On Tuesday, container platform Docker announced a new feature called Docker Security Scanning. The tool, previously codenamed Project Nautilus, performs an analysis of a container image to determine if there are any vulnerable components inside the image.
Nathan McCauley, director of security for Docker, said that potential examples of what Security Scanning would look for are outdated packages, compromised packages, and recently released vulnerabilities. McCauley said that the new feature is part of Docker’s effort to support workflows that allow users to quickly patch and update their production infrastructure.
Docker Security Scanning is now available as a free trial for three months, during which Docker Cloud users will be able to scan their private repos for vulnerable components. It will eventually come to the company’s on-premises component, Docker Datacenter, sometime in 2016. Docker has been running Security Scanning on official repos for the past six months and has secured over 400 million pulls.
In addition to rolling out Docker Security Scanning, Docker also updated Docker Bench for Security, a tool that audits a host’s configuration against specific recommendations. Docker Bench now aligns with the Center for Internet Security’s Benchmark for Docker Engine 1.11.
Both announcements play into Docker’s three-step security plan of secure platform, secure access, and secure content, which it refers to as securing the “software supply chain.”
The secure platform tier covers specifications such as using all of Linux’s isolation capabilities and making the platform secure by default. Secure access deals with the “who” of containers: security best practices around authentication, authorization, access control, and auditing. This is where the Docker 1.8 update came into play in late 2015, introducing features such as Docker Content Trust, which allows a user to verify the publisher of a specific container image. It is also the tier into which this latest announcement falls.
To determine potential vulnerabilities, Docker Security Scanning provides a deep analysis of the containers in question.
“It actually does a binary by binary analysis of a container just to look at everything that it can find inside of each of the layers of the container,” McCauley said.
It then generates a list, called a bill of materials, of all the components inside a container. That list is then cross-referenced against databases of known vulnerable software. Any time a new vulnerability comes out, users get a notification that a software patch is needed. Users are also alerted if developers are building on top of insecure libraries, so the problem can be fixed before it’s rolled out into the infrastructure.
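The workflow just described, as an added illustration that is not Docker’s code: a per-layer bill of materials for an image is cross-referenced against a vulnerability feed by version comparison, and re-running the scan after the feed gains a new advisory yields exactly the findings a user would be notified about. The image contents, advisory IDs and version thresholds are all constructed sample data.

```python
"""Constructed demo: cross-check an image's bill of materials against a vulnerability feed."""
from typing import Dict, List, NamedTuple, Tuple

Layer = Dict[str, str]       # package name -> version found in that layer
Advisory = Dict[str, str]    # keys: id, package, fixed_in (every version below fixed_in is affected)


class Finding(NamedTuple):
    layer: int       # index of the image layer the vulnerable component was found in
    package: str
    version: str
    advisory: str
    fixed_in: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so '1.0.10' sorts after '1.0.9' (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def scan_image(layers: List[Layer], feed: List[Advisory]) -> List[Finding]:
    """Walk every layer's components and report each match against the feed, attributed to its layer."""
    findings = []
    for idx, packages in enumerate(layers):
        for name, version in packages.items():
            for adv in feed:
                if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                    findings.append(Finding(idx, name, version, adv["id"], adv["fixed_in"]))
    return findings


def new_findings(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Findings present now but not before: what a user would be notified about after a feed update."""
    seen = set(previous)
    return [f for f in current if f not in seen]


# Constructed sample data (not real advisories or real image contents).
IMAGE_LAYERS: List[Layer] = [
    {"openssl": "1.0.1", "zlib": "1.2.8"},    # base layer
    {"openssl": "1.0.2", "curl": "7.40.0"},   # build step that upgrades openssl and adds curl
]
FEED: List[Advisory] = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.0.2"},
    {"id": "EXAMPLE-0002", "package": "zlib", "fixed_in": "1.2.9"},
]
NEW_ADVISORY: Advisory = {"id": "EXAMPLE-0003", "package": "curl", "fixed_in": "7.41.0"}

if __name__ == "__main__":
    before = scan_image(IMAGE_LAYERS, FEED)
    after = scan_image(IMAGE_LAYERS, FEED + [NEW_ADVISORY])
    for f in before:
        print(f"layer {f.layer}: {f.package} {f.version} affected by {f.advisory}, fixed in {f.fixed_in}")
    for f in new_findings(before, after):
        print(f"NEW after feed update: {f.package} {f.version} ({f.advisory})")
```

The base layer’s openssl 1.0.1 is still reported even though a later layer upgrades it, because the older copy remains in the lower layer; per-layer attribution tells the developer which build step introduced each component.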
Containers are one of the go-to tools for DevOps practitioners, and Docker knows this. The additional security features are slated to help “marry the needs of developers and IT operations,” McCauley said, as they enable quick and safe deployment of apps for developers and proactive risk management for operations.
One added benefit could be the increased appeal to the enterprise brought by the new security features. Docker adoption has been steady, but upping the ante on security could help anchor the firm as the go-to enterprise solution for containers.
The 3 big takeaways for TechRepublic readers
1. Docker announced Security Scanning, a new service that scans container images to see if any of their components contain known security vulnerabilities.
2. Docker also updated Docker Bench, which checks a user’s host configuration. Docker is hoping to secure and manage the entire lifecycle of a containerized application.
3. Docker’s plan for secure platform, access, and content shows that the company is trying to win more fans among the DevOps crowd, and keep itself in good standing with enterprise customers.