IT administrators can address containers' inherent security weaknesses with a Docker security checklist that covers verifying image authenticity, running with least privilege and using container security tools.
Many IT professionals consider containers a truly isolated and secure technology, but Docker has its own history of security vulnerabilities. The Common Vulnerabilities and Exposures (CVE) program, which the Mitre Corporation launched in 1999, catalogs publicly known software vulnerabilities. It assigns each Docker vulnerability an identifier and a description, and new Docker entries continued to appear through 2020.
According to the CVE Details webpage, gaining privileges is the most common category of Docker vulnerability. One example is a local privilege escalation in which an attacker plants a Trojan horse docker-credential-wincred.exe file that Docker Desktop for Windows then executes. Vulnerabilities of this kind remain a concern for Docker, and admins must think about security from the perspective of the systems under their control.
Docker security risks admins must address
The Mitre CVE database reported 59 security notices for Docker in 2020. For example, CVE-2020-7606 revealed a command injection in the docker-compose-remote-api npm package, an attack vector for anyone using that package to drive Docker Compose remotely. The CVE notice includes a detailed explanation of the vulnerability and how to mitigate the risk.
Docker images for admins' applications also pose a risk. Whenever admins download a Docker image, it's their responsibility to know which applications -- and which versions -- the image contains. A vulnerability in a database or web server running inside a container can still put the surrounding network at risk.
Network endpoints represent another threat vector for Docker containers. Before deploying, scan images for vulnerable packages and test the container's network exposure in a sandbox. Docker Hub offers built-in vulnerability scanning, Red Hat's Quay registry scans images with Clair, and Cilium (developed by Isovalent) enforces network policy between containers rather than scanning images.
Docker security checklist to mitigate container security risks
Admins can use a list of best practices to plan and execute a Docker security strategy, as well as ensure their efforts are successful in the long term.
- Use least privilege access. Least privilege access should be at the top of any security best practice list, and the same goes for Docker security. Privilege escalation flaws let attackers reach sensitive system data and execute malicious code. Never give a container more privilege than it needs for a specific task: run the process as a non-root USER, drop the Linux capabilities the workload does not need (`--cap-drop ALL`, adding back only what is required) and never start production containers with `--privileged`. Admins should also carry least privilege into the development process so applications aren't pushed to production with inherent security risks.
- Implement security testing tools. Any security-conscious development effort should include testing. Docker Bench for Security is a script that checks a Docker host, daemon and running containers against the Center for Internet Security (CIS) Docker Benchmark; it audits configuration rather than scanning for vulnerable packages, so pair it with an image scanner. CIS recommends that admins harden the container host with such tools to prevent attacks at the host level, and offers a free PDF copy of its benchmarks for both Docker and mainstream OSes.
- Ensure proper configuration management. Developers must know the contents of a specific container right down to any potential vulnerabilities. Successful Docker image configuration management tracks which images run where and what they contain, so an image from an unknown source, or one with a newly disclosed vulnerability, can be found and replaced quickly.
- Verify Docker image authenticity. Images pulled from unknown repositories can contain malicious code. Before deploying an image, admins can enable Docker Content Trust (set `DOCKER_CONTENT_TRUST=1` on the client) so only signed, validated images are pulled from repositories. A security-first mindset as part of any combined DevOps workflow sets the tone to minimize potential threats.
- Select minimal base images. Large base images ship with system libraries and tools the application never uses, and each one adds vulnerabilities. Admins reduce the number of vulnerabilities introduced to a container by choosing a base image that contains only what the workload requires and pinning it to a specific tag or digest.
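As an added example of checking several of the checklist items above at once (this is not Docker Bench for Security or any other project's code), the POSIX sh script below audits a Dockerfile for an unpinned or floating base image, a final stage that still runs as root, remote downloads via ADD, and package-manager calls that bloat the image. The two sample Dockerfiles it writes are constructed for the demo, and their sha256 values are placeholders rather than real digests; the script assumes only `awk`, `grep` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not Docker Bench for Security): a POSIX-sh audit of a Dockerfile
# against the checklist above. It applies a few CIS Docker Benchmark ideas at the
# image-definition level, where problems are cheapest to fix.
#
# Findings reported (one "WARN" line each):
#   - FROM with no tag, :latest, or a tag but no @sha256 digest   (authentic, reproducible base)
#   - final build stage has no non-root USER                       (least privilege)
#   - ADD of a remote URL (unverified download baked into the image)
#   - apt-get install without --no-install-recommends, apk add without --no-cache (minimal image)
# Exit status: 0 when clean, 1 when at least one finding was printed.

warn() {
    printf 'WARN %s: %s\n' "$file" "$1"
    findings=$((findings + 1))
}

audit_dockerfile() {
    file=$1
    findings=0
    user=""
    stages=""
    tmp=$(mktemp)

    # Drop comment lines and join backslash continuations so a multi-line RUN is one record.
    awk '
        /^[ \t]*#/ { next }
        { line = $0 }
        sub(/\\[ \t]*$/, "", line) { buf = buf line " "; next }
        { print buf line; buf = "" }
    ' "$file" > "$tmp"

    while IFS= read -r line; do
        instr=$(printf '%s\n' "$line" | awk '{ print toupper($1) }')
        case "$instr" in
        FROM)
            user=""    # every stage starts as root; only the final stage's USER counts
            ref=$(printf '%s\n' "$line" | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }')
            alias=$(printf '%s\n' "$line" | awk 'NF >= 4 && toupper($(NF-1)) == "AS" { print $NF }')
            [ -n "$alias" ] && stages="$stages $alias"
            case " $stages " in *" $ref "*) continue ;; esac    # FROM <earlier stage>: nothing to pin
            tail=${ref##*/}                                      # strip registry/namespace before inspecting the tag
            case "$tail" in
            scratch|*@sha256:*) ;;                               # nothing to pin, or already pinned by digest
            *:latest) warn "FROM $ref uses the floating :latest tag; pin a version and a digest" ;;
            *:*)      warn "FROM $ref is pinned by tag only; add @sha256:<digest> so the base cannot change silently" ;;
            *)        warn "FROM $ref has no tag (defaults to :latest); pin a version and a digest" ;;
            esac ;;
        USER)
            user=$(printf '%s\n' "$line" | awk '{ print $2 }') ;;
        ADD)
            case "$line" in
            *://*) warn "ADD downloads from a URL; COPY a verified artifact or RUN curl plus a checksum check instead" ;;
            esac ;;
        RUN)
            if printf '%s\n' "$line" | grep -Eq 'apt-get[[:space:]]+install' &&
               ! printf '%s\n' "$line" | grep -q -- '--no-install-recommends'; then
                warn "apt-get install without --no-install-recommends pulls in packages the image does not need"
            fi
            if printf '%s\n' "$line" | grep -Eq 'apk[[:space:]]+add' &&
               ! printf '%s\n' "$line" | grep -q -- '--no-cache'; then
                warn "apk add without --no-cache leaves the package index in the image"
            fi ;;
        esac
    done < "$tmp"
    rm -f "$tmp"

    case "$user" in
    ""|root|0|root:*|0:*) warn "final stage sets no non-root USER; the container process runs as root" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample Dockerfiles for the demo (the sha256 values are placeholders, not real digests).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.Dockerfile" <<'EOF'
FROM ubuntu
ADD https://example.com/app.tar.gz /opt/
RUN apt-get update && apt-get install -y \
    curl
CMD ["/opt/app"]
EOF
    cat > "$dir/hardened.Dockerfile" <<'EOF'
FROM golang:1.21@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .

FROM gcr.io/distroless/static:nonroot@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=build /app /app
USER 65532:65532
ENTRYPOINT ["/app"]
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: the weak file yields four findings, the hardened one none.
samples=$(make_samples)
for name in weak hardened; do
    if audit_dockerfile "$samples/$name.Dockerfile"; then
        echo "OK   $samples/$name.Dockerfile: no findings"
    fi
done
```

The image-level checks are only half of least privilege: at run time, still start the container with `--cap-drop ALL` (adding back only the capabilities the workload needs), `--security-opt no-new-privileges` and, where the application allows it, `--read-only`, and run Docker Bench for Security against the host to cover the daemon and runtime settings this script does not look at.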