Container Images: The Next Software Supply Chain Concern? 

Containers not only provide a mechanism for packaging code in deployable, manageable units; they are also a downloadable resource that speeds up infrastructure and application configuration, letting teams stand up development environments quickly and push code to test and production. Several container registries are available; Docker Hub is one of the most prominent and widely used. Docker Hub provides official images that are reviewed and published through the Docker Official Images program (the docker-library project). Independent software vendors (ISVs) can also join the Docker Verified Publisher Program, and image signing (for example, Docker Content Trust) is available so that consumers can verify who published an image before they pull it.

The 2022 Sysdig Cloud-Native Threat Report examined the threat of malicious code hiding inside preconfigured, shared container images. The Sysdig Threat Research Team (TRT) ran an automated analysis of more than 250,000 Linux container images on Docker Hub and identified 1,777 of them as malicious. The issues found included embedded secrets, proxy avoidance and malicious websites, with cryptomining the most frequent finding. SSH and API keys, which an attacker can use to gain unauthorized access, were also present in images.

Is malicious code in container images something new? No; we have seen very similar situations going back to the early days of virtual disk images (such as VMDKs), which are still in use today. We have more than a decade of experience scanning and validating virtual machine images, and most of that experience applies directly to keeping container images with malicious content out of our environments. But there are differences in today's DevOps-driven, cloud-native world.

We must recognize that software at every layer of the application and infrastructure stack changes frequently, through new code and updates to existing software, from third-party sources and from our own software teams. The velocity of change keeps increasing, which erodes the value of point-in-time vulnerability and malware scanning: an image that was clean when it was scanned last month may have been rebuilt on a compromised base image since. A DevOps, cloud-native approach therefore requires that security checks, container image scanning included, be automated in the pipeline and re-run every time a microservice or containerized component is built, tested and deployed. That automation is essential to delivering secure applications, infrastructure and infrastructure-as-code (IaC).
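As an added example (not code from the article or from Sysdig), the following script shows what a pipeline-stage check for the embedded SSH and API keys the report describes can look like, and why it has to look at every layer: an image is a stack of layers, and a file that a later `RUN rm` "deletes" is only hidden by an OverlayFS whiteout entry while its bytes remain in the lower layer, so a scan of the final filesystem alone misses it. The image tarball, the key material and the `example/app:latest` tag are all constructed inline so the script runs offline; the regular expressions are deliberately minimal and would be extended in a real scanner.

```python
"""Layer-aware secret scan of a `docker save`-style image tarball (added example)."""
import io
import json
import re
import tarfile

# Secret types named in the Sysdig findings (SSH keys, API keys). The patterns are
# deliberately simple; a production scanner adds entropy checks and many more rules.
SECRET_PATTERNS = {
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

MAX_SCAN_BYTES = 1 << 20  # skip very large binaries; real tools stream them instead


def _tar_bytes(files):
    """Pack a {path: bytes} mapping into an uncompressed tar and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed `docker save`-style tarball (not a real image) with two layers.
    Layer 0 bakes in an SSH private key and an AWS access key id; layer 1 'deletes'
    the SSH key with an OverlayFS whiteout, which is what `RUN rm` produces.
    All key material is fake."""
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    layer0 = _tar_bytes({
        "root/.ssh/id_rsa": fake_key,
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS docs example id
        "app/README": b"no secrets here\n",
    })
    # Whiteout: a zero-length file named .wh.<name> hides the lower layer's copy.
    layer1 = _tar_bytes({"root/.ssh/.wh.id_rsa": b""})
    manifest = [{"Config": "config.json",
                 "RepoTags": ["example/app:latest"],  # hypothetical tag
                 "Layers": ["layer0/layer.tar", "layer1/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer0/layer.tar": layer0,
        "layer1/layer.tar": layer1,
    })


def scan_image(image_bytes):
    """Scan every layer of a `docker save` tarball, in order, for secrets.
    Returns one dict per hit. A hit whose file is whited out by a later layer is
    still reported (with deleted_in_layer set) because the bytes stay in the image."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            layer_data = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                for member in layer.getmembers():
                    dirname, _, base = member.name.rpartition("/")
                    if base == ".wh..wh..opq":
                        # Opaque whiteout: hides everything under dirname from lower layers.
                        for f in findings:
                            if f["path"].startswith(dirname + "/") and f["deleted_in_layer"] is None:
                                f["deleted_in_layer"] = idx
                        continue
                    if base.startswith(".wh."):
                        hidden = f"{dirname}/{base[4:]}" if dirname else base[4:]
                        for f in findings:
                            if f["path"] == hidden and f["deleted_in_layer"] is None:
                                f["deleted_in_layer"] = idx
                        continue
                    if not member.isfile() or member.size > MAX_SCAN_BYTES:
                        continue
                    data = layer.extractfile(member).read()
                    for kind, pattern in SECRET_PATTERNS.items():
                        if pattern.search(data):
                            findings.append({"layer": idx, "path": member.name,
                                             "secret": kind, "deleted_in_layer": None})
    return findings


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        status = ("live" if f["deleted_in_layer"] is None
                  else f"removed in layer {f['deleted_in_layer']} but still in the image")
        print(f"layer {f['layer']}: {f['path']} -> {f['secret']} ({status})")
```

Run against a real image with `docker save example/app:latest -o app.tar` and pass the file's bytes to `scan_image`; in a pipeline, a non-empty findings list should fail the build, and a hit that is "removed but still in the image" is the case a build-time `RUN rm` never fixes (the fix is a multi-stage build or BuildKit secret mounts so the key never lands in a layer).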

If you’d like to hear more about container image security, check out Techstrong Research Review, Episode 2. 


Mitch Ashley

Mitchell Ashley is a renowned strategist, speaker, advisor and technology executive. Mitch has led successful IT, SaaS, cloud and cybersecurity transformations. He’s led multiple teams in developing and bringing to market successful online services, cybersecurity, software and networking products and services. Mitch serves as principal at Techstrong Research where he is part of a team of preeminent experts in digital transformation, DevOps, cloud-native, cybersecurity, data and AI/ML. In this role, he works with companies to align digital transformation and technology strategies to achieve disruptive goals and high-impact outcomes. Mitch also serves as Techstrong Group CTO, is in demand as a speaker and is widely followed online on his podcasts, Analyst Corner commentary and interviews on the highly popular Techstrong TV streaming video program where he engages with top digital and tech leaders from across the industry.
