Securing Docker containers with Vulnerability Advisor in Bluemix

Vulnerability Advisor (VA) is a component in the IBM Bluemix Container Service. It’s a security management tool that you can use to identify and manage vulnerabilities and configuration best practices for Docker images and Docker instances. It’s also an audit tool to set, enforce, and monitor security policies for Docker images and Docker instances.

Securing Docker images and Docker containers

VA periodically scans Docker images in the IBM Containers private registry and active Docker container instances for security vulnerabilities and weaknesses, and reports on them. It provides information about security best practices that you can adopt to strengthen your infrastructure. You can use VA to configure policies and to highlight violations in those policies.

Why secure a Docker image or a Docker instance?

System and application vulnerabilities are threats that can appear suddenly and enable hackers to maliciously attack you. When you Docker-ize an application to run in a container, the Docker image and the Docker instances that are based on that image are the cloud resources that you must keep secure.

Why use Vulnerability Advisor?

VA can be an important part of your cloud computing strategy.

It can help secure your cloud infrastructure when you’re running applications in the IBM Containers service in Bluemix. Use VA to help identify system and application vulnerabilities in your images and containers, and to mitigate security risks in your cloud infrastructure.

VA offers auditors, DevOps and developers the functionality to enforce security policies, and manage and monitor the security of Docker images and Docker instances in Bluemix.

It also scans Docker images and Docker instances for any vulnerability that is listed directly at the source for each platform, includes direct links to each security notice so that you can understand root causes and mitigation actions, and offers the corrective actions that the platform provides.

See the following table:

Platform: security notice source
CentOS: https://lists.centos.org/pipermail/centos-announce/
Debian: https://lists.debian.org/debian-security-announce/
RedHat: https://access.redhat.com/security/security-updates/#/
Suse: http://lists.opensuse.org/opensuse-security-announce/
Ubuntu: https://lists.ubuntu.com/archives/ubuntu-security-announce/

In addition, VA checks applications such as Apache, NGINX, and MySQL, and configuration settings (for example, whether SSH is enabled) and provides recommendations on how to make them more secure.

In VA, you can also see the total number of instances that are running based on an image, see the list of instances, and link to the instance’s individual VA reports.

How to get started securing Docker images and running Docker instances that are available in Bluemix

To get started with VA in Bluemix, consider the following information:

Adopt the multi-org infrastructure pattern when you design your Bluemix account. Organizations provide the first level of isolation and abstraction that you can use to control and define what can be done and by whom. You can design each organization around the different lines of business (LOB), the delivery phases, the roles of the users, specific projects, or a combination of these components. Each organization has its own set of cloud resources and you can configure different policies per organization. For more information, see Managing organizations and spaces.

Configure different VA policies for Docker images per organization. Each organization has its own private Docker registry, which stores copies of the Docker images that are to be used within that organization. The VA policies that you configure for an organization are enforced on all the images that are stored in that private registry. For example, you can configure a policy in the Development organization that allows images that have SSH enabled to be available for deployment. In parallel, you can configure the Stage organization to enforce a different policy for SSH, so that no image in the Stage organization can be deployed if SSH is enabled. You can enforce different security policies for the same images based on the mission of the organization where they are hosted. For more information, see Reviewing image vulnerability policies.

Associate with each image the name and email of the person that is responsible in your company for maintaining that image. When you build a Docker image, you can use a Dockerfile to create a new image or you can update an existing one and commit the changes into a new image.

Regardless of the method that you use, you can associate an author or maintainer with an image by using the MAINTAINER instruction in a Dockerfile, or the -a option of the docker commit command when you commit the image. For example, you can use the following format to capture this information: Maria Lopez <maria.lopez@company.com>

Note: If you need to check who is the author or maintainer of an image, run the docker inspect command and look for the "Author" field.
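As an added example (not part of the original post or the VA product), the following script audits the maintainer information described above across the JSON that `docker inspect` prints for a set of images. It reads the "Author" field set by MAINTAINER or `docker commit -a`, falls back to the `maintainer` label (the LABEL form that replaced MAINTAINER), checks that the value follows the `Name <email>` format, and flags images whose maintainer is missing or malformed. The inspect output, image tags and maintainer values are constructed sample data.

```python
import json
import re
from typing import Optional

# Format the post recommends for the maintainer value: "Name <email>".
_MAINTAINER_RE = re.compile(
    r"^\s*(?P<name>[^<>]+?)\s*<(?P<email>[^<>@\s]+@[^<>@\s]+)>\s*$")

# Constructed sample in the shape `docker inspect <image>...` prints
# (a JSON array, one object per image). Only the fields read below are included.
SAMPLE_INSPECT_OUTPUT = json.dumps([
    {"Id": "sha256:aaaa0001", "RepoTags": ["registry.example/dev/web:1.0"],
     "Author": "Maria Lopez <maria.lopez@company.com>",
     "Config": {"Labels": None}},
    {"Id": "sha256:aaaa0002", "RepoTags": ["registry.example/dev/api:2.3"],
     "Author": "",
     "Config": {"Labels": {"maintainer": "Ops Team <ops@company.com>"}}},
    {"Id": "sha256:aaaa0003", "RepoTags": ["registry.example/stage/worker:0.9"],
     "Author": "",
     "Config": {"Labels": {}}},
])


def parse_maintainer(value: str) -> Optional[dict]:
    """Return {"name", "email"} if value matches 'Name <email>', else None."""
    m = _MAINTAINER_RE.match(value or "")
    return {"name": m.group("name"), "email": m.group("email")} if m else None


def audit_maintainers(inspect_json: str) -> list:
    """One finding per image: tag, parsed maintainer (or None) and a status."""
    findings = []
    for image in json.loads(inspect_json):
        tag = (image.get("RepoTags") or [image.get("Id", "<untagged>")])[0]
        # "Author" comes from MAINTAINER or `docker commit -a`; the
        # "maintainer" label is the LABEL-based equivalent.
        labels = (image.get("Config") or {}).get("Labels") or {}
        raw = image.get("Author") or labels.get("maintainer") or ""
        parsed = parse_maintainer(raw)
        status = "missing" if not raw else ("malformed" if parsed is None else "ok")
        findings.append({"image": tag, "maintainer": parsed, "status": status})
    return findings


if __name__ == "__main__":
    # On a real host: docker inspect $(docker images -q) | python3 this_script.py
    for f in audit_maintainers(SAMPLE_INSPECT_OUTPUT):
        print(f"{f['status']:<9} {f['image']}  {f['maintainer'] or ''}")
```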

Use VA reports to find out about known or new vulnerabilities in your Docker images and in your running containers. An image that is only stored in your cloud infrastructure is not a hazard to your cloud environment. However, as soon as that image is deployed into the cloud and the service that it provides is reachable from the outside world, your cloud environment is exposed to security threats if the image becomes vulnerable or if you deployed the image with known vulnerabilities.

When new vulnerabilities are reported for an image, any running container that is based on that image is a potential risk to your overall cloud security. Active containers are not stopped automatically; you are responsible for keeping those images secure.

You can use VA to monitor Docker images and running containers, and identify known or new vulnerabilities. You can update the images that are vulnerable by applying the corresponding corrective actions, and then, you can push new versions into the private registry. For active containers, for example, you can update the base image and then use your DevOps pipeline to deploy the containers based on the new image that has corrected all known vulnerabilities. For more information, see Reviewing image vulnerabilities and Reviewing container vulnerabilities.

Because VA shows the total number of instances that are running from an image, lists those instances, and links to each instance's individual VA report, you can quickly identify which instances in your Bluemix environment are vulnerable when an image becomes vulnerable after deployment. This feature helps you mitigate risk in your cloud environment.

Use VA reports to discover container and application configuration best practices for a Docker image. The VA report for an image also provides information about security best practices that you can adopt to strengthen that image in your cloud environment. For example, it reports on insecure default values in an application configuration file. Adoption of these practices is optional.

How to use VA to secure Docker images and Docker instances

When you define your cloud strategy, there are different roles in an organization, such as cloud security specialist, cloud infrastructure manager, DevOps, and developer. Each role has different requirements when using the cloud environment, and requires different tools and capabilities to fulfill their jobs successfully.

In Bluemix, there are different roles that you can assign to your cloud members. The following table shows the relation between Bluemix roles and cloud roles that are relevant when you use VA:

Cloud role: Bluemix role
Cloud security specialist: Org manager
Cloud infrastructure manager: Org manager
DevOps: Org manager
Developer: Developer

The following figure shows the tasks that each cloud role does when working with VA in Bluemix:

[Figure: Roles tasks]

For example, as a security specialist, you can use VA to monitor the overall security status of a Bluemix organization, check all images and running instances for known vulnerabilities, and validate that policies are being enforced.

[Figure: Security specialist example]

As a DevOps person, you can use VA to configure the policies that define how secure you want to make those images and instances. You determine when an image is safe to deploy or you can block images from deployment. You can monitor the status of images and the status of instances running in Bluemix.

[Figure: DevOps example]

As a developer, you can see which vulnerabilities need corrective actions, which best practices are recommended, and the overall status of an image per the policies set for your organization.

Summary

VA provides your organization with the capability to monitor the security status of Docker images and instances against the vulnerability notices published for each platform, as well as configuration best practices. VA also gives you the ability to manage and enforce security policies on images in the cloud.

Related information

IBM Containers Launch in London
Vulnerability Advisor product documentation
Verify your containers are secure with Vulnerability Advisor
Is your Docker container secure? Ask Vulnerability Advisor!
Identifying insecure configurations with IBM Vulnerability Advisor
