Docker, Inc. Adds Curated Hardened Container Images to Hub
Docker, Inc., today made available a curated catalog of hardened container images that will enable application development teams to better secure their software supply chains.
Nikhil Kaul, vice president of product marketing for Docker, Inc., said Docker Hardened Images (DHI), in addition to being free of any known vulnerabilities, will also be continuously updated to remediate any future vulnerabilities that might later be discovered.
Available via Docker Hub, third-party partners that are also providing hardened container images of their software include Cloudsmith, GitLab, Grype, JFrog, Microsoft, Neo4j, NGINX, Sonatype, Sysdig and Wiz.
DHI can be deployed on Alpine Linux and Debian operating systems, with support for additional operating systems planned, said Kaul. Each curated container image has been digitally signed and complies with the Supply Chain Levels for Software Artifacts (SLSA) framework defined by Google and the Open Source Security Foundation (OpenSSF).
Additionally, application development teams can add additional container images to the DHI images they have downloaded to extend them as needed, but those images will not inherit any of the security attributes of a DHI, noted Kaul.
DHI containers, in addition to eliminating any known vulnerabilities, are also designed to prevent them from being able to run at root. Any image running at root has major security implications because if compromised, it becomes possible to take over an entire system.
Docker container images were designed to run at root, and application developers have, historically, taken advantage of that capability to make it simpler to access operating system kernels, manage network ports and mount volumes. It can also make it easier to debug applications.
However, many developers, either because they don’t understand the security implications or simply find it inconvenient, have not made the required Dockerfile adjustments when deploying container images in a production environment. Cybercriminals, in the meantime, have become more adept at scanning for container images with known vulnerabilities through which they can gain unfettered access to system administrator tools.
By addressing those issues at the time applications are being created, application developers should be able to focus more time on building software rather than cybersecurity issues, said Kaul.
Mitch Ashley, vice president and practice lead for DevOps and application development at The Futurum Group, said that it is critical because organizations can now better address a fundamental security issue at the earliest stages of the application development process. Along with partners such as Microsoft, Cloudsmitch, GitLab, JFrog, Neo4j, NGINX, Sonatype, Sysdig, and Wiz, Docker, Inc., is making it simpler to incorporate secure container images directly into DevOps pipelines, he added.
It’s not clear to what degree application developers might be able to rely solely on hardened images to build applications, but they clearly represent a step in the right direction. While a lot of progress in terms of adoption of best DevSecOps processes and hardened container images has been made in recent years, software supply chains are still vulnerable. Half the battle, of course, is just making it as simple as possible for application developers to use curated, hardened images using DockerHub versus, for example, downloading images with known vulnerabilities found on another public repository.
There may never be such a thing as a perfectly secure software supply chain, but as best DevSecOps practices become more widely adopted, the number of security issues traced back to flaws in the way software is built and deployed should continue to steadily shrink.
