Container vendor Docker has announced Docker Security Scanning is now live. This is an opt-in service for Docker Cloud private plans that provides a security assessment of the software in contain images.
As part of the announcement Nathan McCauley, Director of Security at Docker said: “We’ve made it our goal to secure the global software supply chain from development, test to production. As with all of Docker’s tooling, Docker Security Scanning works as an integrated component without any disruption to developer productivity.
“In fact, Docker Security Scanning enables developers to accelerate their workflows while providing greater visibility into the Docker images they choose to run in their environment. In turn, with usable security capabilities and granular control, IT operations is able to flexibly configure the security policies needed to safeguard their infrastructure.”
How does it work?
Docker Security Scanning creates a detailed security profile of each container. This is presented as a Bill of Materials (BoM) giving the details of what is in the container. This is delivers as a snapshot which details each component as well as its security profile. The advantage of this is that it can be used to continuously monitor master containers to ensure that they have not been tampered with. What this means for users and those who want to use containers as part of their self-service approach is that master containers can now be fully trusted.
There is another advantage here for software and solution vendors. Being able to configure their solution properly inside a container and then provide that container to customers, partners and even cloud service providers will reduce support calls over misconfigured software. Using the Docker Security Scanning tools customers will be able to compare the digital signature of the container against that on a vendors site to ensure that it hasn’t been altered.
A significant boost for compliance
One area where Docker believes this will have a significant bonus is in compliance. Vendors and their partners can configure a container to meet the requirements of regulators. When the container is downloaded and used the IT department will be able to save substantial time retesting and approving the container. Instead, they will be able to match the signature of the container to that provided in the providers documentation and pass both to the company audit team.
There is a caveat here. It requires that there is a process that can be shown to meet compliance standards and that it has been effectively applied to the container. End-user organisations are still required to do their due diligence but this has the capability to speed up the acceptance of containers substantially. This is essential if containers are to be rapidly deployed into secure environments.
Where the master container has been configured internally, IT will now be able to get a sign-off from the compliance team that they can deploy it on-demand. As companies move to a more agile environment where applications need to scale based on demand, being able to drop in containers that are compliance ready means that a wider set of software can be more quickly deployed.
There has been a lot of discussion lately about containers and whether or not they are secure and can be trusted. The primary concern was in how to prove the container hadn’t been tampered with by hackers. The Docker Security Scanning tool should eliminate that concern by allowing end-users to compare the container signature with that in the Bill of Materials.
This raises an interesting question as to what next. If a component is later identified as being insecure and needs replacing, the BoM should make it possible to identify every container in which that component exists. If the container is still unaltered then it can be replaced. If the container is in production and the software has been customised then alerts and updates can be sent to the end-user allowing them to decide how to patch this.
While the first distribution will be to Docker Cloud customers with a private repo plan, there is clear scope for widening this. It will be interesting to see how soon after this ships in Q3 that Docker move to make it available to all their cloud partners.