admins are worried about vulnerabilities. We look at various approaches to securing container images and the price to be paid.

Docker Hub is easy for users, and the docker command-line tool can directly tap into it. You can easily pick up prebuilt images for CMS, databases, or distributions and import them into your local infrastructure. But what guarantees do users have that the software running in the container is also free of vulnerabilities?

Threat Modeling

To start, you need to distinguish between threats; security experts refer to this as a threat model. In this case, there are three threat scenarios:

The manufacturer embeds malicious code and offers infected images.
Attackers tamper with the software en route from the manufacturer to the user.
The manufacturer fails to eliminate known security vulnerabilities in its images.

Users need to select software vendors they trust for effective protection against the first case. Well-known and reputable companies would be reluctant to compromise their reputations, but a distant dubious download service should inspire some skepticism. Finding out who actually offers an image on the Docker Hub is important, because potentially anyone could upload it. Docker, Inc. [1] does not check uploads and typically leaves this responsibility to the user.

A good image usually contains a note on its build instructions – the docker file . Repository sites such as GitHub typically host these descriptions and let you download them. Thus, every user can reconstruct how an image was created. Of course, a review of this kind takes time, but it is worthwhile if the image in question will be playing a central role in your own infrastructure. Examples of this would be, for example, basic images for a Java application server or a preconfigured CMS in a container.