Overview
Containers have transformed the way enterprise applications are deployed. Applications run on lightweight images that hold the application code and its dependencies. Because they do not depend on the underlying operating system, they bring efficiency and portability that allow resources and applications to be provisioned smoothly. Hence, securing containers against cyber threats and vulnerabilities becomes a crucial job.
Here, we discuss some common container vulnerabilities and present a case study of Tech Vedika's approach and the tools used to safeguard the containers of one of the industry giants from vulnerability issues.
Common Container Vulnerabilities
- Access Control Exploits: Neglecting fundamental authentication and authorization for Docker exposes the entire system to unauthorized access. The consoles should be configured with password policies to keep the AWS system secure.
- Isolation Flaws: The isolation of containers makes them robust from a security standpoint. However, isolation alone does not guarantee security; the containers must be secure in themselves. If a container is compromised, network segmentation prevents attackers from reaching the other containers.
- Untrusted Containers: Containers are portable and easy to use, and attackers often upload malicious container images to public repositories. Hence, before running a container, its security should be assessed.
- Insecure Configuration of Other Components: The containers, the host operating system, and the AWS accounts should all be configured with least privilege to secure the entire system. Docker commands should also be protected with passwords.
- Secret Management: Sensitive credentials, API keys, and tokens at every level should be equally protected. Hard-coding credentials and rotating them can be an expensive affair. Weak cryptographic key generation, weak authentication, and incorrect use of cookies expose the application to exploitation.
- Container Image Vulnerabilities: Using vulnerable container images leads to several security issues; it allows malware to be installed and to infect community Docker images.
Tech Vedika’s Case Study
For one of our reputed clients, a severe incident was reported involving a container vulnerability. Tech Vedika identified the root cause during security scanning and fixed the vulnerabilities quickly.
High priority security incident detected in our security scanning:
- Docker containers compromised
- Crypto mining activity observed
Action Taken:
The Tech Vedika team performed a security analysis using container vulnerability tools, found the causes of the incidents identified, and fixed them.
Approach:
- Scanned the Gateway Server for vulnerabilities using a third-party tool (SonarQube, testing at the code level).
- As zero vulnerabilities were found, we moved to the next phase and scanned the Docker containers for vulnerabilities at the container level using a third-party tool (Trivy).
- Initially tested in a dev environment and identified the vulnerabilities.
- Fixed the vulnerabilities that were found and categorized as critical and high-priority.
- Types of vulnerabilities:
  - Container package level (only high-priority)
    - Fixed by upgrading the packages.
    - To make sure that the current images were not affected, a replica of the gateway images was taken in the dev environment and then the packages were upgraded.
  - Jar level (fixed both critical and high-priority)
- Retested the Docker image by running the container.
- Strengthened Docker security using the best-practices checklist below:
  - Keep the host machine and Docker updated to the latest patch.
  - Do not expose the Docker daemon socket.
  - Create users with roles and permissions distinct from the admin or root user.
  - Linux capabilities play a vital role; use them wisely.
  - To prevent privilege escalation, never grant privileges to the Docker container.
  - [MOST IMPORTANT] Disable inter-container communication (--icc=false).
  - Always use Linux Security Modules.
  - Build time is also one of the most important factors.
  - Filesystems and volumes should be mounted read-only.
- Implemented a WAF solution to stop attacks at the firewall level.
- After fixing the issues in the dev environment, the updates were deployed to production.
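The checklist above can be turned into an automated check over a container's `docker inspect` output and the daemon's `daemon.json`. The script below is an added example, not Tech Vedika's tooling; both inspect documents are constructed, and it assumes the standard `HostConfig`/`Config` field names that `docker inspect` emits and the `icc` key of `/etc/docker/daemon.json`.

```python
import json

# Constructed `docker inspect` output for a container that fails most of the
# checklist items; not taken from the case study.
BAD_INSPECT = json.dumps([{"Name": "/gateway",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                   "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}])

# The same container after applying the checklist (also constructed).
GOOD_INSPECT = json.dumps([{"Name": "/gateway",
    "Config": {"User": "app"},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                   "CapAdd": None, "SecurityOpt": ["no-new-privileges:true"],
                   "Binds": ["/srv/gateway/data:/data:ro"]}}])

def audit_container(inspect_json):
    """Return the checklist items a container violates, from `docker inspect` JSON."""
    info = json.loads(inspect_json)[0]
    host, cfg = info.get("HostConfig", {}), info.get("Config", {})
    findings = []
    if host.get("Privileged"):            # never grant privileges to the container
        findings.append("privileged container")
    for bind in host.get("Binds") or []:  # do not expose the daemon socket
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker daemon socket mounted")
    if not host.get("ReadonlyRootfs"):    # root filesystem should be read-only
        findings.append("root filesystem is writable")
    if host.get("CapAdd"):                # Linux capabilities: use wisely
        findings.append("capabilities added: " + ",".join(host["CapAdd"]))
    if cfg.get("User") in (None, "", "root", "0"):  # run as a distinct non-root user
        findings.append("runs as root")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")  # blocks privilege escalation
    return findings

def audit_daemon(daemon_json):
    """Check /etc/docker/daemon.json for icc=false, the [MOST IMPORTANT] item."""
    if json.loads(daemon_json).get("icc") is False:
        return []
    return ["inter-container communication enabled; set icc=false"]

if __name__ == "__main__":
    for label, doc in (("before", BAD_INSPECT), ("after", GOOD_INSPECT)):
        print(label, audit_container(doc) or ["all checks passed"])
    print("daemon", audit_daemon('{"icc": false}') or ["all checks passed"])
```

Feed it `docker inspect <container>` and the daemon config from a host to get the list of checklist items still open before the image is promoted to production.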
Tools Used by Tech Vedika
- Trivy: A straightforward and all-inclusive third-party tool that scans containers and artifacts for vulnerabilities, misconfigurations, and secrets. It scans Infrastructure as Code (IaC) files and also exposes vulnerabilities in operating system and language packages. It can also detect probable configuration issues that put the AWS workload at risk. Trivy also scans for hard-coded secrets such as passwords, API keys, and tokens.
- Docker Security Checklist: Another important tool used to secure Docker from potential cyber threats. It is a set of points to be checked to ensure a robust Docker environment.
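Trivy's JSON output is what makes the "fix critical and high, by upgrading packages" step repeatable. The script below is an added example, not part of Trivy or of Tech Vedika's workflow; it assumes the `Results`/`Vulnerabilities` field names of `trivy image -f json`, the report is constructed, and only the busybox row mirrors the table on this page while the other IDs are placeholders.

```python
import json

# Constructed Trivy JSON report (shape of `trivy image -f json`), trimmed to the
# fields used below. Only the busybox row mirrors the table on this page; the
# other vulnerability IDs are placeholders, not real scan results.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "gateway:dev (alpine 3.15.0)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-28391", "PkgName": "busybox",
          "InstalledVersion": "1.34.1-r3", "FixedVersion": "1.34.1-r5",
          "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "zlib",
          "InstalledVersion": "1.2.11-r3", "FixedVersion": "", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "musl",
          "InstalledVersion": "1.2.2-r7", "FixedVersion": "1.2.2-r8",
          "Severity": "MEDIUM"}]},
    {"Target": "app/gateway.jar", "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "jackson-databind",
          "InstalledVersion": "2.9.8", "FixedVersion": "2.9.10.8",
          "Severity": "CRITICAL"}]},
    {"Target": "app/config", "Class": "config"}]})  # clean target: no "Vulnerabilities" key

RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def triage(report_json, min_severity="HIGH"):
    """Return (upgrades, unfixed): upgrades maps each target to the package bumps
    that close findings at or above min_severity; unfixed lists findings with no
    fixed version, which need a base-image change or a compensating control."""
    threshold = RANK[min_severity]
    upgrades, unfixed = {}, []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            fixed = vuln.get("FixedVersion", "")
            if fixed:  # several CVEs can hit one package: dedupe via the set
                upgrades.setdefault(result["Target"], set()).add(
                    (vuln["PkgName"], vuln["InstalledVersion"], fixed))
            else:
                unfixed.append((result["Target"], vuln["VulnerabilityID"], vuln["PkgName"]))
    return {t: sorted(s) for t, s in upgrades.items()}, unfixed

if __name__ == "__main__":
    upgrades, unfixed = triage(SAMPLE_REPORT)
    for target, pkgs in upgrades.items():
        print(target, *[f"  upgrade {p}: {i} -> {f}" for p, i, f in pkgs], sep="\n")
    for target, vuln_id, pkg in unfixed:
        print(f"NO FIX: {vuln_id} in {pkg} ({target})")
```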
Some Critical Issues Found
Library | Vulnerability ID | Severity | Installed Version | Fixed Version | Title |
---|---|---|---|---|---|
busybox | CVE-2022-28391 | CRITICAL | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting package busybox 1.35.0 -> avd.aquasec.com/nvd/cve-2022-28391 |
ssl_client | CVE-2022-28391 | CRITICAL | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting package busybox 1.35.0 -> avd.aquasec.com/nvd/cve-2022-28391 |