 
        	    Lead Image © Kae Horng Mau, 123RF.com
Security issues when dealing with Docker images
The Crux with Leaks
Docker Hub is easy for users, and the docker command-line tool can directly tap into it. You can easily pick up prebuilt images for CMS, databases, or distributions and import them into your local infrastructure. But what guarantees do users have that the software running in the container is also free of vulnerabilities?
Threat Modeling
To start, you need to distinguish between threats; security experts refer to this as a threat model. In this case, there are three threat scenarios:
- The manufacturer embeds malicious code and offers infected images.
- Attackers tamper with the software en route from the manufacturer to the user.
- The manufacturer fails to eliminate known security vulnerabilities in its images.
Users need to select software vendors they trust for effective protection against the first case. Well-known and reputable companies would be reluctant to compromise their reputations, but a distant dubious download service should inspire some skepticism. Finding out who actually offers an image on the Docker Hub is important, because potentially anyone could upload it. Docker, Inc. [1] does not check uploads and typically leaves this responsibility to the user.
A good image usually contains a note on its build instructions – the docker file . Repository sites such as GitHub typically host these descriptions and let you download them. Thus, every user can reconstruct how an image was created. Of course, a review of this kind takes time, but it is worthwhile if the image in question will be playing a central role in your own infrastructure. Examples of this would be, for example, basic images for a Java application server or a preconfigured CMS in a container.
Official Images
The name of the
...Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
 
            
		





 
         
         
        