December 28, 2016 | Written by: Ralph Bateman and Marisa Lopez de Silanes
Categorized: Compute Infrastructure | How-tos
Share this post:
As of May 23rd IBM Bluemix Container Service now provides a native Kubernetes operations experience while removing the burden of maintaining master nodes. Kubernetes itself is based on the Docker engine for managing software images and instantiating containers. Get the details.
Vulnerability Advisor (VA) is a component in the IBM Bluemix Container Service. It’s a security management tool that you can use to identify and manage vulnerabilities and configuration best practices for Docker images and Docker instances. It’s also an audit tool to set, enforce, and monitor security policies for Docker images and Docker instances.
VA periodically scans Docker images in the IBM Containers private registry and active Docker container instances for security vulnerabilities and weaknesses, and reports on them. It provides information about security best practices that you can adopt to strengthen your infrastructure. You can use VA to configure policies and to highlight violations in those policies.
Why secure a Docker image or a Docker instance?
System and application vulnerabilities are threats that can appear suddenly and enable hackers to maliciously attack you. When you Docker-ize an application to run in a container, the Docker image and the Docker instances that are based on that image are the cloud resources that you must keep secure.
Why use Vulnerability Advisor?
VA can be an important part of your cloud computing strategy.
It can help secure your cloud infrastructure when you’re running applications in the IBM Containers service in Bluemix. Use VA to help identify system and application vulnerabilities in your images and containers, and to mitigate security risks in your cloud infrastructure.
VA offers auditors, DevOps and developers the functionality to enforce security policies, and manage and monitor the security of Docker images and Docker instances in Bluemix.
It also scans Docker images and Docker instances directly from the source for each platform — for any vulnerability that is listed — includes direct links to each security notice so you can understand root causes and mitigation actions, and offers corrective actions as provided by the platform.
See the following table:
In addition, VA checks applications such as Apache, NGINX, and MySQL, and configuration settings (for example, whether SSH is enabled) and provides recommendations on how to make them more secure.
In VA, you can also see the total number of instances that are running based on an image, see the list of instances, and link to the instance’s individual VA reports.
How to get started securing Docker images and running Docker instances that are available in Bluemix
To get started with VA in Bluemix, consider the following information:
Adopt the multi-org infrastructure pattern when you design your Bluemix account. Organizations provide the first level of isolation and abstraction that you can use to control and define what can be done and by whom. You can design each organization around the different lines of business (LOB), the delivery phases, the roles of the users, specific projects, or a combination of these components. Each organization has its own set of cloud resources and you can configure different policies per organization. For more information, see Managing organizations and spaces.
Configure different VA policies for Docker images per organization. Each organization has its own private Docker registry, and stores copies of Docker images that are to be used within that organization. The VA policies that you configure for an organization are enforced on all the images that are stored in that private registry. For example, you can configure a policy in the Development organization that allows images that have SSH enabled to be available for deployment. In parallel, you can configure the Stage organization to enforce a different policy for SSH, that is, all images in the Stage organization cannot be deployed if SSH is enabled. You can enforce different security policies for the same images based on the mission of the organization where they are hosted. For more information, see Reviewing image vulnerability policies.
Associate with each image the name and email of the person that is responsible in your company for maintaining that image. When you build a Docker image, you can use a Dockerfile to create a new image or you can update an existing one and commit the changes into a new image.
Regardless of the method that you use, you can use the MAINTAINER field in a Dockerfile or the -a option to commit the image by using the docker commit command, to associate the author or maintainer to an image. For example, you can use the following format to capture this information:
Maria Lopez email@example.com
Note: If you need to check who is the author or maintainer of the image, you can run the docker inspect command and look for the “author” field.
Use VA reports to find out about known or new vulnerabilities in your Docker images and in your running containers. An image that is only stored in your cloud infrastructure is not a hazard to your cloud environment. However, as soon as that image is deployed into the cloud and the service that is providing is available to the external world, your cloud environment is at risk of security threats if the image becomes vulnerable or if you deployed the image with known vulnerabilities.
When new vulnerabilities are reported for an image, any running container that is based on that image is a potential risk to your overall cloud security. Active containers will not be stopped. However, you’re responsible for maintaining those images secured.
You can use VA to monitor Docker images and running containers, and identify known or new vulnerabilities. You can update the images that are vulnerable by applying the corresponding corrective actions, and then, you can push new versions into the private registry. For active containers, for example, you can update the base image and then use your DevOps pipeline to deploy the containers based on the new image that has corrected all known vulnerabilities. For more information, see Reviewing image vulnerabilities and Reviewing container vulnerabilities.
In VA, you can also see the total number of instances that are running based on an image, see the list of instances, and link to the instance’s individual VA reports. You can use this feature of VA to quickly identify in Bluemix the instances that are vulnerable in your cloud environment when an image becomes vulnerable after deployment. This feature helps you mitigate risk in your cloud environment.
Use VA reports to discover container and application configuration best practices for a Docker image. The VA report for an image also provides information about security best practices that you can adopt to strengthen that image in your cloud environment. For example, it reports on insecure default values in an application configuration file. Adoption of these practices is optional.
How to use VA to secure Docker images and Docker instances
When you define your cloud strategy, there are different roles in an organization, such as cloud security specialist, cloud infrastructure manager, DevOps, and developer. Each role has different requirements when using the cloud environment, and requires different tools and capabilities to fulfill their jobs successfully.
In Bluemix, there are different roles that you can assign to your cloud members. The following table shows the relation between Bluemix roles and cloud roles that are relevant when you use VA:
|Cloud security specialist
|Cloud infrastructure manager
The following figure shows the tasks that each cloud role does when working with VA in Bluemix:
For example, as a security specialist, you can use VA to monitor the overall security status of a Bluemix organization, check all images and running instances for known vulnerabilities, and validate that policies are being enforced.
As a DevOps person, you can use VA to configure the policies that define how secure you want to make those images and instances. You determine when an image is safe to deploy or you can block images from deployment. You can monitor the status of images and the status of instances running in Bluemix.
As a developer, you can see which vulnerabilities need corrective actions, which best practices are recommended, and the overall status of an image per the policies set for your organization.
VA provides your organization with the capability to monitor security status of Docker images and instances per market input, as well as configuration best practices. VA also gives you the ability to manage and enforce security on images in the cloud.
IBM Containers Launch in London
Vulnerability Advisor product documentation
Verify your containers are secure with Vulnerability Advisor
Is your Docker container secure? Ask Vulnerability Advisor!
Identifying insecure configurations with IBM Vulnerability Advisor