By Tim Clark
August 19, 2015
Seeking to attract security-conscious enterprises to use its containers, Docker has unveiled a new security feature designed to reassure users that hackers cannot mount an attack using bogus Docker containers. In May 2015, BanyanOps reported that in a sample of images in Official Repositories on Docker Hub, more than 30% contained images highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, POODLE, etc.).
The new content security feature, called Docker Content Trust and implemented initially for containers in the public Docker Hub repository, uses digital signatures and two cryptographic keys to sign containers, so that Docker containers signed by a creator can be validated as unaltered by potential users before downloading. The feature is included in the Docker Engine 1.8 release.
Docker Content Trust leverages The Update Framework or TUF, a flexible, secure framework for distributing software and software updates. The Docker Content Trust announcement coincides with Docker’s production release of Notary, a Docker feature announced June 22 to create a trusted, cross-platform system for content distribution.
“As organizations evolve from a monolithic software architecture to distributed applications, the secure distribution of software becomes increasingly difficult,” Diogo Mónica, security lead for Docker, said in a statement. “Docker has the unique opportunity to leapfrog the status quo and build a system that meets the strongest standard for software distribution. With Docker Content Trust, users have a solution that works across any infrastructure, offering security guarantees that were not previously available.”
CoreOS, which created and maintains a different type of container runtime called rkt, included a similar feature to validate its containers as unaltered when it announced and released rkt in December 2014.
To maintain usability for developers and boost adoption, Docker Content Trust is designed and implemented to work within a user’s existing workflow without requiring users to learn a new set of commands or security principles.
Docker Content Trust is a new opt-in feature of Docker Engine version 1.8.0 enabled by integrating Docker Engine and Notary, to create a trusted, cross-platform system for content distribution. Designed to be platform agnostic, Notary is an open source project developed by Docker to serve as “infrastructure plumbing” for secure and trusted content distribution.
An enterprise with its own private registry, or a third-party solution, can integrate with Notary so that its repositories work with Docker Content Trust.
Docker will sign Official Repos on Docker Hub to provide users with a trusted set of base images they can use to build distributed applications. When enabled, Docker Content Trust ensures that all operations using a remote registry enforce the signing and verification of images.
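The verification chain the article describes, as an added example written for this page and not code from Docker or Notary, modelled in Go (the language Notary is written in): an offline root key signs the public key that is allowed to tag images for a repository, that repository key signs a tag bound to the sha256 digest and length of the manifest, and a client holding only the pinned root public key verifies both signatures before trusting the bytes it downloaded. The real scheme carries more TUF metadata roles (snapshot and timestamp, served by Notary) than this model; the key algorithm (Ed25519), the record layout, the repository name and the manifest bytes are all assumptions constructed for the example. The client is assumed to have obtained the root public key out of band or on a first, trusted pull.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TargetsKeyRecord is what the offline root key signs: the public key that
// is authorized to sign tags for one repository.
type TargetsKeyRecord struct {
	Repo       string
	TargetsPub ed25519.PublicKey
	RootSig    []byte // root signature over keyRecordMessage(Repo, TargetsPub)
}

// TargetRecord is what the repository (targets) key signs: a tag bound to
// the sha256 digest and length of the manifest it must resolve to.
type TargetRecord struct {
	Repo       string
	Tag        string
	Digest     []byte // sha256 of the manifest bytes
	Length     int
	TargetsSig []byte
}

// Canonical byte strings that are signed; NUL separators stop field
// boundaries from being ambiguous (a constructed layout, not TUF's JSON).
func keyRecordMessage(repo string, pub ed25519.PublicKey) []byte {
	return []byte("targets-key\x00" + repo + "\x00" + hex.EncodeToString(pub))
}

func targetMessage(repo, tag string, digest []byte, length int) []byte {
	return []byte(fmt.Sprintf("target\x00%s\x00%s\x00%s\x00%d",
		repo, tag, hex.EncodeToString(digest), length))
}

// Publisher side: the root key (kept offline) delegates to the targets key.
func SignTargetsKey(rootPriv ed25519.PrivateKey, repo string, targetsPub ed25519.PublicKey) TargetsKeyRecord {
	return TargetsKeyRecord{Repo: repo, TargetsPub: targetsPub,
		RootSig: ed25519.Sign(rootPriv, keyRecordMessage(repo, targetsPub))}
}

// Publisher side: the targets key binds a tag to one exact manifest.
func SignTarget(targetsPriv ed25519.PrivateKey, repo, tag string, manifest []byte) TargetRecord {
	sum := sha256.Sum256(manifest)
	return TargetRecord{Repo: repo, Tag: tag, Digest: sum[:], Length: len(manifest),
		TargetsSig: ed25519.Sign(targetsPriv, targetMessage(repo, tag, sum[:], len(manifest)))}
}

var ErrUntrusted = errors.New("content trust: verification failed")

// VerifyPull is the client check: pinned root -> targets key -> tag -> bytes.
// Every failure returns an error wrapping ErrUntrusted so callers can refuse
// to run the image without inspecting the message.
func VerifyPull(rootPub ed25519.PublicKey, kr TargetsKeyRecord, tr TargetRecord,
	repo, tag string, manifest []byte) error {
	if kr.Repo != repo || tr.Repo != repo || tr.Tag != tag {
		return fmt.Errorf("%w: records do not match requested %s:%s", ErrUntrusted, repo, tag)
	}
	if !ed25519.Verify(rootPub, keyRecordMessage(kr.Repo, kr.TargetsPub), kr.RootSig) {
		return fmt.Errorf("%w: targets key not signed by the pinned root key", ErrUntrusted)
	}
	if !ed25519.Verify(kr.TargetsPub, targetMessage(tr.Repo, tr.Tag, tr.Digest, tr.Length), tr.TargetsSig) {
		return fmt.Errorf("%w: tag record not signed by the repository targets key", ErrUntrusted)
	}
	sum := sha256.Sum256(manifest)
	if tr.Length != len(manifest) || !bytes.Equal(sum[:], tr.Digest) {
		return fmt.Errorf("%w: manifest digest mismatch for %s:%s", ErrUntrusted, repo, tag)
	}
	return nil
}

// RunScenarios exercises a genuine pull, a modified manifest, and a tag
// record signed by a key the root never authorized. All keys and the
// manifest are constructed here for the example.
func RunScenarios() (valid, tampered, unauthorizedKey error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	targetsPub, targetsPriv, _ := ed25519.GenerateKey(rand.Reader)
	const repo, tag = "example/app", "1.0" // constructed repository and tag
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:constructed-layer-digest"]}`)

	kr := SignTargetsKey(rootPriv, repo, targetsPub)
	tr := SignTarget(targetsPriv, repo, tag, manifest)
	valid = VerifyPull(rootPub, kr, tr, repo, tag, manifest)

	// Same signed records, but the registry returned different bytes.
	modified := append(append([]byte{}, manifest...), []byte(`,"extra":1`)...)
	tampered = VerifyPull(rootPub, kr, tr, repo, tag, modified)

	// Records that are internally consistent but chain to the wrong root.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherKR := SignTargetsKey(otherPriv, repo, otherPub)
	otherTR := SignTarget(otherPriv, repo, tag, manifest)
	unauthorizedKey = VerifyPull(rootPub, otherKR, otherTR, repo, tag, manifest)
	return
}

func main() {
	valid, tampered, unauthorizedKey := RunScenarios()
	fmt.Println("genuine pull:", valid)
	fmt.Println("modified manifest:", tampered)
	fmt.Println("unauthorized signing key:", unauthorizedKey)
}
```

The point the two failing scenarios make is the one the article attributes to the design: a signature from the repository key alone proves nothing unless that key is itself vouched for by the root key the client already trusts, and a valid signature still does not help if the bytes actually fetched do not hash to the signed digest. Real deployments add the timestamp and snapshot roles so that a registry also cannot serve an old but validly signed tag indefinitely; that freshness check is outside this model.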
“Companies can now make sure that the images they pull down from the public repos are from the actual source/publisher and that they haven't been tampered with,” said Amrit Williams, CTO at CloudPassage, whose flagship Halo security platform supports the Docker 1.6 security benchmarks.
Williams added: “This is a good step forward and an important part of improving the Docker supply chain, but it still doesn't address all of the security concerns of the containers or the Docker server itself. Administrators still must configure Docker servers securely (i.e. the CIS benchmarks) and ensure no vulnerabilities exist.”
Ben Bernstein, CEO at Docker security firm Twistlock, added: “Notary is a very fundamental and important platform capability. It was available on the Docker Experimental version for a while, and we made thorough tests to it in the past few weeks (with full cooperation from the Docker security team) and can say it is stable and written using the highest standards.”