Container Security Stepping Up to the Plate

by Paul Rubens

The recent launch of Docker Security Scanning is just the latest sign that the security ecosystem around containers is getting stronger by the week.

It's a measure of a technology platform's maturity when there's a widespread ecosystem of security software built around it.

So it's highly significant that Docker announced the launch in mid-May of Docker Security Scanning (DSS). The service, formerly known as Project Nautilus, provides an element of security for Docker images in Docker Cloud private repositories and for official repos in Docker Hub.

Docker also announced an update to Docker Bench, which automates checking host configurations against benchmark best practice recommendations from the Center for Internet Security.

It's all part of a drive to make containers more secure, although they won't exactly be eliminating the need for virtual machines anytime in the foreseeable future, says Nathan McCauley, Docker's security director.

"I think that we will still be thinking about virtual machines and containers in the long run," McCauley says. "But isolation will improve in container runtimes so they become closer and closer to virtual machines."

He also says the emphasis of container security will be to protect containers from remote attackers, and isolation features will make applications more secure.

"But if folks are concerned about protecting (container) hosts from containers, that's where containers and VMs will work together," he adds.

Docker Security Scanning's Approach to Container Security

Back to DSS then. Essentially the way it works is this.

When you push a new image into a repository, this triggers a scan of the image. First, the scanner service separates the image into its respective layers and components, after which it does a binary-level scan of the contents of each package (to ensure that they are indeed what they claim to be).

Then the package name and version information and the binary-level scans are sent to a CVE scanning validation service to check (against multiple CVE databases) whether any of the software has known security vulnerabilities that could be exploited.

A Bill of Materials (BOM) that lists all the layers and components in the image is stored in a database, and if any vulnerabilities are identified a notification is sent to the image's owner or publisher.

Whenever new vulnerabilities are discovered, the BOM database is checked to see if any previously secure images are now vulnerable, and if so, new notifications are again sent out.
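The data flow described above, sketched as an added example (this is not Docker's code and not part of the original article). The `BomStore` class, image names, package names and advisory ids are all constructed; matching is exact on package and version, and the binary-level identification of each component is assumed to have already happened.

```python
from collections import defaultdict

class BomStore:
    """Toy BOM database (hypothetical): image -> components, plus advisories."""

    def __init__(self):
        self.boms = {}                      # image -> {(pkg, version), ...}
        self.owners = {}                    # image -> owner to notify
        self.advisories = defaultdict(set)  # (pkg, version) -> advisory ids
        self.sent = set()                   # (image, advisory) already notified

    def _match(self, image):
        """Return new notifications for one image, skipping ones already sent."""
        out = []
        for comp in sorted(self.boms[image]):
            for adv in sorted(self.advisories.get(comp, ())):
                if (image, adv) not in self.sent:
                    self.sent.add((image, adv))
                    out.append((self.owners[image], image, comp, adv))
        return out

    def push_image(self, image, owner, layers):
        """Scan on push: flatten the layers into a BOM, store it, match it."""
        self.boms[image] = {comp for layer in layers for comp in layer}
        self.owners[image] = owner
        return self._match(image)

    def publish_advisory(self, adv, pkg, version):
        """New vulnerability disclosed: re-check every stored BOM."""
        self.advisories[(pkg, version)].add(adv)
        hits = []
        for image in sorted(self.boms):
            hits.extend(self._match(image))
        return hits

def demo():
    """Constructed scenario: one image flagged on push, one flagged later."""
    db = BomStore()
    db.publish_advisory("ADVISORY-EXAMPLE-1", "libfoo", "1.0")
    first = db.push_image("team/web:1", "alice",
                          [[("libfoo", "1.0")], [("libbar", "2.3")]])
    clean = db.push_image("team/api:1", "bob", [[("libbar", "2.3")]])
    # team/api:1 was clean at push time; a later disclosure changes that.
    later = db.publish_advisory("ADVISORY-EXAMPLE-2", "libbar", "2.3")
    return first, clean, later
```

The `sent` set is what keeps an owner from being notified again about the same advisory each time the BOM database is re-checked.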

It's a service that is definitely welcome, and if it sounds familiar that's probably because it is similar to a security offering from Twistlock, one of the pioneers of container security software.

"Twistlock has a number of scanning products: some overlap (with DSS functionality), while some are complementary solutions," says McCauley.

But it will be reassuring to many Docker users that Docker is providing a security service like this — after all, who knows the workings of Docker better than Docker itself?

It was that kind of argument that accounts for some of the popularity of Microsoft's security solutions, such as its free Microsoft Essentials anti-virus product. (But, perhaps worryingly, it turns out that Microsoft Essentials is actually not as good at catching viruses as some specialist anti-virus vendors' products.)

Comparing DSS and Twistlock When It Comes to Container Security

So what are the differences between DSS and Twistlock's software? According to Chenxi Wang, Twistlock's Chief Strategy Officer, Twistlock's image scanning goes a great deal further than Docker Security Scanning in a number of ways.

She says the main differences between DSS and Twistlock are these:

  • Entry point: Dr Wang says Twistlock comes into play earlier in an image's lifecycle. "We can scan vulnerabilities for an image on developer workstations, in a registry, or on a host being deployed. DSS is a dev-time only mechanism, focusing on detecting vulnerabilities for registry images only," she says.
  • Coverage: "Out of the box, Twistlock supports Docker Hub, Docker Trusted Registry, Artifactory, AWS Elastic Container Registry (ECR), Google Container Registry, and Nexus registry," Dr Wang says. By contrast, DSS only scans proprietary repos in the Docker Hub (although support for Docker Datacenter has been promised "soon.")
  • Malware scanning: DSS today only scans for vulnerabilities. Twistlock scans for vulnerabilities and malware.
  • Custom scanning rules: DSS does not allow custom scanning rules — which means it can't support custom-developed code beyond common open source libraries, according to Dr Wang. "We support both, (so) customers can upload custom-scanning rules to Twistlock and scan their custom-developed code as well as open source libraries," she says.

Whatever the differences, the launch of DSS is a welcome one, and certainly indicates at least one key point: the security ecosystem around containers is getting stronger every week.

Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.

This article was originally published on Thursday Jul 7th 2016