A core tenet of software supply chain security is this: know what a code package does and make sure it came from a trusted source before incorporating the component into a software project. That same mindset is necessary for container images downloaded from public repositories.
Threat analysis firm Prevasio scanned the entire DockerHub and found that 51 percent of all container images had at least one critical vulnerability and 13 percent had at least one high-severity vulnerability. Just 4 percent of the images had at least one moderate-severity vulnerability. In the same analysis, Prevasio researchers identified 6,433 images that were malicious or potentially harmful.
“If a company’s developer takes a shortcut by fetching a pre-built image, instead of composing a new image from scratch, there is a viable risk that such a pre-built image might come pre-trojanised,” the Prevasio researchers warned. “If such an image ends up in production, the attackers may potentially be able to access such containerized applications remotely via a backdoor.”
Just for context, the number of malicious or potentially harmful images accounted for just 0.16 percent of the entire Docker Hub registry.
The vulnerabilities in the images came about because the containers relied on outdated software components. Container images contain the application, the underlying operating system elements, and supporting frameworks. The point of using containers is that developers and administrators don’t have to manage all the individual components required to run the application. “The design and security practices of the team creating the original container image have a direct impact on the security of the resultant system,” said Tim Mackey, Principal Security Strategist, Synopsys CyRC.
It is far quicker (and easier) to use a pre-built Docker image containing an instance of MySQL than to install and configure the database server manually. However, if publishers aren’t keeping the images up to date with the most recent versions of their components, then those container images become part of the problem. Publishers need to update their containers regularly, and administrators should regularly scan the images for vulnerabilities.
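As an added example (not code from the article, Prevasio or Synopsys), the following Python admission check turns the two practices above into a gate: an image is accepted only when it comes from a trusted publisher, is pinned by digest rather than a re-pushable tag, and its scan findings stay within a severity budget. The trusted-publisher set, the severity limits and the sample findings are assumptions made for the example.

```python
"""Admission gate for pulled container images: trusted source, digest pin,
and a cap on scan findings by severity. Added example with assumed policy."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: only Docker Hub official images ("library/") and one verified
# publisher namespace are trusted; every other source is rejected.
TRUSTED_PUBLISHERS = {("docker.io", "library"), ("docker.io", "exampleorg")}
# Assumption: any critical or high finding fails the gate; a few moderate
# findings are tolerated until the publisher rebuilds the image.
MAX_FINDINGS = {"critical": 0, "high": 0, "moderate": 5}


@dataclass
class ImageRef:
    registry: str
    namespace: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split a reference the way the Docker client does: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    single-name Docker Hub images live under the implicit 'library' namespace."""
    name, _, digest = ref.partition("@")          # digest, if any, follows '@'
    parts = name.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    if len(parts) == 1:                           # "mysql" -> "library/mysql"
        parts.insert(0, "library")
    namespace, repo_tag = parts[0], "/".join(parts[1:])
    repo, _, tag = repo_tag.partition(":")        # registry port already removed
    return ImageRef(registry, namespace, repo, tag or None, digest or None)


def check_image(ref: str, findings: Dict[str, int]) -> List[str]:
    """Return the policy violations for one image; an empty list means admit."""
    img = parse_ref(ref)
    problems: List[str] = []
    if (img.registry, img.namespace) not in TRUSTED_PUBLISHERS:
        problems.append(f"untrusted publisher {img.registry}/{img.namespace}")
    if img.digest is None:
        problems.append("not pinned by digest; tag can be re-pushed")
    for sev, limit in MAX_FINDINGS.items():       # scanner counts, constructed by caller
        if findings.get(sev, 0) > limit:
            problems.append(f"{findings[sev]} {sev} findings exceed limit {limit}")
    return problems
```

Feed it the image references from a deployment manifest and the per-severity counts from whatever scanner the team runs; a non-empty result blocks the pull.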