Cavirin Blog

Continuous Security Assessment for Docker

Cavirin Announces Continuous Security Assessment for Docker

Container security extends into all aspects of the container ecosystem, not just the well-known registries such as Docker Hub or those offered by the cloud service providers. Securing a container deployment includes applying best practices across every tool a company uses in the lifecycle: the developer workspace, continuous integration, build automation, testing frameworks, release automation, and operations tools.

In parallel, the DevOps team is now working with a larger number of vendors, many previously unknown. This implies more training, and those new to the container ecosystem sometimes make simple mistakes, such as running production containers as root. Many articles have been written about Docker security concerns, one of the best being O’Reilly’s 5 Security Concerns When Using Docker. More importantly, an infographic from Container Solutions describes best practices for dealing with these concerns, while Assessing the Current State of Container Security at The New Stack provides additional background.

Any security solution must keep track of which VMs or bare-metal servers run which workloads and when those workloads start and stop, and then apply the appropriate frameworks. This is not a one-time analysis: the system must continually scan all images running in production, and also address the access control issues described above.

Given that developers may download public images, they must ensure that these are secure. Docker Hub is one case, especially when combined with Docker Security Scanning, but an unknown open-source site may expose the developer to risk, no different from downloading laptop software from an unknown site. The Morning Paper’s article A study of security vulnerabilities on Docker Hub provides a detailed analysis of the types of vulnerabilities found in both community and official images. A more recent analysis by Federacy states that 24% of Docker images have significant vulnerabilities.

A good approach is to use CI/CD tools to embed security best practices across the container lifecycle. Doing this creates a baseline that reduces the need for additional effort and reduces the chance that security becomes a barrier. Via this baseline, IT is able to detect threats in real time with a lower false-positive rate. It also moves security upstream, integrating it earlier in the software delivery pipeline; in DevOps-speak this is known as a shift-left.

Based on what the system detects, active remediation may include additional logging, implementing additional isolation, or even deleting the container. This must all be automated and under control of the security management platform.

Today, Cavirin is announcing continuous security assessment for the Docker lifecycle.  

Cavirin has various ways to check the risk, security, and compliance of a container-based application. The risk and compliance of the Docker host can be scanned against industry standards such as HIPAA, PCI, SOC2, NIST, and many others. The risk and security of a host, the Docker engine, and a container can be checked against the Docker Benchmark from the Center for Internet Security (CIS). Cavirin’s implementation is certified by CIS.

Cavirin performs two types of analysis. The first, image scanning, looks at things within the Docker image such as security baselines and whether the system has been patched. Docker Benchmarks apply to the host, the containers, and a few apply to the images as well.
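An added example (not Cavirin’s code) of what a container-level benchmark check looks like in practice: Python that reads `docker inspect` output and flags the kind of mistakes mentioned above, such as containers running as root. The checks are modelled on CIS Docker Benchmark recommendations for running containers; the inspect records are constructed sample data, and the field layout assumed is the standard Docker inspect JSON.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields the
# checks use. Not taken from any real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "PidMode": "", "Memory": 0,
                    "SecurityOpt": None}},
    {"Name": "/api", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "PidMode": "", "Memory": 268435456,
                    "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/debug", "Config": {"User": "0"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "Memory": 0,
                    "SecurityOpt": None}},
])


def check_container(c):
    """Return the list of benchmark findings for one inspect record."""
    findings = []
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    # Config.User reflects the image USER or --user; "" or 0 means root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (no non-root user set)")
    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if not host.get("Memory"):
        findings.append("no memory limit")
    # Docker records the option as "no-new-privileges" or "no-new-privileges:true".
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("may acquire additional privileges (no-new-privileges unset)")
    return findings


def assess(inspect_json):
    """Map container name -> findings for every container in the output."""
    return {c["Name"].lstrip("/"): check_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On a real host the same function can be fed the output of `docker inspect $(docker ps -q)`, and re-run on a schedule to make the assessment continuous.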


Based on the assessment, the Cavirin platform suggests remediation actions for the customer’s production Docker container environment. These include any necessary configuration management changes, security actions, and process recommendations, to be implemented on a continuous basis. Ultimately, Cavirin mitigates the risk of:

  • Kernel exploits

  • Compromising secrets

  • Polluted images

  • Denial-of-service attacks

  • Container breakouts

Cavirin has been in the forefront of container support, co-authoring the recently announced CIS Docker 1.13 Benchmark as well as announcing a leadership role in crafting the GCP Kubernetes Benchmark.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.