Overview of Containers
Docker is a tool designed to simplify the deployment, configuration, creation, and sharing of applications using containers. Containers let developers and administrators package an application or service together with all of its requirements and dependencies, then share it with others or run it on one or more machines. This lets developers and administrators run Docker containers on any machine, regardless of customized settings on the target machine that might differ from the machine used for writing and testing the code.
In many ways, Docker containers are similar to a virtual machine; in that sense, Docker performs operating-system-level virtualization. However, unlike a virtual machine, Docker does not create an entire operating system; it allows applications to use the dependencies and Linux kernel of the host system. Sharing the host's resources in this way gives a significant performance boost and reduces the size of the applications.
Why are Companies Using Docker?
Docker containers are changing the application life cycle for many software developers and administrators. Applications can be developed in virtual environments and then migrated to bare-metal production environments with a few simple commands. Docker simplifies the development and deployment workflow, and it also provides the performance and density benefits that are crucial to IT administrators.
Consider the scenario where a software development company needs to test software on 30 different machines. To run 30 virtual machines, you would need to boot and configure 30 machines, and each of these virtual machines would need to meet its minimum requirements before booting. Assuming a virtual machine needs at least 256 MB of RAM and 7.5 GB of disk space, you could easily exceed the limits of the host machine. Whereas with Docker, the engine behind the application handles all resource needs and allocates only what is absolutely necessary. In terms of scaling, one could spin up as many containers from the same image as needed and they would take up no additional space on the host machine. The reason for this is that Docker keeps track of container images and their deltas, and uses them as the platform on which the processes or services run.
Security Assessments of Docker Containers
Since Docker containers run much like virtual machines, any application-level assessment, such as a web application or external penetration test, is performed in exactly the same way. The real security concern lies in the configuration of the Docker containers. There are multiple layers of segmentation that can be applied: you can segment at the network layer, and you can segment containers from other containers.
One addition that could be made to a Docker assessment is the ability to perform a white-box approach. With the ease of deployment, the customer could send us what is known as the Dockerfile or Compose file. This would allow the testing engineers to spin up a fully functioning application or service to test. The engineer would also be able to review the code and find insertion points or weaknesses more easily.
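Because the section above places the real risk in container configuration rather than in the application, a white-box assessment usually starts by reading the running container's settings. The following script is an added example, not code from the original post: it audits the JSON that `docker inspect` prints for the settings that weaken segmentation (privileged mode, host networking, root user, extra capabilities, a mounted Docker socket). The embedded record is a constructed sample shaped like `docker inspect` output and contains only the fields the checks read.

```python
import json
import sys

# Constructed sample, shaped like `docker inspect <container>` output.
# Only the fields read by the checks below are included.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/webapp",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])


def audit_container(info):
    """Return a list of findings for one container record."""
    findings = []
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged: full device and capability access to the host")
    if host.get("NetworkMode") == "host":
        findings.append("network_mode host: no network segmentation from the host")
    if not cfg.get("User"):
        findings.append("user unset: processes run as root inside the container")
    for cap in host.get("CapAdd") or []:  # CapAdd is null when nothing was added
        findings.append(f"cap_add {cap}: kernel capability beyond the default set")
    for bind in host.get("Binds") or []:  # Binds is null when nothing is mounted
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker.sock mounted: container can drive the Docker daemon")
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"]: audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    # Pipe real output in (`docker inspect webapp | python3 audit.py`),
    # or run without input to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(raw).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```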
Products That will Automate the Security Check of Docker Containers
Many software vendors and developers have been creating ways to automate the checking of Docker containers due to the increased popularity of the tool. Docker image scanning to detect known vulnerabilities, runtime security to identify and block threats in production, network security, compliance, and audit and forensics are some of the areas where you can improve your security with the following Docker security tools. Here are just a few that are notable:
There are many other options out there, but this list should be enough to get you started down the right path.