
Docker-Mania: Trust but Verify

Pavel Emelyanov


This is my first post for the BIS-Expert blog, so I should say a couple of words about myself: I’m a chief architect at Virtuozzo, and I often face security problems when using virtual environments and containers.

Today I want to discuss the wildly popular Docker solutions. Application container systems tend to attract a user’s interest, because they can run Docker containers in any environment. They can launch a ready container with optimized software in any new environment—on a physical or virtual machine, a server, or a cloud. The application will work within whichever environment it’s placed. Considering the global trend of virtualization, and the success of the technology, Docker solutions have been building momentum in the market, especially over the past year.

But here’s the problem: There’s a huge hole in the Docker ecosystem, which is mainly caused by a “baby disease” of Docker’s technology. Users download unsigned and unverified images from GitHub, Quay, or some other resource. There is no verification process when downloading, so users don’t know where the files come from. Nobody guarantees site authenticity, so any user can become a victim of resource phishing or packet fraud. As a result, there is no way to tell what, exactly, the user launched.

Docker developers have acknowledged this problem, and they’re working to correct the bug as soon as possible. In addition, associations like the Open Container Initiative (OCI) are developing standards to help address security problems and find solutions. (I know this because I’m a member of the OCI board.) In particular, OCI is building a signature and origin verification procedure into the container standard. Until those processes are finished, however, there’s just no protection.

Trojans are one example of the security threats that users could face when downloading unverified software. They might think they are downloading nginx, but instead get a spam-bot, key logger, or any other surprise as a bundle. Many experts are paying attention to this problem; however, they haven’t seen any real-world incidents just yet. Perhaps malefactors don’t think the Docker niche is economically attractive. Or maybe existing exploits have not yet been recognized or researched. But that doesn’t mean that security breaches won’t happen. The threat is very real.

What can you do to protect yourself? If you are considering using containers, carefully verify the origin and the image itself. Don’t be a victim of new technology’s growing pains.
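
One way to check "the image itself", as an added example that is not from the original post: pin the image by a SHA-256 digest obtained from a source you trust, then confirm that the manifest and every blob it lists hash to the expected values. The helper names and sample bytes below are constructed for illustration; a matching digest proves integrity against the pin, not who published the image.

```python
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Digest string in the form registries use: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_image(pinned_digest: str, manifest_bytes: bytes, blobs: dict) -> list:
    """Return a list of problems; an empty list means every byte matches the pin."""
    # Step 1: the manifest itself must hash to the digest obtained out of band.
    if sha256_digest(manifest_bytes) != pinned_digest:
        return ["manifest digest does not match pinned digest"]
    # Step 2: the now-trusted manifest lists the digest and size of each blob.
    manifest = json.loads(manifest_bytes)
    problems = []
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = blobs.get(desc["digest"])
        if blob is None:
            problems.append("missing blob " + desc["digest"])
        elif len(blob) != desc["size"]:
            problems.append("size mismatch for " + desc["digest"])
        elif sha256_digest(blob) != desc["digest"]:
            problems.append("digest mismatch for " + desc["digest"])
    return problems


def build_sample():
    """Constructed sample image (assumption): one config blob and one layer blob."""
    config = b'{"architecture":"amd64","os":"linux"}'
    layer = b"constructed bytes standing in for a layer tarball"
    def desc(media_type, data):
        return {"mediaType": media_type, "digest": sha256_digest(data), "size": len(data)}
    manifest = json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": desc("application/vnd.oci.image.config.v1+json", config),
        "layers": [desc("application/vnd.oci.image.layer.v1.tar", layer)],
    }).encode()
    blobs = {sha256_digest(config): config, sha256_digest(layer): layer}
    return sha256_digest(manifest), manifest, blobs


if __name__ == "__main__":
    pinned, manifest, blobs = build_sample()
    print("untampered:", verify_image(pinned, manifest, blobs))
    layer_digest = json.loads(manifest)["layers"][0]["digest"]
    swapped = dict(blobs, **{layer_digest: b"X" * len(blobs[layer_digest])})
    print("swapped layer:", verify_image(pinned, manifest, swapped))
```
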

Editor’s Note: This post was originally published by the Business Information Security Association blog.
