Recapping DockerCon 2021 with Snyk: Red Ventures, Docker container security, and more

DockerCon 2021 brought containerization experts together to discuss all things Docker, from building containerized applications and running container images to improving container security. 

In this post, we’ll recap a live panel discussing how container security fits into the new cloud native era, how Red Ventures scaled container security scanning with Snyk, and ways to make vulnerability remediation easier. We’ll also cover the closing interview with Snyk at DockerCon 2021 about our expanding partnership with Docker.

Container security in a cloud native world

During the live security panel moderated by Peter McKee, Head of Developer Relations at Docker, development and security professionals discussed the changing security landscape in today’s cloud native world. Liran Tal, Snyk’s Director of Developer Advocacy, joined Liz Rice, Chief Open Source Officer at Isovalent, Justin Cormack, Docker’s CTO, and Andrew Martin, CEO of ControlPlane on the panel. 

All the panelists agreed that organizations need to shift security left and give developers the resources they need to find and fix security issues early on. Security scanning during development is seen as a “quick win” for improving the security posture of the organization.

At the same time, it’s still crucial to scan for vulnerabilities throughout the continuous integration and continuous delivery (CI/CD) pipeline. A common problem for many organizations is dependency drift, where libraries, or even Docker base images in local development environments, may be slightly different than they are in testing or production environments. That means developers can upgrade base images locally, but there could still be container vulnerabilities if the organization isn’t scanning for issues in later stages of the CI/CD pipeline.
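One concrete source of the base-image drift described above is an unpinned `FROM` line: `FROM ubuntu` or `FROM node:16-alpine` resolves to whatever the registry serves at build time, so a local build and a CI build days apart can contain different packages. The following script is an added example, not code from the original post or from Docker or Snyk. It is a small, heuristic Dockerfile check that flags base images without a digest pin; it resolves only `ARG` defaults declared earlier in the file, treats stage aliases and `scratch` as non-images, and does not attempt full Dockerfile parsing. The sample Dockerfile and its digest are constructed for the demonstration.

```python
"""Flag Dockerfile base images that can drift between dev, CI and production.

Added example (not from the post, Docker or Snyk). Heuristic: only ARG
defaults declared above a FROM are substituted, and only the reference
syntax [registry/]name[:tag][@digest] is handled.
"""
import re
from dataclasses import dataclass

# FROM [--platform=...] <reference> [AS <alias>]
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)
ARG_RE = re.compile(r"^ARG\s+(\w+)=(\S+)", re.IGNORECASE)


@dataclass
class BaseImageFinding:
    line_no: int
    image: str
    severity: str
    reason: str


def parse_reference(ref):
    """Split an image reference into (name, tag, digest).

    A ':' only introduces a tag when no '/' follows it; otherwise it is a
    registry port such as registry.example:5000/team/app.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_colon = ref.rfind(":")
    if last_colon != -1 and "/" not in ref[last_colon:]:
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    return name, tag, digest


def check_dockerfile(text):
    """Return one finding per FROM line whose base image is not pinned by digest."""
    findings = []
    stage_aliases = set()
    arg_defaults = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        arg = ARG_RE.match(line)
        if arg:
            arg_defaults[arg.group(1)] = arg.group(2)
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # Substitute ${VAR} / $VAR from ARG defaults seen so far.
        ref = re.sub(r"\$\{?(\w+)\}?",
                     lambda v: arg_defaults.get(v.group(1), v.group(0)), ref)
        if alias:
            stage_aliases.add(alias)
        if ref in stage_aliases or ref == "scratch":
            continue  # refers to an earlier stage, or to the empty image
        _, tag, digest = parse_reference(ref)
        if digest:
            continue  # content-addressed: identical everywhere
        if "$" in ref:
            findings.append(BaseImageFinding(line_no, ref, "medium",
                            "unresolved build argument; value decided at build time"))
        elif tag is None or tag == "latest":
            findings.append(BaseImageFinding(line_no, ref, "high",
                            "resolves to :latest, which changes between builds"))
        else:
            findings.append(BaseImageFinding(line_no, ref, "medium",
                            f"mutable tag '{tag}'; pin with @sha256:<digest>"))
    return findings


# Constructed sample Dockerfile; the digest below is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
# constructed sample, not a real project's Dockerfile
ARG NODE_VERSION=16-alpine
FROM node:${NODE_VERSION} AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM build AS test
RUN npm test

FROM ubuntu
RUN apt-get update

FROM nginx:latest
COPY --from=build /app/dist /usr/share/nginx/html

FROM node:16-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
CMD ["node", "server.js"]
"""

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line_no}: [{f.severity}] {f.image}: {f.reason}")
```

Run as a pre-commit or CI step, a check like this catches the case the panel described: a developer upgrades a base image locally while the pipeline keeps building from a tag that has since moved. Pinning by digest (and letting a scanner or a bot open the pull request that bumps the digest) keeps every environment building the same bytes.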

A recurring theme throughout the talk was that in a cloud native world, where developers are more responsible for application deployments with containers and infrastructure as code, it’s crucial to take a holistic approach to AppSec. Container scanning is a key part of this, but malicious actors will also target custom code, third-party dependencies, configurations, and more. That’s why it’s crucial to scan for issues within every component of modern cloud native applications.

“Malicious attackers will take the path of least resistance,” said Tal. “Hackers will take any low hanging fruit, so it’s important to holistically mitigate the risk of anything that could be automatically exploited.”

Watch the full panel discussion recording: LIVE Panel on Security

Scaling container scanning at Red Ventures

During the talk An Ounce of Prevention: Curing Insecure Container Images, Eric Smalling, Senior Developer Advocate at Snyk, spoke with Seyfat Khamidov, Software Engineer at Red Ventures. They discussed shifting security left to empower DevSecOps and build a scalable container image pipeline.

Red Ventures — a large portfolio of online brands and digital platforms — provided an excellent example of container scanning at scale. The company relies heavily on Docker containers and uses Snyk to secure thousands of images automatically. Along with using minimal base images and validating the authenticity of images, Red Ventures believes scanning for vulnerabilities within images and dependencies on a regular basis is critical. 

Docker Scan, powered by Snyk, enables developers to identify vulnerabilities early in the software development lifecycle (SDLC). This scanning feature is available on both Docker Desktop for Windows/Mac and Docker CE for Linux. The feature not only detects security issues, but also provides actionable recommendations for remediating container vulnerabilities automatically. By integrating container scanning early within the development pipeline, Red Ventures ensures developers are fixing vulnerabilities before they merge code.  

“Docker Scan allows developers to apply security as part of their everyday workflows,” explained Khamidov. “Instead of making security an afterthought, this helps implement security as early as possible within the SDLC.”

For container security at scale, Red Ventures has created centralized repositories on GitHub where Snyk Container monitors and automatically creates pull requests to fix vulnerabilities for the internal images their developers use as the basis for their applications. Once their internal base images are fixed, they can generate pull requests automatically to update the developer’s repositories where these images are being used. This centralized approach, combined with using the Snyk CLI to automatically scan all containers across the organization, gives Red Ventures confidence that its 1300+ images are secure.

Watch the full presentation from Eric and Seyfat: An Ounce of Prevention: Curing Insecure Container Images

Choosing the right base images to mitigate container risk

When it comes to container security, detecting vulnerabilities is only half the battle. Once developers have a list of potential issues, it can be overwhelming to fix them all. Matt Jarvis, Senior Developer Advocate at Snyk, discussed ways to efficiently remediate a large number of vulnerabilities by choosing better base images.

There are a number of layers that make up Docker containers, from the base image and its parent images to custom code and third-party dependencies. For example, a popular base image can have numerous parent images, each of which can include dependencies and images with potential vulnerabilities. These upstream images need to be well-vetted for broad adoption, strong maintenance, and active support to ensure the security of containers downstream.

“It’s likely that we started from a base image and then we added some of our own things during the build process like configuration changes and custom software,” explained Jarvis. “Understanding how the software we’re scanning got into our images in the first place is the key to deciding on our strategy for minimizing vulnerabilities.”

Snyk’s container scanning results include a range of base image upgrades and alternative image recommendations to eliminate the greatest number of vulnerabilities with the easiest change possible. By focusing on quick wins like this, developers can drastically reduce their time spent on fixing container security issues. For more recommendations and best practices, check out these tips for scanning and building secure images from Docker and Snyk.

Watch the full presentation from Matt Jarvis: My Container Image Has 500 Vulnerabilities, Now What?

Snyk’s final thoughts from DockerCon 2021

Finally, Simon Maple, Field CTO at Snyk, had an interview with SiliconANGLE’s John Furrier about the growing partnership between Snyk and Docker. As they’re both developer-first companies, it was a natural fit for Snyk to power container security for DockerHub, Docker Desktop, and more recently, Docker CE on Linux.

Snyk sees itself as a developer tooling company, so it made sense to bring security to Docker where developers spend their time. That means the partnership combines Docker’s ease of deploying code within a container with Snyk’s automated vulnerability detection and remediation to provide a secure development experience.

“We’re still tireless in making sure developers don’t just have visibility into security, but are very much empowered in terms of fixing issues,” Maple concluded. “Secure development is what we’re striving for with our partnership with Docker.”

Learn more about Snyk’s partnership with Docker.