Heartbleed and Shellshock thriving in Docker community
DevOps has revolutionised IT, but security best practices are being skimmed over, which means old vulnerabilities are finding a new lease of life in Docker
Companies risk exposure to old security vulnerabilities unless they put a lid on their containers, with poor IT security hygiene leaving some Docker containers open to high-risk attacks.
Speaking to Computer Weekly about the attack surface of containers such as Docker, Gavin Millard, technical director at Tenable, said most organisations don’t even realise they are running containers.
“They don’t think there is an issue because they don’t know about it. One of the problems with containers is that IT ops can deploy infrastructure very quickly as they are utilised by DevOps,” he said.
While DevOps enables teams to create code and the IT environment needed to run their applications very quickly, Millard said the code may not be as secure as it should be.
“One of the drawbacks of DevOps is that the IT is no longer predictable; it is ephemeral,” he added.
While IT is already struggling to cope with software risks in applications developed in the traditional way, DevOps exposes more holes.
Millard cited the example of when developers take a Docker base image to build their application – effectively a snapshot image of the container. The developer keeps it offline and adds their applications. “The risk occurs when there is a vulnerability in the container,” said Millard.
According to Tenable’s research, current Docker containers do have some vulnerabilities. But the bigger problem is with community images on the Docker store, warned Millard, because “Dockerised applications can contain old current vulnerabilities”.
“We took the top 6,000 images and assessed them for vulnerabilities. On average, the vulnerability count in the official Docker images was 16. But the average in community images was 40,” he said.
When it looked at the vulnerabilities in the official images, Tenable identified three-quarters of the risks as “high”. In contrast, 34% of the risks identified in community Docker images were found to be “critical”.
Of the 6,000 images it assessed, Millard said 59 had the Shellshock flaw, while 359 contained the Heartbleed bug. “The problem is that these vulnerabilities are critical and old, which means exploit kits are readily available,” he said.
One of the big security issues facing DevOps, according to Millard, is that software is not being kept up to date. “Policy can be defined and governance can be added to identify vulnerabilities, but people have to follow process and organisations need to define a robust process that adds governance into containers,” he said.