Container Security: 5 Best Practices for Building with Docker
In February 2020, the FBI issued a powerful warning to the public that financial loss due to cybercrime has grown to over $3.5 billion a year. With this in mind, as the world moves toward an ever more complex digital society, security becomes ever more important.
Docker Hub and Docker Desktop have become essential tools for app developers all around the world who are creating the apps of our future, one container at a time. But the popularity of the images distributed through Docker Hub and run with Docker Desktop, and the sensitive end-user applications built on them, make these tools prime targets for attackers.
In a recent survey conducted by StackRox, 90% of respondents reported having security issues when deploying containers in their app development. Nearly half of these incidents directly resulted in the organization delaying or halting their app development workflow. Container security is a growing concern, and the best place to start addressing this concern is by following security best practices when working with Docker containers. Do you know how to secure your containers and protect your project data from theft and manipulation?
Read on for five best practices to follow with your projects to decrease your chances of being the next victim of cybercrime.
Five Best Practices for Container Security
1. Always Update
Recently, software updates have received a bad name, even leading some IT professionals to shy away from installing an update out of fear that it may do more harm than good.
The Docker daemon runs as root, and unless an image or run command says otherwise, the processes inside a container run as root too. An attacker who compromises a process in a container therefore already holds root inside that container, and any unpatched flaw in the container runtime, the daemon or the kernel that lets root in a container reach the host turns one compromised container into a compromised host. The isolation between a container and its host is only as strong as the software enforcing it, so keep that software current. If you have not done so already, consider upgrading to Docker Enterprise Edition, which offers additional security features.
Docker releases regularly ship security fixes for the engine, the runtime and the host integration, so read the release notes and treat a release that fixes a published vulnerability as urgent. Each such patch closes a known hole that, left open, is a documented entry point for an intruder.
2. Limit Capabilities and Privileges
Security and convenience pull in opposite directions, which is uncomfortable when you are developing on a deadline. But most of the Linux capabilities a container receives by default are never needed by the application inside it, and every capability left enabled is one more tool an intruder can use after compromising the process. The safer practice is to drop everything (--cap-drop=ALL) and add back individual capabilities (--cap-add, for example NET_BIND_SERVICE for a server that must listen on port 80) only when a specific need appears. When a capability is no longer needed, remove it again.
Privilege escalation is a favorite of attackers because it is often the easiest route from a foothold as an unprivileged process to root inside the container. Two settings close the common paths. First, run the application as a non-root user (a USER instruction in the image, or --user on the command line), so that there is something to escalate from in the first place. Second, stop the container's processes from ever gaining privileges they did not start with by passing --security-opt=no-new-privileges:true, which makes the kernel ignore setuid bits and file capabilities when a new program is executed.
Finally, disable or remove setuid and setgid binaries from your images unless you genuinely need them. Each one is a program that runs with more privilege than the user who invokes it, so a flaw in any of them, or a configuration that lets it run an attacker-controlled command, is a ready-made escalation path. With no-new-privileges set they cannot elevate anyway, but removing them also shrinks the image and the attack surface.
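The settings above can be checked after the fact rather than taken on trust. Here is an added example (it is not Docker's own tooling and not part of the original article) that audits the JSON returned by docker inspect for the privileged flag, dropped capabilities, no-new-privileges and a non-root user, and separately walks an unpacked image filesystem for setuid and setgid binaries. The two container records are constructed, abridged excerpts in the shape the Docker Engine API returns; the user ID 101 and the nginx image are assumptions for the illustration.

```python
"""Audit a container's runtime configuration for the hardening settings
described above, and list setuid/setgid files in an unpacked image root.

Added example, not Docker tooling.  The two JSON documents are constructed
to match the shape of `docker inspect <container>` output; only the fields
used here are relied on."""
import json
import os
import stat
from typing import List

# Constructed sample: a container started with plain `docker run nginx`
# (root user, Docker's default capability set, no security options).
DEFAULT_RUN = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web",
    "Config": {"User": "", "Image": "nginx"},
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None,
                   "SecurityOpt": None},
}])

# Constructed sample: the same container started with
#   docker run --user 101:101 --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
#              --security-opt=no-new-privileges:true nginx
HARDENED_RUN = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web",
    "Config": {"User": "101:101", "Image": "nginx"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                   "CapDrop": ["ALL"],
                   "SecurityOpt": ["no-new-privileges:true"]},
}])


def audit_container(inspect_json: str) -> List[str]:
    """Return one finding per weak setting; an empty list means it passes."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")
        host = c.get("HostConfig") or {}
        cfg = c.get("Config") or {}
        if host.get("Privileged"):
            findings.append(f"{name}: runs --privileged (all capabilities, host devices)")
        drops = host.get("CapDrop") or []
        adds = host.get("CapAdd") or []
        if "ALL" not in drops:
            findings.append(f"{name}: default capability set kept (use --cap-drop=ALL)")
        for cap in adds:
            if cap in ("SYS_ADMIN", "ALL"):
                findings.append(f"{name}: adds {cap}, which is close to full root")
        secopts = host.get("SecurityOpt") or []
        if not any(o.startswith("no-new-privileges") for o in secopts):
            findings.append(f"{name}: missing --security-opt=no-new-privileges:true")
        user = cfg.get("User") or ""
        if user in ("", "0", "root") or user.startswith(("0:", "root:")):
            findings.append(f"{name}: runs as root (set USER in the image or --user)")
    return findings


def has_setid(mode: int) -> bool:
    """True if a file mode carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root: str) -> List[str]:
    """Walk an unpacked image root (e.g. the output of `docker export`) and
    list regular files with setuid/setgid set; each is an escalation path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and has_setid(st.st_mode):
                hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_RUN), ("hardened", HARDENED_RUN)):
        print(f"[{label}]")
        for finding in audit_container(sample) or ["ok"]:
            print("  ", finding)
```

Run it against real output with docker inspect <container> piped into audit_container, and point find_setid_files at a directory produced by docker export to see which setuid binaries an image actually ships.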
3. Continue Security Education
The fight against cybercrime never ends. For every white hat hacker who uses their computer skills ethically to secure a system, there is a black hat hacker taking up the challenge of finding another way around the security.
Think of IT training for your software engineers as insurance — you’re hoping for the best, but preparing for the worst. Continued education for your development team is an investment in the future of your project, team and organization as a whole.
Don't let your organization be added to the FBI's tally of $3.5 billion in cybercrime losses this year. The more your employees know about security, the more likely your containers will stay safe, and attackers will pass you by in search of less protected prey.
4. Only Use Trusted Images
Like applications, images are available online in abundance. But don't get sloppy with your container security by assuming an image can be trusted because it is popular or its name looks right. Third-party registries often have no review of what is uploaded and can host images carrying malware that runs the moment the container starts and hands an intruder a foothold. Only use images from sources you trust, and only after they have passed your own security scan.
Whenever possible, use official or verified images directly from Docker Hub. With over 100,000 container images available, you can find almost any image you need through a simple search. If you cannot find what you need, ask Docker or Docker's community of developers for help locating a trusted source. Pin the images you build on to a specific tag, and better still to a digest, so that a later push to the same tag cannot silently change what you run.
In any case, keep your images as small as possible and include only the components you need. A smaller image has fewer packages that can carry a vulnerability and starts faster. Finally, always scan images for known vulnerabilities and malicious content before building a container on them.
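The "trusted source" rule is easy to state and easy to violate in a Dockerfile. The following added example (not a Docker tool, and not from the original article) enforces a small policy on every FROM line: base images must come from Docker Hub's official library or from an allow-listed private registry, must not use a floating tag, and must be pinned to a sha256 digest. The registry name registry.example.internal, the two sample Dockerfiles and the placeholder digest are all constructed for the illustration.

```python
"""Check the FROM lines of a Dockerfile against a simple trust policy.

Added example, not Docker tooling.  ALLOWED_REGISTRIES, the sample
Dockerfiles and FAKE_DIGEST are constructed for illustration."""
import re
from typing import List, Optional, Tuple

ALLOWED_REGISTRIES = {"registry.example.internal"}  # assumed private registry
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

FAKE_DIGEST = "sha256:" + "ab" * 32  # constructed placeholder, not a real digest

# Constructed: unpinned, unofficial and off-policy base images.
SLOPPY_DOCKERFILE = """\
FROM python
FROM someuser/utils:latest AS tools
FROM evil.example.com/base:1.2
"""

# Constructed: official and allow-listed images, pinned by digest.
PINNED_DOCKERFILE = f"""\
FROM python:3.9-slim@{FAKE_DIGEST} AS builder
FROM registry.example.internal/base:1.2@{FAKE_DIGEST}
COPY --from=builder /app /app
"""


def parse_image_ref(ref: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Split an image reference into (registry, repository, tag, digest).

    Uses Docker's naming rule: the first path component is a registry only if
    it contains '.' or ':' or is 'localhost'; otherwise the image lives on
    Docker Hub, and a bare single-component name is an official library image."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest


def check_dockerfile(text: str) -> List[str]:
    """Return one finding per policy violation; an empty list means it passes."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref in stages or ref == "scratch":  # earlier build stage or empty base
            if alias:
                stages.add(alias)
            continue
        if alias:
            stages.add(alias)
        registry, repo, tag, digest = parse_image_ref(ref)
        where = f"line {lineno}: {ref}"
        if registry == "docker.io":
            if not repo.startswith("library/"):
                findings.append(f"{where}: unofficial Docker Hub image {repo}")
        elif registry not in ALLOWED_REGISTRIES:
            findings.append(f"{where}: registry {registry} is not allow-listed")
        if digest is None:
            if tag in (None, "latest"):
                findings.append(f"{where}: floating tag, contents can change under you")
            findings.append(f"{where}: not pinned to a digest")
        elif not DIGEST_RE.match(digest):
            findings.append(f"{where}: malformed digest {digest}")
    return findings


if __name__ == "__main__":
    for label, df in (("sloppy", SLOPPY_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        print(f"[{label}]")
        for finding in check_dockerfile(df) or ["ok"]:
            print("  ", finding)
```

The digest to pin to comes from docker inspect --format '{{index .RepoDigests 0}}' on an image you have already scanned; a check like this belongs in CI so an unpinned FROM never reaches a build server.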
5. Monitor Network APIs
It is also important to actively monitor the APIs your containers expose and the network traffic between them for anything out of the ordinary. These are the surfaces through which containers are reached, so they are where an intruder arrives first. The Docker Engine API itself deserves special care: anyone who can talk to it controls the daemon, and the daemon runs as root on the host, so never expose it on a TCP port without TLS client authentication, and treat mounting /var/run/docker.sock into a container as handing that container root on the host.
There are dozens of monitoring tools that give you insight into container usage and behaviour while also surfacing potential security issues. A poorly configured API or weak network segmentation is often reported by security administrators as the point of intrusion into their container stacks.
Check your container and Docker daemon logs regularly and investigate any anomaly: a shell spawned inside a production container, a container started from an image nobody approved, a container that repeatedly crashes and restarts. Just as in medicine, early detection of a threat to your system's healthy operation can make all the difference in preventing something dire later on.
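As an added example of what "investigate any anomaly" can look like in practice, the script below (not part of the original article or of any Docker tool) runs three detections over the event stream that docker events --format '{{json .}}' produces: an interactive shell started in a running container, a container started from an image outside an allowlist, and a container that keeps exiting with a non-zero code. The event lines are constructed to match the shape of Docker's event JSON, and the image allowlist and crash threshold are assumptions for the example.

```python
"""Simple detections over Docker daemon events.

Added example, not Docker tooling.  SAMPLE_EVENTS is constructed in the
shape of `docker events --format '{{json .}}'` output; only Type, Action
and Actor.ID / Actor.Attributes are relied on.  APPROVED_IMAGES and
MAX_NONZERO_EXITS are assumptions for the illustration."""
import json
from collections import Counter
from typing import Dict, List

APPROVED_IMAGES = {"nginx:1.19", "registry.example.internal/app:2.3"}  # assumed
MAX_NONZERO_EXITS = 3  # assumed crash-loop threshold per container
SHELLS = ("sh", "bash", "dash", "ash", "zsh")

# Constructed sample event stream (one JSON object per line).
SAMPLE_EVENTS = """\
{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.19","name":"web"}},"time":1600000000}
{"Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.19","name":"web","execID":"e1"}},"time":1600000010}
{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"someuser/miner:latest","name":"helper"}},"time":1600000020}
{"Type":"container","Action":"die","Actor":{"ID":"c3","Attributes":{"image":"registry.example.internal/app:2.3","name":"api","exitCode":"137"}},"time":1600000030}
{"Type":"container","Action":"die","Actor":{"ID":"c3","Attributes":{"image":"registry.example.internal/app:2.3","name":"api","exitCode":"137"}},"time":1600000040}
{"Type":"container","Action":"die","Actor":{"ID":"c3","Attributes":{"image":"registry.example.internal/app:2.3","name":"api","exitCode":"137"}},"time":1600000050}
{"Type":"container","Action":"die","Actor":{"ID":"c3","Attributes":{"image":"registry.example.internal/app:2.3","name":"api","exitCode":"0"}},"time":1600000060}
{"Type":"image","Action":"pull","Actor":{"ID":"nginx:1.19","Attributes":{"name":"nginx"}},"time":1600000070}
"""


def _is_shell_exec(action: str) -> bool:
    """True for an exec_create whose program is a shell, e.g.
    'exec_create: /bin/sh -c id'; false for any other exec or action."""
    if not action.startswith("exec_create:"):
        return False
    cmd = action.split(":", 1)[1].strip().split()
    return bool(cmd) and cmd[0].rsplit("/", 1)[-1] in SHELLS


def detect(event_lines: str) -> List[Dict[str, str]]:
    """Return alerts in the order the triggering events were seen."""
    alerts = []
    nonzero_exits = Counter()
    for raw in event_lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("Type") != "container":
            continue
        actor = ev.get("Actor") or {}
        attrs = actor.get("Attributes") or {}
        cid = actor.get("ID", "?")
        name = attrs.get("name", "?")
        image = attrs.get("image", "?")
        action = ev.get("Action", "")
        if action == "start" and image not in APPROVED_IMAGES:
            alerts.append({"rule": "unapproved_image", "container": name, "detail": image})
        elif _is_shell_exec(action):
            alerts.append({"rule": "interactive_shell", "container": name, "detail": action})
        elif action == "die" and attrs.get("exitCode", "0") != "0":
            nonzero_exits[cid] += 1
            if nonzero_exits[cid] == MAX_NONZERO_EXITS:  # alert once per container
                alerts.append({"rule": "crash_loop", "container": name,
                               "detail": f"{MAX_NONZERO_EXITS} non-zero exits"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:18} {a['container']:8} {a['detail']}")
```

In production you would pipe the live stream into detect in a loop instead of reading a string, and the crash-loop counter would be reset on a time window; the point is that the daemon already emits everything needed to spot these three patterns, so the gap is usually in looking, not in the data.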
Safe and Secure Applications
When used for the purpose for which it was created, Docker is a useful tool for app development. But like all powerful tools, it can be used maliciously if it falls into the wrong hands. Make container security a priority for your organization by empowering yourself and your development team with up-to-date IT security training.