Container security is getting some attention, particularly in light of the recent Docker Hub security breach.
Security is always an issue, and using Docker adds some complexity. There are a lot of points where Docker images and containers could be attacked, including, but not limited to:
- Security vulnerabilities in the application code running inside the container
- Compromised third-party images
- Image compromises at the registry level (e.g. images being replaced or modified)
Here are a few quick security tips for container security:
- Avoid having to provision and manage your own compute layer. For example, if you are using AWS, use Fargate rather than ECS on EC2 or managing your own Docker EC2 hosts. This way you don’t have to manage the underlying compute layer, which removes some attack vectors.
- Scan images for security vulnerabilities and malicious code in the registry before they are run
- Re-scan images after each change
- Review the Dockerfiles for base images (though there is no guarantee that the Dockerfile was the one used to generate the image)
- Check container registry permissions and restrict access to ensure malicious attackers don’t have access
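Pinning base images by digest rather than a mutable tag limits the exposure to a registry-level swap of a tag, and it is something a Dockerfile review can check mechanically. The following is an added example, not code from the original post: it scans a constructed Dockerfile (an assumption, for illustration) for FROM lines that are not pinned by digest, skipping `scratch` and references to earlier build stages.

```python
import re

# Constructed sample Dockerfile for illustration (not from the original post).
SAMPLE_DOCKERFILE = """\
ARG BASE=python:3.12-slim
FROM --platform=linux/amd64 golang:1.22 AS build
FROM scratch AS empty
FROM ${BASE}
FROM node@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS web
FROM build
FROM alpine
"""

# A digest-pinned reference ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def parse_from_lines(dockerfile):
    """Return (line_no, image_ref, stage_alias) for every FROM instruction."""
    stages = []
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        # Drop build flags such as --platform=..., keep image and optional alias.
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]
        if not tokens:
            continue
        image = tokens[0]
        alias = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
        stages.append((n, image, alias))
    return stages

def unpinned_base_images(dockerfile):
    """Return [(line_no, image_ref, reason)] for FROM lines not pinned by digest.
    'scratch' and earlier build stages are skipped (nothing is pulled from a
    registry); ARG-substituted references are flagged as unverifiable."""
    findings = []
    aliases = set()
    for n, image, alias in parse_from_lines(dockerfile):
        if image == "scratch" or image in aliases:
            pass
        elif "$" in image:
            findings.append((n, image, "base image comes from a build ARG"))
        elif not DIGEST_RE.search(image):
            findings.append((n, image, "mutable tag, not pinned by digest"))
        if alias:
            aliases.add(alias)
    return findings
```

Running `unpinned_base_images(SAMPLE_DOCKERFILE)` flags lines 2, 4 and 7 of the sample; the digest-pinned `node` image, `scratch`, and the `build` stage reference pass.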