Docker - Continuous Build Security Assessment

Docker

Continuous Build Security Assessment

Rocco Gagliardi
by Rocco Gagliardi
on May 04, 2017
time to read: 8 minutes

Docker: “Build, Ship, and Run …”, Continuously is implied. But the jump from Build to Ship looks pretty simple. Sure, at Docker they know it’s not so simple: before you can ship a container, some tests must be performed.

Docker – in general containerized software – claim to optimize the Continuous-Delivery/-Integration process (CD/CI), reducing deployment risks, managing the infrastructure as one additional piece of code (Infrastructure as Software).

To achieve the Continuous Delivery (CD) – where you build software that can be released to production at any time – you need a Continuous-Integration (CI) process – integrating, building, and testing code within the development environment – and a Deployment Pipeline (DP) – every change goes through the pipeline and is automatically applied into production, resulting in many deployments per day. Continuous Delivery (CI) just means that you are able to do frequent deployments but you may choose not to do it, usually because businesses stability.

With particular regard to Docker, what should be tested? Where? How? In this article we try to sketch a test strategy and list some tools.

Some Docker terms

Let’s briefly recall some Docker’s ecosystem terms:

Test Strategy

Once the main components of the Docker-family has been identified, we can think about how and where to perform some security tests.

The following table sketches our testing strategy:

Test Area Goal Tests When
Docker Host Assure the host running Docker process has been secured following best practices. Is the OS updated? Is the OS hardened? (CIS Benchmark) Is the OS exposure minimized? Integrate the results, no strictly correlated with the CI cycle.
Docker File Assure the container’s definition follows best practices. Is the source trusted? ( FROM: ) Is the environment minimized? ( RUN … ) Is the network exposure minimized? ( EXPOSE ) Is the volume exposure minimized? ( VOLUME )
Integrated in the CI cycle.
Docker Image Assure the image’s static safety. Is the image trusted? The image has known vulnerabilities? Integrated in the CI cycle.
Docker Container Assure the image’s dynamic safety. The container has known vulnerabilities? The container network exposure is minimized as in the Docker file? The container volume exposure is minimized as in the Docker file?
Integrated in the CI cycle.

Test Tools

In order to be Continuous, all the tests must be integrated in the different pipelines: no manual intervention should be required.

Following is a list of tools to look for:

Tool Test Area Method License
docker-bench-security Docker Host Runs the script in a container to obtain a report. Checks are based on the CIS Docker 1.6 Benchmark. Apache 2.0
OpenSCAP Docker Images + Docker Container Use the oscap-docker to scan images/container against the CVE or custom policy and get the report. GPLv3
Clair Docker Images + Docker Container Clair is an open source project for the static analysis of vulnerabilities in application containers. Used mostly via API, the tool get vulnerability from different sources, scans the images for the installed packages, and reports threats found. Clair is part of the CoreOS products family. Apache 2.0
Twistlock Docker Images
Docker Container
Packages
Uses NIST to find CVEs and the Docker CIS for vulnerability assessment.
Runtime defense (a specialized container deployed on each Docker Host) allows security monitoring and reaction.
Commercial
Aqua Security Docker Images + Docker Container + Packages It works pretty much in the same way as Twistlock does, using a central server and agent containers running in privileged mode on every Docker host. Scalock provides a comprehensive security solution for virtual containers by adding visibility and control to containerized environments, enabling organizations to scale-out without security limitations even on a very large scale. Commercial

Summary

Docker’s ecosystem is relative new and changing rapidly. Testing is just a small part of the big picture; many other factors must be considered in order to choose the right tool. The testing methodology and objective are clear; the integration in the CD/CI process depends on the customer’s architecture.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in network routing, firewalling and log management.

Links

You need support in such a project?

Our experts will get in contact with you!

×
SQLite forensic's notes

SQLite forensic's notes

Rocco Gagliardi

Microsoft365DSC

Microsoft365DSC

Rocco Gagliardi

Office 365 Teams Security

Office 365 Teams Security

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here