The concept of containerization has become massively popular since Google started perfecting it a decade or so ago. Containers, led by the ubiquitous Docker, add flexibility to development by making it possible to scale and deploy applications around different work environments with improved consistency. This increased portability coupled with the reduced overhead costs affirms that containers are the future of application deployment.
Common Container Security Challenges
A lot has been said about the benefits of containers in application deployment. DevOps experts agree that more than just a buzzword, containerization offers an excellent way to deploy and manage modern microservices-based applications.
But like any other new technology in the application development environment, containers present another potential avenue for security issues or vulnerabilities. This is where the need for an open-source vulnerability scanner comes in. We’ll talk about these tools in a minute. For now, let’s discuss some of the common container vulnerabilities to beware of if you’re planning to embrace this trendy technology.
1. Container Image Vulnerabilities
Containers are created from a set of files known as images. An image is an immutable, static file containing executable code together with everything needed to run it on a container platform such as Docker: the application, the system libraries it depends on, and supporting tools.
Users can build their own images from scratch and run them, but this takes longer. The more common option is to pull publicly available images from registries such as Docker Hub. When adopting existing images, it’s advisable to make sure they come from trustworthy sources. Beware of malicious, corrupted, and fake container images, which are used to spread malware that infiltrates the host kernel and seizes control of it.
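One concrete way to act on "make sure images come from trustworthy sources" is to refuse to build on a mutable tag at all. The following script is an added example written for this page, not code from the article or from Docker: it audits a Dockerfile and reports every FROM line whose image is not pinned to a sha256 content digest. The sample Dockerfile it scans is constructed, and the all-zero digest is a placeholder, not a real image.

```shell
#!/bin/sh
# Added example (not from the article): check that every base image a
# Dockerfile pulls is pinned to an immutable content digest. A mutable tag
# such as "alpine:3.19" can be re-pointed at a different image in the
# registry; "name:tag@sha256:<digest>" cannot.

# Returns 0 when a single image reference carries a sha256 digest, 1 otherwise.
from_is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Reads a Dockerfile, prints each FROM line whose image is not digest-pinned,
# and returns the number of such lines (0 means everything is pinned).
# "FROM <stage>" references to earlier build stages are not registry pulls
# and are skipped.
audit_from_lines() {
    file=$1
    stages=""        # aliases declared with "FROM ... AS <name>" so far
    unpinned=0
    set -f           # no glob expansion while splitting lines into words
    while IFS= read -r line; do
        set -- $line
        [ "$1" = FROM ] || continue
        shift
        while [ "${1#--}" != "$1" ]; do shift; done   # drop flags like --platform=...
        ref=$1
        if [ "$2" = AS ] || [ "$2" = as ]; then stages="$stages $3 "; fi
        case " $stages " in *" $ref "*) continue ;; esac
        if ! from_is_pinned "$ref"; then
            printf 'unpinned base image: %s\n' "$ref"
            unpinned=$((unpinned + 1))
        fi
    done < "$file"
    set +f
    return "$unpinned"
}

# Constructed sample Dockerfile (no real project): one unpinned pull, one
# stage reference, and one pinned pull with a placeholder all-zero digest.
sample=$(mktemp)
cat > "$sample" <<EOF
FROM golang:1.22 AS builder
FROM builder AS test
FROM gcr.io/distroless/static@sha256:$(printf '%064d' 0)
EOF
audit_from_lines "$sample" || echo "$? FROM line(s) need pinning"
rm -f "$sample"
```

Digest pinning complements, rather than replaces, registry-side signing: with `DOCKER_CONTENT_TRUST=1` set in the environment, the Docker client refuses to pull unsigned tags. Pinning still matters because a signed tag can be re-signed to point at a new image, while a digest identifies exactly one image forever.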
2. Container Cryptojacking
In this type of attack, the attacker uses a malicious script to access and hijack computational resources. The hijacked resources are then used to mine cryptocurrencies, and the foothold can be abused to harvest sensitive credentials, launch phishing campaigns, carry out DoS attacks, and more.
The first container cryptojacking attack occurred around September 2019 and was found to spread via malicious Docker images. In this attack, Unit 42 alerted Docker of a worm dubbed Graboid used to infect compromised hosts with malware that mines privacy-focused cryptocurrency. By the time Docker removed the affected images from its registries, the malware had already spread to over 2000 hosts.
Reports from other similar attacks show that malicious actors actively scan the internet for vulnerable hosts using compromised images.
3. Privilege Escalation Flaws
In container development, a privilege escalation vulnerability is a security flaw that gives would-be attackers a higher level of access to the application system than the administrator intended. Malicious actors view these security issues as low-hanging fruit because they can be used to bypass other critical boundaries, including gaining access to the kernel.
runc, the low-level container runtime, is one of the most targeted container components in privilege escalation attacks. In a recent episode, containers with privilege escalation flaws allowed attackers to access the hosts.
What Can Be Done? Container Security Best Practices
When it comes to Docker container security issues, prevention is always better than remediation. Here are a few key tips on how to protect your business from cybercrime.
i) Have an Open-Source Vulnerability Scanner in Place
As the name implies, an open-source vulnerability scanner is a tool that helps you identify any security risks emanating from the use of open-source software. A reliable vulnerability scanner will ideally scan your software for all the open-source components in its codebase. Secondly, it will go through all the open-source licenses to verify that they align with your organization’s policies, which is great for legal reasons. Lastly, the scanner will scan for any vulnerabilities. It should also suggest the best fix for the vulnerability. Here are the top reasons why businesses are investing heavily in open-source vulnerability scanner tools.
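The part of a scanner's job that most often goes wrong in practice is the policy around its output: which findings block a build, and how a reviewed exception is recorded. The script below is an added example for this page, not code from the article or from any scanner vendor; it consumes a constructed, whitespace-separated "ID PACKAGE SEVERITY" list (the VULN-nnnn identifiers are placeholders, not real advisories) and fails the pipeline when any finding at or above a chosen severity is not on an accepted-risk list.

```shell
#!/bin/sh
# Added example (not from the article): a CI gate over scanner findings. The
# input format here is a constructed, whitespace-separated "ID PACKAGE
# SEVERITY" list, not any particular scanner's real output; in practice you
# would have the scanner emit JSON and convert it to this shape.

# Map a severity label to a rank so thresholds can be compared numerically.
sev_rank() {
    case "$1" in
        CRITICAL) echo 4 ;; HIGH) echo 3 ;; MEDIUM) echo 2 ;; LOW) echo 1 ;;
        *) echo 0 ;;   # unknown / unrated: never blocks on its own
    esac
}

# Usage: gate_findings <lowest blocking severity> <findings file> [accepted-risk file]
# Prints each finding at or above the threshold and returns the number that
# block (0 = build may proceed). Findings whose ID appears in the accepted-risk
# file are reported but not counted, so a documented, reviewed exception does
# not block the pipeline forever.
gate_findings() {
    min=$(sev_rank "$1"); file=$2; accepted=${3:-/dev/null}
    blocked=0
    while read -r id pkg sev _; do
        case "$id" in ""|\#*) continue ;; esac     # skip blank lines and comments
        [ "$(sev_rank "$sev")" -ge "$min" ] || continue
        if grep -Fxq "$id" "$accepted"; then
            printf 'ACCEPTED %-8s %-12s %s\n' "$sev" "$pkg" "$id"
        else
            printf 'BLOCK    %-8s %-12s %s\n' "$sev" "$pkg" "$id"
            blocked=$((blocked + 1))
        fi
    done < "$file"
    return "$blocked"
}

# Constructed sample findings (placeholder IDs, not real advisories).
findings=$(mktemp)
cat > "$findings" <<'EOF'
# ID PACKAGE SEVERITY
VULN-0001 openssl CRITICAL
VULN-0002 zlib HIGH
VULN-0003 curl MEDIUM
VULN-0004 bash LOW
EOF
accepted=$(mktemp)
printf 'VULN-0002\n' > "$accepted"     # reviewed exception: zlib finding accepted
gate_findings HIGH "$findings" "$accepted" || echo "build blocked by $? finding(s)"
rm -f "$findings" "$accepted"
```

The accepted-risk file is deliberately a plain list kept in the repository, so every exception goes through code review and shows up in history; a team that wants exceptions to expire can add a date column and have the gate ignore entries past it.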
ii) Say No to Root Docker Containers
As you may already know, Docker containers run as root by default. This means that any process running in the container is running as root on the host too. That may not be a big deal if you mainly use Docker to test your applications; in fact, it adds a lot of convenience because you won’t have tons of permission settings to deal with.
However, running your containers as root presents a severe security risk in production. If a malicious user can penetrate the application, they might also reach the host and cause further damage. Breaking out of a container running as root is even easier if the container was started with incorrect flags.
There are several ways of fixing this issue. You can:
- Add a USER instruction to your Dockerfile so the container starts as a non-root user.
- Add securityContext settings to the pod spec that require it to run as a non-root user.
- If you’re running Kubernetes orchestration, use a pod security policy to enforce this across the cluster.
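The three fixes above fit together as one change: the Dockerfile drops to a numeric non-root UID, the pod spec tells the kubelet to refuse anything else, and a pre-build check catches a Dockerfile whose last USER instruction is still root. The script below is an added example written for this page, not code from the article or from the Docker or Kubernetes projects; the `./app` binary, UID 10001 and the `example.invalid` image reference are hypothetical. Note that PodSecurityPolicy, the mechanism the third bullet refers to, was deprecated in Kubernetes 1.21 and removed in 1.25; its replacement, Pod Security Admission, enforces the same "no root" rule when a namespace carries the `pod-security.kubernetes.io/enforce: restricted` label.

```shell
#!/bin/sh
# Added example (not from the article): a Dockerfile that drops to a non-root
# user, the matching Kubernetes securityContext, and two quick checks that a
# CI job can run over a repository before anything is built or deployed.

# Prints the user set by the LAST USER instruction (the one the container
# actually starts as) and returns 0 if it is non-root, 1 if it is root/0 or
# the Dockerfile never sets USER at all. An optional ":group" is dropped.
dockerfile_effective_user() {
    file=$1
    user=""
    set -f                         # no glob expansion while splitting lines
    while IFS= read -r line; do
        set -- $line
        if [ "$1" = USER ]; then user=${2%%:*}; fi
    done < "$file"
    set +f
    printf '%s\n' "${user:-<none>}"
    case "$user" in ""|root|0) return 1 ;; *) return 0 ;; esac
}

# Returns 0 if a pod manifest asks the kubelet to refuse root. With
# runAsNonRoot: true the kubelet checks the image's user and will not start
# a container whose USER resolves to UID 0, or is a name it cannot resolve to
# a numeric UID, which is why the Dockerfile below uses a number.
pod_requires_nonroot() {
    grep -Eq '^[[:space:]]*runAsNonRoot:[[:space:]]*true[[:space:]]*$' "$1"
}

# Constructed hardened Dockerfile (hypothetical ./app binary, UID 10001).
# addgroup/adduser flags are the BusyBox ones shipped in Alpine.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
FROM alpine:3.19
RUN addgroup -S -g 10001 app && adduser -S -u 10001 -G app app
COPY --chown=10001:10001 ./app /app
USER 10001:10001
ENTRYPOINT ["/app/server"]
EOF

# Constructed pod spec with the matching securityContext (image is a placeholder).
pod=$(mktemp)
cat > "$pod" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: example-app
spec:
  containers:
  - name: app
    image: example.invalid/app@sha256:<digest-placeholder>
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
EOF

echo "Dockerfile runs as: $(dockerfile_effective_user "$hardened")"
pod_requires_nonroot "$pod" && echo "pod spec requires non-root"
rm -f "$hardened" "$pod"
```

The Dockerfile check looks at the last USER instruction only, because that is the one Docker honours; a USER line followed by `USER root` further down is a common way the fix silently regresses. The manifest check is a grep, adequate as a pre-commit sanity check but not a substitute for admission control in the cluster.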
iii) Set Up a Private Docker Container Registry
A Docker container registry is a server-side repository where you store the images created during application development. Other items you can store in a registry include control parameters and application programming interface (API) paths.
Container registries can be public or private. A public registry is relatively basic in features and generally easy to use. But it will serve the purpose if your organization is new and small.
As your business expands and security concerns begin piling up, you may want to switch to a private container registry. Besides keeping your store confidential, a private container image registry offers you control over who can access the stored images. It also allows you to scan the images for vulnerabilities and even patch whenever necessary.
iv) Keep Your Images Small and Clean
The significant advantage that containers have over VMs is their small size. Their lean nature not only boosts their portability but also reduces your workload’s attack surface.
Here are several secrets for creating small Docker images:
- Ensure that you’re pulling parent images with the lowest footprint possible.
- Optimize your images with a well-structured Dockerfile and a .dockerignore file.
- Use Docker's multi-stage build feature. This helps eliminate excess artifacts as you move from one build stage to the next, so only what the final stage copies in ends up in the shipped image.
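The three tips above, taken together, as an added example written for this page (not code from the article or from Docker): a two-stage Dockerfile whose shipped image is a distroless base plus one static binary, a .dockerignore that keeps source control data and key material out of the build context, and small checks that a CI job can run to confirm the final stage is minimal and the ignore file is present. The Go service, its paths and the `.pem` files are hypothetical; the "minimal base" test is a naming heuristic, not a size measurement.

```shell
#!/bin/sh
# Added example (not from the article): a two-stage Dockerfile whose final
# image holds only the compiled binary, a .dockerignore that keeps source
# control data and secrets out of the build context, and checks for both.

# Prints the base image of the LAST stage, i.e. what actually ships.
final_stage_base() {
    file=$1
    base=""
    set -f                         # no glob expansion while splitting lines
    while IFS= read -r line; do
        set -- $line
        if [ "$1" = FROM ]; then
            shift
            while [ "${1#--}" != "$1" ]; do shift; done   # drop --platform=... etc.
            base=$1
        fi
    done < "$file"
    set +f
    printf '%s\n' "$base"
}

# Prints the number of stages (FROM instructions); 1 means single-stage, so
# compilers and sources end up in the shipped image.
stage_count() {
    grep -Ec '^[[:space:]]*FROM[[:space:]]' "$1" || true
}

# Heuristic: does the shipped base look minimal (scratch, distroless, alpine
# or a "-slim" variant)? Any @sha256 digest is stripped before matching.
base_is_minimal() {
    case "${1%%@*}" in
        scratch|*distroless*|alpine*|*/alpine*|*-slim|*-slim:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints required .dockerignore entries that are missing; returns their count.
# Usage: dockerignore_missing <.dockerignore path> <entry>...
dockerignore_missing() {
    file=$1; shift
    missing=0
    for entry in "$@"; do
        if ! grep -Fxq "$entry" "$file" 2>/dev/null; then
            printf 'missing from .dockerignore: %s\n' "$entry"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed two-stage Dockerfile for a hypothetical Go service. UID 65532
# is the "nonroot" user that the distroless images ship with.
df=$(mktemp)
cat > "$df" <<'EOF'
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server ./cmd/server

FROM gcr.io/distroless/static
COPY --from=builder /out/server /server
USER 65532:65532
ENTRYPOINT ["/server"]
EOF

# Constructed .dockerignore: nothing here should ever reach the build context.
di=$(mktemp)
printf '.git\n.env\n*.pem\n**/node_modules\n' > "$di"

printf 'stages: %s\n' "$(stage_count "$df")"
base=$(final_stage_base "$df")
base_is_minimal "$base" && printf 'final base %s looks minimal\n' "$base"
dockerignore_missing "$di" .git .env '*.pem' || echo "$? .dockerignore entries missing"
rm -f "$df" "$di"
```

The `.dockerignore` matters for security as much as for size: `COPY . .` in the builder stage would otherwise pull `.git` history, `.env` files and private keys into an intermediate layer, and anything in an intermediate layer can be recovered from the build cache even if the final stage never copies it.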