The key to keeping containers secure is to think about the software running inside them, not just the software that hosts them. That’s the message Black Duck Software is aiming to send as adoption of container software increases.
In a discussion with Container Journal about container security, Black Duck said that “increasing container security means increasing the security of the applications deployed in containers.”
The company added, “Secure container frameworks are also obviously critical, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”
In other words, securing just Docker alone and the other components of your container stack—such as the container registry, host server and orchestrator—is not sufficient on its own to keep data safe. Black Duck warns admins that they also should pay close attention to the code hosted inside the containers they use.
“Unless an organization is aware that a vulnerable open-source component is included in its containers, it’s highly probable that component will remain unpatched,” the company said. “But many companies remain poorly informed about the amount of open source they’re using, and blind to the vulnerabilities that may be in that open source.”
The Holistic Container Security Challenge
Black Duck sells tools designed to scan open-source software for security vulnerabilities and other problems, so warning Docker users to secure the code inside their containers is an obvious thing for the company to do—especially because open-source apps are popular within the Docker ecosystem.
Plus, scanning application code for vulnerabilities is important no matter how you are running the applications, whether it is on bare metal, in virtual machines or inside containers. In this respect, the point Black Duck is making is not a very novel point.
Still, the danger of unsecure application code is especially easy to overlook when planning for a secure container deployment. Docker is a newish and exciting technology, and security tools designed to harden your Docker software stack against cyberattacks are just now emerging. They’re the first place most admins will look when they think about Docker security.
But as with any type of infrastructure, you also need to secure the actual software you are hosting. Otherwise, even the best-designed Docker environment could let attackers in.