Docker Containers Get Security, Performance Boost
As the reality of enterprise production environments catches up with the hype over Docker application containers, vendors have been plugging security holes while attempting to expand flexibility for container deployments.
Of particular concern is the security of container images. For example, a recent study found that more than 30 percent of images in Docker Hub, the central repository for Docker developers to deploy application containers, were found to include "images highly susceptible to a variety of security attacks," including Heartbleed and Shellshock, according to a recent study by BanyanOps.
Responding to lingering concerns about container security, open source leader Red Hat (NYSE: RHT) said Tuesday (Oct. 20) it is teaming with Black Duck Software, which specializes in securing open source software, to ensure application containers are free of "known" vulnerabilities.
Separately, Java runtime specialist Azul Systems said this week it was adding Docker support to the latest version of its Java virtual machine dubbed Zing. Along with boosting the performance of Apache Cassandra database manager, Azul said the latest Zing release also makes images available on Red Hat Enterprise Linux as well as Amazon Web Services (AWS).
The Red Hat-Black Duck collaboration on container security focuses on establishing a trusted model for delivery application containers. The model would verify that containers are secure and include only certified content.
The partners said they would integrate container scanning and security software from Black Duck, Burlington, Mass., designed to detect vulnerabilities within Red Hat's OpenShift platform-as-a-service. The container security service would provide reports on potential threats found in the OpenShift registry of container images.
OpenShift is a container application platform based on Docker-formatted Linux containers, Kubernetes orchestration and Red Hat Enterprise Linux. Among other data, Black Duck's KnowledgeBase tool contains data on more than 100,000 known open source vulnerabilities, the partners stressed.
Among the goals of the collaboration is "helping to make containers safe for enterprise use," Black Duck CEO Lou Shipley, noted in a statement. Another goal is securing "code across the entire lifecycle of a containerized application, from development to management," Red Hat added.
Meanwhile, Azul said Docker support included in the 15.09 release of its Zing Java VM combines its pause-less operation for Java-based applications with Docker's portability and deployment flexibility. Azul, Sunnyvale, Calif., also said images would be available on AWS (NASDAQ:AMZN) integrating the latest version of Zing with the Amazon and Red Hat Enterprise versions of Linux along with the Ubuntu operating system.
As application containers begin to deliver more enterprise micro-services, initial concerns about isolating different applications have expanded to include security from development to deployment. Docker stresses key management and other approaches to security containers and their content.
As the recent BanyanOps security study of container vulnerabilities noted, "images should be scanned for security vulnerabilities, and selectively marked for rebuild depending on the relevance and severity of the vulnerabilities." Concluded the study: "These processes need to be efficiently integrated into a continuous deployment framework to realize the full benefits of containers while simultaneously maintaining good security practices."
