Expert Reaction On Half Of All Docker Hub Images Have At Least One Critical Vulnerability


It has been reported that a new security analysis of 4 million container images hosted on the Docker Hub repository revealed that over half contained at least one critical vulnerability and thousands contained malware or potentially harmful applications.

Experts Comments

December 02, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Container images are a combination of an application with operating system elements and supporting frameworks. Development teams creating distributed systems following a microservice or cloud native philosophy will select third-party container images to perform one of two functions. Either the container image is used “as is” to provide a shared service, such as with a database, or will be embedded as a base image to create a new container image. In both situations, the design and security practices of the team creating the original container image have a direct impact on the security of the resultant system. Put another way, do you trust that a third-party development team has followed security practices that are at least as stringent as those you expect your own team to follow? This is critical given that production operating systems should be hardened and have a minimal attack surface, and that container images typically have operating system components in them. When selecting an image from Docker Hub, a development team is implicitly stating that they trust the security practices of the author of that container image. Such implicit trust is risky from a security perspective, which is why many organisations are now creating hardened container images where the image hardening process is managed by a dedicated team skilled in operating system hardening which is separate from the core development team. These hardened images are then pushed to an internal registry and policies are defined that only allow images originating from hardened images in that internal registry to execute in a production cluster.
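One way to enforce the last step the comment describes (only images published by the hardening team to an internal registry may run in the production cluster), as an added illustration that is not code from the article or from Synopsys: admission-style logic in Python that parses image references the way a container runtime does, so that an implicit Docker Hub reference such as `nginx` is recognised as `docker.io/library/nginx` instead of slipping past a naive string-prefix check. The registry host `registry.internal.example.com`, the `hardened/` namespace, the requirement that images be pinned to a digest, and the two pod specs are constructed assumptions.

```python
"""Admission-style check: admit only images from an internal hardened registry.

Added illustration; not code from the article or the commenter. The registry
host, namespace, digest rule and pod specs are constructed assumptions.
"""
import re

# Constructed assumptions: the organisation's internal registry and the path
# under which the hardening team publishes approved images.
TRUSTED_REGISTRY = "registry.internal.example.com"
TRUSTED_NAMESPACE = "hardened"

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker reference rules: the first path component is a registry
    only if it contains a '.', a ':' (port) or is 'localhost'; otherwise the
    reference is an implicit Docker Hub image, and single-component names
    live under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' only if that ':' sits in the last
    # path component (a ':' earlier on would be a registry port, already split off).
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest


def image_allowed(ref):
    """Return (allowed, reason) for one image reference.

    Requires the internal registry, the hardened namespace, and a sha256 digest
    pin so that a mutable tag cannot be repointed at an unreviewed image.
    """
    registry, repo, _tag, digest = parse_image_ref(ref)
    if registry != TRUSTED_REGISTRY:
        return False, f"registry {registry!r} is not the internal registry"
    if not repo.startswith(TRUSTED_NAMESPACE + "/"):
        return False, f"repository {repo!r} is outside the hardened namespace"
    if digest is None or not _DIGEST_RE.match(digest):
        return False, "image is not pinned to a sha256 digest"
    return True, "ok"


def review_pod(pod):
    """Check every container (initContainers included); return the list of violations."""
    spec = pod.get("spec", {})
    violations = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            ok, reason = image_allowed(c["image"])
            if not ok:
                violations.append(f"{field}/{c['name']}: {c['image']}: {reason}")
    return violations


# Constructed sample pod specs (placeholder digest, not a real image).
_DIGEST = "sha256:" + "a" * 64
GOOD_POD = {"spec": {"containers": [
    {"name": "web", "image": f"{TRUSTED_REGISTRY}/hardened/nginx@{_DIGEST}"}]}}
BAD_POD = {"spec": {
    # Looks namespaced, but with no registry it resolves to docker.io.
    "initContainers": [{"name": "init", "image": f"hardened/busybox@{_DIGEST}"}],
    # Right registry and namespace, but a mutable tag instead of a digest.
    "containers": [{"name": "web", "image": f"{TRUSTED_REGISTRY}/hardened/nginx:1.25"}],
}}

if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        found = review_pod(pod)
        print(name, "ADMIT" if not found else "DENY")
        for line in found:
            print("  ", line)
```

In a real cluster the same decision would be made by an admission controller (a validating webhook or an admission policy) rather than a script, but the reference-normalisation step is the part that is easy to get wrong: an allow-list that compares raw strings will treat `hardened/busybox` as internal when the runtime will actually pull it from Docker Hub.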
