How secure are your containerized apps?

Containers are only as secure as their contents.

The reason Docker went open source At the Structure Conference in San Francisco, Docker COO Scott Johnston spoke to ZDNet about why Docker made a strategic bet on making its product open source.

I love containers. You love containers. We all love containers. But is our love for them blinding to us the fact that we often don't really know what's running within them?  Snyk, an open-source security company, reports in its State of Open Source Security report 2019 that the "top ten most popular Docker images each contain at least 30 vulnerabilities."

Snyk isn't talking about security problems with container technology itself. Those problems, like the recently discovered security hole in runc, the container runtime for Docker and Kubernetes, do exist and they're as serious as a heart attack. But far more common are insecure applications within containers.

Using Snyk's container security scanning command-line tool, the company found in every scanned Docker image vulnerable versions of system libraries and other security problems. For example, the official Node.js image, the popular JavaScript-based platform for server-side and networking applications, ships with 580 vulnerable system libraries. While Node.js was by far the worst, even the best of these popular applications had at least 30 publicly-known vulnerabilities.

Why was this Node.js image so bad? Simple: 

The current Long Term Support (LTS) version of the Node.js runtime is version 10. The image tagged with 10 (i.e.: node:10) is essentially an alias to node:10.14.2- jessie (at the time that we tested it) where jessie specifies an obsolete version of Debian that is no longer actively maintained. If you had chosen that image as a base image in your Dockerfile, you'd be exposing yourself to 582 vulnerable system libraries bundled with the image.

Ouch!

Snyk users, checking a wide variety of Docker images, found 44 percent of them contained  known vulnerabilities

This doesn't surprise me in the least. Far too many system administrators and developers presume that everything is kosher with the first containerized application they find. In their rush to deliver an application or service as fast as possible they grab the first containerized program that comes to hand.

Big mistake.

There's no security magic with containerized applications. If you install any container with an older version of an application, it's pretty much a lead-pipe guarantee it will contain security bugs.

It's not just Docker's official library of containerized application. Synk found 44 percent of all Docker image scans had known vulnerabilities.

While Snyk will be more than happy to help you scan your own Docker images and remediate security holes, the fundamental fix is embarrassingly easy: Make and update your own images.

Or, as Snyk puts it, the "fix can be easy if you're aware. 20 percent of images can fix vulnerabilities simply by rebuilding a docker image, 44 percent by swapping the base image."

Snyk isn't digging up zero day security bugs. It's just scanning for known Linux library vulnerabilities.

Snyk provides a really helpful tool. I recommend it. But if you use developer 101 security thinking with your containerized applications -- patch your programs to fix known security bugs -- you'll do just fine.

If you don't? Well, crooks will thank you, but your company executives certainly won't.

Related Stories: