back to article Docker lets security bug sniffer dogs off the leash at container images

Docker has hit upon an idea that perhaps other platforms could potentially incorporate: scanning software components for publicly known vulnerabilities prior to deployment. Today, the software container biz will announce Docker Security Scanning, which scours private repositories in the Docker Cloud for recognized security …

  1. Robert Helpmann??
    Childcatcher

    Security for Developers

    The developer gets an alert that there is a security flaw in the code that needs to be rectified. The developer then checks a few boxes and deploys as is, regardless of the warning. There will be scant uptake by devs as this will be perceived as an annoying additional step in the development process.

    1. keith_w

      Re: Security for Developers

      And when some hack pwns your code, and docker says, "well we warned you" who's neck is going to be on the line?

      1. Santa from Exeter

        Re: Security for Developers

        IT Ops of course. Once the developer has pushed it they'll be chasing the latest shiny bauble and will have lost all interest.

    2. JLV

      Re: Security for Developers

      You know, it'd be nice if you didn't think all devs were idiots. I respect smart sysadmins and I find I learn a lot from them. And, though I have occasionaly seen incompetent ones, I would find it foolish to generalize against the profession.

      We kinda depend on each other, so no need for the nastyness.

      Me think there is a world of benefits from this type of idea. If you are gluing systems together, whether via Docker, VMs or package installers, that means you have atomic units of code that are versioned and IDed in repos. If versions subsequently are shown to have bugs, then, yes it'd be nice to use computer brainpower to flag it. And I don't think it's that big of a hassle to bump up versions for a good cause (rather than maniacally chasing latest across the board for no clear reason).

  2. Anonymous Coward
    Anonymous Coward

    If they pass the bug scans, IT ops can deploy the images to production systems as containers.

    Not a bad start.

    It would be better if it periodically re-scanned all the deployed images, and if a vulnerability came to like, alerted you to where these are running in your infrastructure.

    1. Anonymous Coward
      Anonymous Coward

      Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.

      I regret that I'm allowed only one upvote. Best use for a spider and closes first design flow in Docker.

    2. Lusty

      Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.

      @AC how long do you expect a container to run for? Why would I periodically rescan something designed from the ground up to redeploy repeatedly. Scanning has a performance impact, deploying from fresh does not. This technology is akin to an Exchange server which handles one email but we start up 2000 of them. The intention isn't really to leave it running long enough to be problematic.

      1. MotionCompensation

        Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.

        Why scan 2.000 times? If nothing has changed, just store the BOM in a database and inform me which containers are impacted when a new vulnerability is discovered, based on the information in the database.

      2. Anonymous Coward
        Anonymous Coward

        Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.

        > @AC how long do you expect a container to run for? Why would I periodically rescan something designed from the ground up to redeploy repeatedly.

        Who knows - it could be running for months. Not everybody eats the agile/devops daily release mantra.

        But the point is, it's not even necessary to scan every container! Rather, you scan the master image which it was spawned from.

        Hence if you have 1000 containers running from the same image, you only need to scan one; and the scanning should take place on your repository, not the production servers, so has no service impact.

        All you need to do is to track which containers were spawned from which images. If the master image is no longer being used by any running containers, then it can be garbage-collected anyway.

    3. Adam 52 Silver badge

      Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.

      We do this now. But we deploy the known vulnerable containers anyway - it's just too hard to patch everything and retest.

      We do try to patch important stuff. So, for example, a vulnerability in tiff parsing we'd let through because we never parse tiffs in production. There's risk here of course, but it's part of using Docker in a microservice environment.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022