Docker Security


As DevOps become more and more popular, fewer businesses can avoid the use of containers. Containers make deploying servers and services easier and more efficient. Today, one of the most popular container platforms is Docker, which eliminates the “works on my machine” problems that can occur when working on code with a team.

Why

People reading about Docker security can get the impression that Docker is completely insecure, and that is should not be used for production. Although there are several security issues relating to using containers, Docker, at least when it is properly used, provides a much safer and more efficient system than VMs (Virtual Machines) or bare metal. However users should still be aware of the potential security risks that can arise from using Docker containers. This Working Session will focus on the most common issues regarding Docker security, and techniques for properly securing container-based systems.

What

While there are several security issues which show up when reviewing Docker security, the following four are identified as the most important ones:

  • The intrinsic security of the kernel and its support for namespaces and groups
  • The attack surface of the Docker daemon
  • Loopholes in the container configuration profile, either by default, or when customized by users
  • The “hardening” security features of the kernel and how they interact with containers

Outcomes

The outcome of this Working Session will be a document which summarizes the most common security concerns when using Docker and practical advice on how to protect from them.

Synopsis and Takeaways

General Security recommendation should be addressed and links should be shared.

General Docker Security Considerations

  • Docker has a shared kernel with host
  • Do not run containers as privileged if not needed
  • Review of Dockerfiles
    • A user is added as which the application runs
    • Credentials in the Dockerfile
    • Exposing unnecessary ports
  • Patchmanagement
  • Limits
  • Secrets Management?
  • Tools
    • Scanning of images/containers for components with known vulnerabilities
    • Benchmark of a Dockerfile

Work in Progress: https://docs.google.com/a/owasp.org/document/d/1_71svrCpC40S30kj9j0Hb3RnXaVsz8koD4EbZuSo5HQ/edit?usp=sharing A Slack Channel will be created for further communication.

Who

  • Docker Security Experts
  • Docker users who wish to learn more

References

Working materials

Here are the current ‘work in progress’ materials for this session.

Content

Architectures based on microservices have different requirements on how applications are developed, deployed, and managed during their lifecycle. This means that security models that support them must change, as well. Security must be layered in a way that will address the complete infrastructure and will often combine different technologies to ensure each layer is adequately protected. Here, Docker simplifies the whole process and brings tangible benefits in terms of development and deployment but also in terms of security. By isolating themselves without the need for using resources and reducing the host´s surface area, containers give an additional layer of security. In cases where an attacker gains access to one of the containers, he should not have the ability to gain access to the host or other containers since the containers are not namespaced. However, if a user is root in the container, that user will be root on the host which results in a potential privilege escalation attack.

More information: Most common issues when using Docker

Related Working Session(s)



Back to list of all Working Sessions and Tracks

Edit this page here