I love containers. You love containers. We all love containers. But is our love for them blinding us to the fact that we often don't really know what's running within them? Snyk, an open-source security company, reports in its State of Open Source Security report 2019 that the "top ten most popular Docker images each contain at least 30 vulnerabilities."
Snyk isn't talking about security problems with container technology itself. Those problems, like the recently discovered security hole in runc, the container runtime for Docker and Kubernetes, do exist and they're as serious as a heart attack. But far more common are insecure applications within containers.
Why was this Node.js image so bad? Simple:
The current Long Term Support (LTS) version of the Node.js runtime is version 10. The image tagged with 10 (i.e.: node:10) is essentially an alias to node:10.14.2-jessie (at the time that we tested it) where jessie specifies an obsolete version of Debian that is no longer actively maintained. If you had chosen that image as a base image in your Dockerfile, you'd be exposing yourself to 582 vulnerable system libraries bundled with the image.
Snyk users, checking a wide variety of Docker images, found 44 percent of them contained known vulnerabilities.
This doesn't surprise me in the least. Far too many system administrators and developers presume that everything is kosher with the first containerized application they find. In their rush to deliver an application or service as fast as possible they grab the first containerized program that comes to hand.
There's no security magic with containerized applications. If you install any container with an older version of an application, it's pretty much a lead-pipe guarantee it will contain security bugs.
It's not just Docker's official library of containerized applications. Snyk found 44 percent of all Docker image scans had known vulnerabilities.
While Snyk will be more than happy to help you scan your own Docker images and remediate security holes, the fundamental fix is embarrassingly easy: Make and update your own images.
Or, as Snyk puts it, the "fix can be easy if you're aware. 20 percent of images can fix vulnerabilities simply by rebuilding a docker image, 44 percent by swapping the base image."
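Both findings above come down to what the FROM line of a Dockerfile says: a tag like node:10.14.2-jessie bakes in a Debian release that no longer gets security fixes, and a floating tag like node:10 is only an alias for whatever the registry happens to serve that day, so rebuilding it later silently changes what you ship. The script below is an added example, not code from the article or from Snyk, that lints a Dockerfile's FROM lines for those two cases so you know whether a rebuild or a base-image swap is the right fix. The list of end-of-life Debian suites and the sample Dockerfile are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the article or from Snyk. It applies the
# report's two findings to a Dockerfile: a tag that bakes in an obsolete
# Debian release, and a floating tag such as node:10 that only aliases
# whatever the registry serves today.

# Constructed list for this example: Debian suites past the end of security
# support. Check the Debian LTS schedule for the current set.
EOL_SUITES="wheezy jessie"

# Classify one image reference. Prints exactly one token:
#   digest          pinned by @sha256:..., so rebuilds are reproducible
#   eol-suite:NAME  tag names a Debian release that gets no more security fixes
#   floating        no tag, "latest", or a bare major version; the alias moves
#   pinned          fully specified tag; still rebuild on a schedule for patches
classify_ref() {
    ref="$1"
    case "$ref" in
        *@sha256:*) echo digest; return 0 ;;
    esac
    # Separate the tag from the repository path. A colon before the last
    # slash belongs to a registry port (registry.example:5000/app), not a tag.
    path="${ref##*/}"                    # last path component, e.g. node:10
    case "$path" in
        *:*) tag="${path##*:}" ;;
        *)   tag="latest" ;;
    esac
    for suite in $EOL_SUITES; do
        case "$tag" in
            *"$suite"*) echo "eol-suite:$suite"; return 0 ;;
        esac
    done
    case "$tag" in
        latest) echo floating; return 0 ;;
    esac
    # A tag made only of digits (node:10, python:3) floats across minor releases.
    if [ -z "$(printf '%s' "$tag" | tr -d '0-9')" ]; then
        echo floating; return 0
    fi
    echo pinned
}

# Lint every FROM line of a Dockerfile. Prints "<ref> <verdict>" per line and
# returns 1 if any base image is floating or sits on an EOL suite.
lint_dockerfile() {
    rc=0
    # Second field is the image ref unless a --platform flag comes first;
    # a trailing "AS name" is ignored because only the ref is printed.
    refs=$(awk 'toupper($1) == "FROM" { r = $2; if (r ~ /^--platform=/) r = $3; print r }' "$1")
    for ref in $refs; do
        verdict=$(classify_ref "$ref")
        printf '%s %s\n' "$ref" "$verdict"
        case "$verdict" in
            floating|eol-suite:*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample Dockerfile for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM node:10.14.2-jessie AS build
FROM --platform=linux/amd64 node:10
FROM registry.example:5000/team/base:1.4.2
EOF
if lint_dockerfile "$sample"; then
    echo "all base images are pinned"
else
    echo "at least one base image needs a swap or a pinned tag"
fi
rm -f "$sample"
```

The first sample line is the report's own case and is reported as an EOL suite: rebuilding that image will not help, because the base distribution itself no longer receives fixes, so the base image has to be swapped. The second is floating: rebuilding it does pick up patches, but what you get depends on the day, which is why pinning and rebuilding on a schedule belong together.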
Snyk isn't digging up zero day security bugs. It's just scanning for known Linux library vulnerabilities.
Snyk provides a really helpful tool. I recommend it. But if you use developer 101 security thinking with your containerized applications -- patch your programs to fix known security bugs -- you'll do just fine.
If you don't? Well, crooks will thank you, but your company executives certainly won't.