Container Scanning with Trivy

Containers are a portable, lightweight way to package your application on top of a tiny OS image, but like any new innovation they are also an external attack surface.

Using Docker's documentation as a reference, here is an annotated Dockerfile (comments sit on their own lines, since Docker treats a trailing # as part of the instruction):

# Base image of the OS; in this case we want a specific, pinned tag
FROM ubuntu:20.04
# Set an environment variable DEV that refers to /ops
ENV DEV=/ops
# Copy our app/script into the image under $DEV (/ops)
COPY network_scanner.py $DEV/
# List the directory at build time to confirm the copy landed
RUN ls -l $DEV

Container Security

So how do we look at containers for security? Container image scanning is a way to find out whether the underlying image we trust carries known or exposed vulnerabilities. The recent OpenSSL vulnerability is a prime example of why you should be proactively scanning images, and also of why you need to keep an eye on the landscape, because security keeps evolving.

I'm taking the easy way on this, but you can add the open-source tools from Aqua Security to your own toolset; here, simply enter the image in the search bar.

So let's do a search for ubuntu:20.04 and see what we find.

This reports 17 vulnerabilities found, all of low severity. So what's next? The great thing is that the context isn't abstract but rather robust.

Navigating to the reference link, we are presented with a clean UI, shown below, for getting more information.

https://avd.aquasec.com/nvd/2016/cve-2016-2781/

From here we can gather information that not only may prevent us from launching something vulnerable in our environment, but also shows us a weakness that could have been avoided; if we want more context, this portion of the page provides additional information.
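As an added example (not code from the original post), here is how to turn a Trivy report into a build gate: run `trivy image -f json -o report.json ubuntu:20.04` and feed the JSON to the script below, which counts findings by severity and lists anything at or above a chosen threshold together with the fixed package version when Trivy knows one. The report embedded in the script is constructed in Trivy's layout and, apart from CVE-2016-2781 linked above, uses placeholder IDs.

```python
"""Gate a build on a Trivy JSON report (trivy image -f json -o report.json ubuntu:20.04)."""
import json
from collections import Counter

# Trivy's severity scale, lowest to highest; unrecognised strings rank lowest.
RANK = {s: i for i, s in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}

# Constructed sample in Trivy's report layout (Results -> Vulnerabilities).
# CVE-2016-2781 is the coreutils finding the post links to; the
# CVE-EXAMPLE-* IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ubuntu:20.04",
    "Results": [{
        "Target": "ubuntu:20.04 (ubuntu 20.04)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2016-2781", "PkgName": "coreutils",
             "InstalledVersion": "8.30-3ubuntu2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1f-1ubuntu2",
             "FixedVersion": "1.1.1f-1ubuntu2.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
             "InstalledVersion": "2.31-0ubuntu9", "Severity": "MEDIUM"},
        ],
    }],
})

def vulnerabilities(report_json):
    """Yield every finding in the report; a Result with none omits the key."""
    for result in json.loads(report_json).get("Results", []):
        yield from result.get("Vulnerabilities") or []

def count_by_severity(report_json):
    """Severity -> number of findings, e.g. {'LOW': 1, 'HIGH': 1, 'MEDIUM': 1}."""
    return Counter(v.get("Severity", "UNKNOWN") for v in vulnerabilities(report_json))

def blocking_findings(report_json, min_severity="HIGH"):
    """(id, package, fixed version or None) for findings at or above min_severity."""
    threshold = RANK[min_severity]
    return [(v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion"))
            for v in vulnerabilities(report_json)
            if RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold]

def gate(report_json, min_severity="HIGH"):
    """True when the image passes, i.e. nothing at or above min_severity."""
    return not blocking_findings(report_json, min_severity)

if __name__ == "__main__":
    for cve, pkg, fix in blocking_findings(SAMPLE_REPORT):
        print(f"{cve} in {pkg}: {'upgrade to ' + fix if fix else 'no fix yet'}")
    print(dict(count_by_severity(SAMPLE_REPORT)), "PASS" if gate(SAMPLE_REPORT) else "FAIL")
```

In CI you can get the same pass/fail behaviour directly from Trivy with `--severity HIGH,CRITICAL --exit-code 1`; the script is useful when you also want the per-package fix list in the build log.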

While this doesn't cover end-to-end container security, only one facet of it to be aware of, you should be scanning your containers and minimizing your images by removing as much as possible. I will cover more on cloud-native security, including projects such as Microsoft Mariner (an open-source Linux distro).