Snyk sponsored this post.
Containers are the norm today for the development and deployment of both new and old applications. What isn’t always the norm though is built-in security for container developers.
There are many variables that organizations need to be aware of when it comes to container image security. It’s critical to understand what’s in the image, how it was created and who created it.
It’s important to scan containers for potential risks, but it’s even more important that developers understand what they can and should do with the results of a scan when it shows hundreds of vulnerabilities. The challenge of making container image security actionable and efficient for developers is one that requires people, process and technology.
Snyk research shows that 54% of developers currently do not test their container images during development.
In an effort to help organizations with all of these issues, Docker and Snyk have compiled insights and best practices into how organizations can improve container image security, in a new free guide titled, “Guide to Container Security for Development Teams.”
Snyk research shows that 54% of developers currently do not test their container images during development. There are a lot of different reasons why that’s the case, but the most obvious is that security testing during development hasn’t always been as easy as it should be. Thanks to a partnership between container pioneer Docker and Snyk, container security scanning can now be an integrated part of the development process.
The idea of scanning a container for potential vulnerabilities is not new, but on its own, is not enough either. Merely providing developers with a long list of detected vulnerabilities is not adequate for fixing issues inside containers. What is needed is an integrated process that can help reduce risks before a container is deployed.
Having security as part of an integrated container development process can help to accelerate overall development, reducing time that might be needed otherwise to fix issues after a container has been built. When container security is built into the development process, developers are able to ship faster and lighten the burden of monitoring in production.
Three Key Steps for Creating Secure Container Images
Scanning a container image after it has been built should not be the first security step for reducing potential risks. Scanning can and should be part of a larger process that is integrated into the development pipeline. There are three key steps that developers should consider when creating a secure container image.
At a high-level those steps are:
- Secure your code and its dependencies. Make use of tools like Snyk, to do software composition analysis (SCA), container security and static application security testing (SAST). By signing up for a free Snyk account, you can automatically find and fix vulnerabilities in Docker images and open source libraries.
- Build up with a minimal base image from a trusted source. Container images can come from anywhere, so be sure to pull from a trusted source, like Docker Hub. Choosing an image with a minimal operating system footprint can reduce the attack surface. Going a step further, one of the reasons Docker and Snyk have partnered is to enable you to go from advice to action. The integrated vulnerability scanning functionality in Docker Desktop can actually handle some of the work of base image selection for you.
- Manage all the layers in between the base image and your code. Customizing your images by starting with a minimal base and then adding your tools makes it very easy to remove these tools later, by simply taking them out of the Dockerfile. For example, a tool or library used in the building stage can be removed before the image reaches production. Scanning the middle layers is easily done with the Docker scan comment via the exclude-base option.
Within each of the three high-level steps for creating a secure container image there is the potential for vulnerabilities to exist. Vulnerabilities can (and often are) to be found in dependencies, as well as even minimal base images, across layers and in container configuration. Scanning for risks at each stage, not just at the end, is critical to achieving a more secure outcome.
There is a lot of nuance and detail into how each of the three high-level steps can be implemented that a short article can’t address. In an effort to help development teams, the new Docker and Snyk eGuide provides actionable information to help developers figure out what to fix, how to fix it in the context of a container image and Dockerfile, and where to focus efforts.
Improving container security is not a single step, nor does it require even a single tool. It’s an ongoing, multistep process that Docker and Snyk have detailed with best practices for implementation in the new free resource.
Feature image via Pixabay.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.