Our recent switch to Docker for our production environment has been a great success. We’re now able to confidently and swiftly deploy updates to our applications. The recent addition of Security Scanning is a great help in keeping our base images and the applications that extend from them secure.
Docker Repository Security Scanning is a recent feature added to the official Docker repository, Docker Hub. We enabled Repository Security Scanning as soon as it was available in the interests of keeping our applications up to date. You can find out more about how it works from Docker's own documentation.
It's worth going back to a traditional environment to get a better picture of the benefits that Docker's Security Scanning provides. In a traditional hosting environment you may have one big box or a base image (AMI, etc.) that you once built and that you attempt to keep up to date. In that environment it can become very hard to know the version of every single system component: perhaps one application on the server uses ImageMagick 6.8.9.8, while another application on the same server uses version 6.8.9.9.
Losing track of these small components is easy in a modern web application, where there can be hundreds of dependencies from Gemfiles, Node modules and NuGet packages. Tools such as Bundler Audit can help to a certain extent, but they often only go as far as the Gems themselves and not system-level components.
Docker Security Scanning looks at the layers that are generated during the build process and peers inside the output of each to find components. The security scanning finds components based on file hashes (I've read); this makes it really good at identifying all sorts of components that you otherwise wouldn't even know were being used. Identifying vulnerable components via hashes means the scanner is able to correctly identify the version of each component.
Each vulnerability is linked to its CVE entry, meaning we're able to look into the actual attack vector to research its severity and whether it could apply to our application. Vulnerabilities are identified via lookups in the MITRE CVE database, an authoritative source for CVE notices.
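To make the lookup step above concrete, here is a small added Python example (not code from this post or from Docker's scanner) that matches a per-layer component inventory against an advisory list. The inventory, the advisories and the CVE ids are all constructed placeholders, and version strings are assumed to be purely numeric dotted versions; it also shows why versions must be compared numerically rather than as strings.

```python
"""Match a per-layer component inventory against advisories.

Constructed sample data for illustration only: the layers, components
and advisories are made up, and the CVE ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder id, not a real CVE number
    component: str
    fixed_in: str      # first version that is no longer affected


def parse_version(v: str) -> tuple:
    """Turn '6.8.9.10' into (6, 8, 9, 10) so it sorts after '6.8.9.9'.

    Assumes purely numeric dotted versions; distro epochs or suffixes
    such as '1.0.1-4+deb8u2' would need the distro's own comparator.
    """
    return tuple(int(piece) for piece in v.split("."))


def find_vulnerable(layers, advisories):
    """Return (layer_id, component, version, cve_id) for every match.

    layers is an ordered list of (layer_id, {component: version}), i.e.
    what a scanner sees per layer, so a finding names the layer that
    introduced the vulnerable component rather than just the final image.
    """
    findings = []
    for layer_id, components in layers:
        for adv in advisories:
            version = components.get(adv.component)
            if version is None:
                continue
            if parse_version(version) < parse_version(adv.fixed_in):
                findings.append((layer_id, adv.component, version, adv.cve_id))
    return findings


# Constructed inventory: a base layer and two application layers that
# each carry their own ImageMagick build, as in the scenario above.
SAMPLE_LAYERS = [
    ("base",  {"imagemagick": "6.8.9.8", "openssl": "1.0.1"}),
    ("app-a", {"imagemagick": "6.8.9.9"}),
    ("app-b", {"imagemagick": "6.8.9.10"}),
]

# Constructed advisories with placeholder ids.
SAMPLE_ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "imagemagick", "6.8.9.9"),
    Advisory("CVE-PLACEHOLDER-0002", "openssl", "1.0.2"),
]

if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_LAYERS, SAMPLE_ADVISORIES):
        print("layer %s: %s %s affected by %s" % finding)
```

Only the base layer is reported; the app-b layer's 6.8.9.10 would be wrongly flagged by a plain string comparison, which is the kind of mistake a hash-based scanner avoids.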
Docker scans repositories when images are pushed up and upon detecting new vulnerabilities it will send a useful email that outlines the components that are vulnerable. This is a great feature since it frees us up from having to schedule in a regular look at system components and helps to make sure we catch vulnerabilities before they start to be used in attacks. It’s a proactive component in our toolbox that helps to ensure we’ve patched our applications before attacks become widespread, and it's all happening without us manually running scans.
Keeping system components up to date is important in a modern web application, where files are being uploaded, images are being resized, external APIs are being interacted with and compiled components are used for various functions such as JSON parsing and JavaScript compilation. Any component along any step could be vulnerable; the recent ImageTragick vulnerability is an example of a vulnerability that could have gone unnoticed for a much longer period of time without the helpful email from Docker.
Components in a web application are just as important to keep up to date as the frameworks and runtimes themselves. It may be only the web server that's exposed to the outside world, but anything a web application 'does' could, with the help of a vulnerable component, lead to an attack.
At Ziontech we keep runtimes, frameworks, dependencies and system components up to date on all our modern web applications, as well as following best practices in our code and infrastructure configuration, to help ensure we keep the websites we build as secure as possible.
If you're looking for a web design company in the Yeovil, Somerset area that puts time and effort into not just the initial development of web applications but also the upkeep and maintenance needed to keep them running smoothly and securely, then get in contact with us today.