Docker Announces New Security Enhancements
November 16, 2015

Docker, the open platform for distributed applications, announced new security enhancements that safeguard and protect Dockerized distributed applications, while preserving developer agility.

This security offering includes hardware signing of container images, content auditing through image scanning and vulnerability detection and granular access control policies with user namespaces.

Hardware signing and scanning of container images directly addresses the trust and integrity of application content. Both are universal considerations in the application lifecycle and are becoming a central focus for organizations with Dockerized distributed applications in production, which accounts for 40 percent of all organizations using Docker. These new capabilities, in combination with Docker’s existing security options, ensure the publisher of the content is verified, chain of trust is protected and containerized content is verified via image scanning.

“It has been our goal from the beginning to develop a framework that secures Dockerized distributed applications throughout the entire application lifecycle,“ said Solomon Hykes, CTO and Chief Architect of Docker. “With this latest set of capabilities, we continue to drive our users and ecosystem forward with industry-first innovations and best practices that advance the end-to-end security of distributed applications. Furthermore, we’ve enabled developers and IT ops to benefit from a more secure environment, without having to learn a new set of commands or to be trained on a deep set of security principles. Docker security works as part an integrated component without any disruption to developer productivity while providing IT with the appropriate level of security controls .”

This new security enhancement builds on Docker Content Trust, a framework that allows verification of the image publisher, and offers users a solution that meets the strongest security standard for software distribution. Based on Notary and The Update Framework (TUF), a secure general design for the problem of software distribution and updates, Docker Content Trust delivers the highest level of security without compromising developer agility. With these advancements, users have a solution that works across any infrastructure, offering unprecedented security for Dockerized distributed applications. Prior to Docker Content Trust, IT operations had no way to validate content. Docker Content Trust not only verifies the publisher, but it also ensures the integrity of the content.

Docker Content Trust’s hardware signing is made available through support for the Yubico’s YubiKey, the first hardware key to provide content security for containers. Together, Docker and Yubico have deployed the world’s first touch-to-sign code signing system using YubiKeys, enabling secure software creation for Docker developers, sysadmin and third-party ISVs. With the YubiKey 4, Docker users can digitally sign code during initial development and through subsequent updates to ensure the integrity of the Dockerized application throughout the application pipeline.

Docker is also offering a new secure service for its Official Repos that provides direct visibility into the content security of ISV software that is part of this set of images. Docker image scanning and vulnerability detection provides the industry’s first container-optimized capability for granular auditing of images, presenting the results to ISVs and sharing the final output for Docker users to make decisions on which content to use based on their security policies. As part of the service, if an issue is detected, the ISV can fix any vulnerabilities to upgrade the security profile of their content. Because Official Repos is also integrated with Docker Content Trust, users are able to establish the validity of the publisher and as well as the integrity of the image content. The end result is that IT organizations can rely on Official Repos as a curated source for secure, high-integrity content.

This new capability addresses IT operations concerns about getting information regarding what’s inside the container. Users for the first time are presented with automated insights that give them the instant visibility they need to determine if they want to use that image or not. Previously IT operations would have to rely on the information published by each ISV on the state of their content and have to actively monitor the CVEs (Common Vulnerability and Exposures) for each one. With Docker, ISVs will have an opportunity to market their up-to-date secure content, with thorough details on what’s inside the container image, to a user community that is pulling 4,000 containers a minute.

Introduced as part of the 1.9 Experimental release, user namespaces gives IT operations the ability to separate container and Docker daemon-level privileges to assign privileges for each container by user group. This means for the first time containers themselves don’t have access to root on the host; only the Docker daemon does. Additionally, IT operations will lock down hosts to a restricted group of sysadmins per security best practices.

Also with this capability, IT ops can establish more granular access control rights, enabling them to establish explicit permissions for different Dockerized services by departments or teams and enabling those groups to work within the bounds of the privileges that have been set. This separation also prevents one organization from having control over another organization’s application services.

Hardware signing is available in Docker Experimental and Notary 0.1.

Image scanning and vulnerability detection is now available for all Official Repos on Docker Hub. All Official Repos have been signed and scanned by Docker, Inc.

User namespaces is available in Docker Experimental.

Share this

Industry News

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.

March 16, 2023

Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.

March 16, 2023

CAST AI has announced the closing of a $20M investment round.

March 15, 2023

Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.

March 15, 2023

OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.

March 14, 2023

DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.

March 14, 2023

CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.

March 14, 2023

Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.

March 13, 2023

Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.

March 13, 2023

Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.

March 13, 2023

Descope has raised $53M in seed funding and emerged from stealth to launch a frictionless, secure, and developer-friendly authentication and user management platform.

March 09, 2023

Loft Labs announced Loft v3 with new capabilities and flexibility for platform teams to build and enable their development teams with a self-service Kubernetes.

March 09, 2023

AWS Application Composer is now generally available.