CoreOS Targets Container Image Security
Application container pioneers continue to roll out new security features as micro-services shift to primetime. The latest comes from upstart CoreOS, which introduced a new container image analyzer designed to provide developers with greater visibility into vulnerabilities that could undermine container security.
San Francisco-based CoreOS, which launched an early version of its image security tool dubbed "Clair" late last year, released a 1.0 version on March 18 that it said is ready for production workloads. The tool inspects container images for known security flaws and specifically targets developers building new services so they can scan containers for threats and vulnerabilities before deployment.
CoreOS added that the production version of Clair also allows developers to identify security fixes while scanning for vulnerabilities. The company noted that many container images are based on older Linux distributions, providing "a large attack surface with many vulnerabilities."
Added the company in a blog post: "These systems and their packages can be updated, and even more, we want to encourage users to take action and update their container images."
According to an analysis, more than 70 percent of detected container vulnerabilities can be fixed by updating the installed packages. Further, software updates alone can address more than 80 percent of "critical" container vulnerabilities, CoreOS said, while updates to installed software boost overall infrastructure security.
A key weakness is that container images are seldom updated. That, the company stressed, "is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues…."
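To make the "scan, then show the update path" workflow concrete, here is an added example (not Clair's code, and not from CoreOS) of the core matching step such an image analyzer performs: take the package list extracted from an image, compare each installed version against a vulnerability feed's fixed-in version, and report which findings an ordinary package update would clear. The package names, versions, vulnerability identifiers (VULN-EXAMPLE-n placeholders, not real CVE numbers) and the simplified version comparator are all constructed for illustration.

```python
"""Constructed illustration of Clair-style image analysis: match an image's
installed packages against a vulnerability feed and report what a package
update would fix. Not Clair's own code; data and comparator are made up."""
from dataclasses import dataclass
from typing import Optional
import re


def _version_key(version: str):
    """Split a version string into comparable chunks: numbers compare
    numerically, letters lexically, separators are ignored. Simplified
    stand-in for a real distro comparator (dpkg/rpm rules); constructed."""
    key = []
    for part in re.findall(r"\d+|[A-Za-z]+|[^A-Za-z\d]+", version):
        if part.isdigit():
            key.append((1, int(part), ""))
        elif part.isalpha():
            key.append((0, 0, part))
    return key


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b."""
    return _version_key(a) < _version_key(b)


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # placeholder id, not a real CVE number
    package: str
    severity: str            # "Critical", "High", "Medium", "Low"
    fixed_in: Optional[str]  # None: the distro has published no fixed package


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    severity: str
    fixed_in: Optional[str]

    @property
    def fixable(self) -> bool:
        return self.fixed_in is not None


def scan_image(packages, feed):
    """A package is affected when no fix exists, or when the installed
    version sorts before the fixed-in version."""
    findings = []
    for pkg in packages:
        for v in feed:
            if v.package != pkg.name:
                continue
            if v.fixed_in is None or version_lt(pkg.version, v.fixed_in):
                findings.append(Finding(v.vuln_id, pkg.name, pkg.version,
                                        v.severity, v.fixed_in))
    return findings


def update_plan(findings):
    """Map package -> highest fixed-in version needed to clear every
    fixable finding for it: the 'clear path to updates'."""
    plan = {}
    for f in findings:
        if f.fixable and (f.package not in plan
                          or version_lt(plan[f.package], f.fixed_in)):
            plan[f.package] = f.fixed_in
    return plan


def summarize(findings):
    """Counts behind a 'share of findings fixable by updating' figure."""
    crit = [f for f in findings if f.severity == "Critical"]
    return {
        "total": len(findings),
        "fixable": sum(1 for f in findings if f.fixable),
        "critical": len(crit),
        "critical_fixable": sum(1 for f in crit if f.fixable),
    }


# Constructed sample: packages as extracted from one image layer set.
IMAGE_PACKAGES = [
    Package("openssl", "1.0.1e-2"),
    Package("bash", "4.2-1"),
    Package("glibc", "2.19-3"),
    Package("curl", "7.38.0-1"),
]

# Constructed sample feed with placeholder identifiers.
FEED = [
    Vulnerability("VULN-EXAMPLE-1", "openssl", "Critical", "1.0.1e-3"),
    Vulnerability("VULN-EXAMPLE-2", "openssl", "High", "1.0.1f-1"),
    Vulnerability("VULN-EXAMPLE-3", "bash", "Critical", "4.2-2"),
    Vulnerability("VULN-EXAMPLE-4", "glibc", "Medium", None),
    Vulnerability("VULN-EXAMPLE-5", "curl", "High", "7.38.0-1"),  # already fixed
    Vulnerability("VULN-EXAMPLE-6", "bash", "Low", "4.1-9"),      # newer installed
]

if __name__ == "__main__":
    found = scan_image(IMAGE_PACKAGES, FEED)
    for f in found:
        print(f"{f.vuln_id} {f.package} {f.installed} {f.severity} "
              f"fix={'update to ' + f.fixed_in if f.fixable else 'none'}")
    print(summarize(found))
    print("update plan:", update_plan(found))
```

The two non-findings matter as much as the four findings: a package already at the fixed version, or newer than it, must not be reported, which is why the comparison is strict and why a real scanner needs the distribution's own version-ordering rules rather than the simplified comparator used here. The unfixed glibc entry shows the residue a package update cannot clear, which is the remaining share in CoreOS's "more than 70 percent" figure.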
The production version of the container image analyzer addresses database interactions, which turn out to be among the largest bottlenecks during security scans. CoreOS said the update includes an interface intended to abstract database operations. Beginning with an implementation for Postgres, the open source database manager, the company claimed it was able to boost API responses in production from 30 seconds to 30 milliseconds.
As the security tool's stability improved "for most general use cases," CoreOS said it also sought to boost flexibility so users could tune the tool in production settings. Those extensions included: gathering vulnerability data from public sources; indexing container images based on specific features; expanding the number of image formats to include Docker and Cisco Application-Centric Infrastructure formats; and notifications when a new vulnerability or changes to an existing vulnerability have been detected.
CoreOS also said it extended storage for databases of vulnerabilities.
The image analyzer is the latest addition to the container security toolbox that has been expanding as micro-services begin to ramp up. Last month, CoreOS and rival Docker both released "production ready" versions of their container platforms with a heavy emphasis on security. The "stable" 1.0 version of the CoreOS container runtime known as rkt incorporates security features designed to improve container isolation via kernel-based virtual machines along with integration of a "trusted platform module."