I love containers. You love containers. We all love containers. But our love for them blinds us to the fact that we often don’t really know what’s running within them. In 2019, Snyk, an open-source security company, found that the “top 10 most popular Docker images each contain at least 30 vulnerabilities.”
Ouch.
Snyk wasn’t talking about security problems with container technology itself. Those problems, like the 2019 security hole in runc, the container runtime underneath Docker and Kubernetes, do exist, and they’re serious. But far more common are insecure applications within containers.
Now, Snyk and Docker are partnering up to find and eliminate security problems in the Docker Official Images.
The 166 Docker Official Images are wildly popular with users. They range from the popular open-source database PostgreSQL, to the key-value store Redis, to the Ubuntu Linux operating system. More than 25% of all images downloaded from the Docker Hub come from this curated collection of Docker container images. These popular containerized building blocks are designed to provide a common starting point for cloud-native programs and services.
Snyk adds security insight to Official Images. This makes vulnerability risk assessment part of the Official and Certified Images selection process. In short, you can now be reasonably sure that, when you download a containerized program from the Official Images collection, you’re getting software that’s free of any known security holes.
Snyk scanning is also integrated into the Docker Desktop and Docker Hub. With this, you can incorporate vulnerability assessment along each step of your own container development and deployment process. This streamlines your efforts to deploy secure applications. At Snyk’s virtual conference SnykCon 2020, Docker CEO Scott Johnston said: “Developers build from Docker’s Official Images because they want the assurance of knowing the images are up-to-date and are well maintained. With Snyk security insights for Docker Official Images, simplified workflows designed for developer-first security is now a foundational part of a developer’s toolbox to seamlessly create and ship more applications with confidence.”
Snyk CEO Peter McKay added: “While containers deliver scalability and agility, they create new security challenges that can’t be addressed with traditional solutions, especially ones that don’t naturally fit into the developer workflow. . . Recent Snyk research shows that only 41% of application development teams are scanning all of their containers for vulnerabilities. Embedding Snyk’s developer-first security into Docker images delivers robust, end-to-end security to millions of developers.”
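To make “vulnerability assessment along each step” of the pipeline concrete, here is an added example (not code from Docker, Snyk or this article) of a build gate: it reads a Snyk-style JSON report and fails the build when a finding at or above a chosen severity has a fix available. The report field names are an assumption modelled on `snyk test --json` output, the sample report is constructed, and `docker scan --json` refers to the Snyk-backed scan plugin shipped with Docker Desktop at the time.

```python
"""Gate a container build on a Snyk-style vulnerability report.

Assumed report shape (hypothetical, modelled on `snyk test --json`):
{"vulnerabilities": [{"id", "severity", "packageName", "version", "fixedIn": [...]}]}
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report standing in for real scanner output.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "severity": "high", "packageName": "openssl",
         "version": "1.1.1", "fixedIn": ["1.1.1k"]},
        {"id": "SNYK-EXAMPLE-2", "severity": "medium", "packageName": "curl",
         "version": "7.64.0", "fixedIn": ["7.71.0"]},
        {"id": "SNYK-EXAMPLE-3", "severity": "critical", "packageName": "zlib",
         "version": "1.2.11", "fixedIn": []},  # no fixed version published yet
    ]
})


def evaluate(report_json, threshold="high", fixable_only=True):
    """Return (passed, blocking_findings) for a JSON report string."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(vuln.get("severity", "low"), 0) < floor:
            continue  # below the gate's severity floor
        if fixable_only and not vuln.get("fixedIn"):
            continue  # unfixable today: track it, but do not block the build on it
        blocking.append(vuln)
    return (len(blocking) == 0, blocking)


def scan_image(image):
    """Run the Snyk-backed `docker scan` (Docker Desktop plugin) and return its JSON."""
    proc = subprocess.run(["docker", "scan", "--json", image], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python gate.py <image>   (falls back to the constructed sample with no argument)
    raw = scan_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, blocking = evaluate(raw)
    for v in blocking:
        print(f"{v['severity'].upper():8} {v['packageName']}@{v['version']} "
              f"-> fixed in {', '.join(v['fixedIn'])} ({v['id']})")
    sys.exit(0 if ok else 1)
```

With the sample report the gate fails on the fixable high-severity openssl finding only; the unfixable critical one is reported but not blocking unless `fixable_only=False`.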