Organizations are increasingly facing new challenges in trying to protect their software supply chain. This has become especially difficult as the workforce has transitioned to a more distributed model with organizations scaling and onboarding more developers on distributed teams. With the number of software supply-chain attacks increasing by 650% in 2021, coordinating all of these developers introduces serious security, management, and visibility challenges for organizations.
We recently hosted a webinar, Securing the Software Supply Chain with Docker Business, which is now available on-demand if you missed it. In the webinar, Docker’s CTO Justin Cormack and Customer Success Engineer Nikhi Anand walked through common security challenges, best practices for securing content, how Docker is helping to address the recent Log4j vulnerability, what Docker is actively doing to help keep developers’ work secure, and how Docker Business helps organizations standardize their use of Docker in a way that is scalable and more secure.
Watch a recording of the security webinar on-demand, or keep reading to catch up on what you’ve missed.
Best Practices for Securing Content: Docker Trusted Content
One of the key starting points for securing the supply chain is your developers’ laptops. It’s important that you have insight into which images your developers are using, where they’re coming from, how they’re maintained, and if they conform to current security best practices. Docker trusted content programs like Docker Official Images and the Docker Verified Publisher program provide developers with validation that these images come from trusted sources, reducing the risk of pulling malicious images from impostor repositories.
Docker Official Images are a curated set of Docker repositories hosted on Docker Hub. These images have clear documentation, promote best practices, and are designed for the most common use cases.
The Docker Verified Publisher Program enables Independent Software Vendors (ISVs), development tools vendors, and platform providers to distribute Dockerized content through Docker Hub. The Verified Publisher badge included on the Docker Hub repositories indicates that these repositories are published by Docker partners and are qualified to be included in the developer secure supply chain.
Pulling and running arbitrary public images opens businesses to security risks. Trusted content, including Docker Official Images and the Docker Verified Publisher Images, delivers the reliable building blocks needed for safer application development. These images are maintained, updated on a regular basis, and follow security best practices.
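To show what "insight into which images your developers are using" can look like in practice, here is an added example (not Docker's code and not part of the webinar) that classifies every `FROM` line in a Dockerfile. It relies on the fact that Docker Official Images live in the `library` namespace on Docker Hub; the `APPROVED_PUBLISHERS` allowlist and the sample Dockerfile are constructed assumptions.

```python
import re

# Assumption: publisher namespaces your organization has reviewed (hypothetical value).
APPROVED_PUBLISHERS = {"examplevendor"}
HUB = ("docker.io", "index.docker.io")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def normalize(ref):
    """Return (registry, repository path) with tag and digest removed."""
    name = ref.split("@", 1)[0]                    # drop @sha256:... digest
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest               # explicit registry host
    else:
        registry, path = "docker.io", name         # Docker Hub is the default
    head, _, last = path.rpartition("/")
    last = last.split(":", 1)[0]                   # drop :tag
    path = f"{head}/{last}" if head else last
    if registry in HUB and "/" not in path:
        path = "library/" + path                   # bare names are Official Images
    return registry, path

def classify(ref):
    if "$" in ref:
        return "unresolved"                        # ARG-substituted, check at build time
    registry, path = normalize(ref)
    namespace = path.split("/", 1)[0]
    if registry in HUB and namespace == "library":
        return "official"
    if registry in HUB and namespace in APPROVED_PUBLISHERS:
        return "approved-publisher"
    return "unreviewed"

def audit(dockerfile_text):  # classify the base image of every FROM line
    stages, results = set(), []
    for m in filter(None, map(FROM_RE.match, dockerfile_text.splitlines())):
        ref, alias = m.group(1), m.group(2)
        local = ref == "scratch" or ref.lower() in stages   # nothing is pulled
        results.append((ref, "local" if local else classify(ref)))
        if alias:
            stages.add(alias.lower())
    return results

# Constructed sample Dockerfile lines (image names are illustrative only).
SAMPLE = "\n".join([
    "FROM golang:1.21 AS build", "FROM --platform=linux/amd64 examplevendor/runtime:2",
    "FROM some-user/python:3.12", "FROM ghcr.io/acme/tool@sha256:abc", "FROM ${BASE}", "FROM build",
])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Anything reported as `unreviewed` or `unresolved` is a candidate for manual review before it reaches a shared build.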
During the webinar, Docker CTO Justin Cormack addressed the recent Log4j 2 vulnerability CVE-2021-44228. The Docker engineering team has been working on several solutions to help our users, including:
- Shipped several fixes to improve Docker vulnerability scanning so it’s able to pick up Log4j issues in container images. The team is tweaking this as needed.
- Added a note in the Docker Hub scanning interface that shows images affected by Log4j.
- Shipped a feature that shows whether Docker Official Images are vulnerable to Log4j or have been fixed.
- Put up a page on our website that shows Docker Official Images that contain vulnerable versions and information on the current status updates for Docker Official Images.
Docker’s own infrastructure and Docker Desktop are not affected by the Log4j 2 vulnerability. Docker largely uses Go code to build our applications, not Java. Although we do use some Java applications internally, we have confirmed we are not vulnerable to CVE-2021-44228 and CVE-2021-45046.
What Makes Docker Desktop Secure?
Docker Desktop is an integrated product designed to be a secure desktop system for users. In terms of mitigating security risks, Docker Desktop has a secure lightweight Linux VM that is managed by Docker. As well as setting up this VM with secure defaults, Docker Desktop keeps this VM and all other components up to date for you over time by applying curl patches or security fixes as required. Docker Desktop also offers a choice of a Microsoft Hyper-V or WSL 2 backend. The Hyper-V backend we ship is fully managed by Docker.
Docker Business offers a control plane with features like Image Access Management and (soon to ship) Registry Access Management so admins can control and manage the images their developers are working with. We’ve been working on additional observability features and we’d love to hear your feedback. Please upvote and let us know which features would be most useful for your developers on our roadmap.
Docker vs DIY from a Security Standpoint
One common challenge businesses face in driving innovation is ensuring developers have the tools they need to simplify their work and create value while spending minimal time on work that isn’t core to the business. Most businesses have a strong preference to buy commercial software rather than trying to build their own. Some of the key factors in making these decisions are:
- Cost of time
- Opportunity cost
- Time to value
- Cost of security risks
- Does DIY with open source software make sense for our organization?
If developers are spending time building DIY development projects that aren’t core to the business, it could have a big impact on time to value and return on investment. If you’re considering a DIY approach with open source software and Docker Engine, it’s important to consider whether or not your software teams and engineering resources are prepared and equipped to keep all of the components of a DIY solution updated and all vulnerabilities patched over time.
When you take into account several factors, including the cost of time, time to value, and whether a DIY solution is the best for your organization, the data shows that most organizations will be better off buying commercial software rather than trying to build their own solutions.
Docker SSO is Coming
Some final callouts from the webinar include the announcement that SSO is coming in January 2022 (this month). SSO will enable users to authenticate using their organization’s standard identity provider to access Docker. This is one of our most requested features and is included with a Docker Business subscription.
Whitepaper: Build Modern and Secure Applications at Scale with Docker Business
To learn more about some of the topics discussed in the webinar and how Docker Business helps secure the software supply chain with advanced features and capabilities, check out our new Docker Business whitepaper.
Docker’s CTO Justin Cormack and Customer Success Engineer Nikhi Anand answered questions live during the webinar. We’ve captured those questions and answers below.
Is personal data collected with a Docker Desktop Subscription?
We don’t collect any personal data or PII on Docker Desktop. We do collect anonymized data to better understand how people are using our products so we can improve them; however, all users have the option to opt out of anonymous data collection in their settings. In the future, we will offer a Docker Business feature that allows everyone in an organization to opt out. Folks need to opt out on an individual basis for now, but this feature is on our roadmap.
Is Docker Business subscription a SaaS offering?
Yes, the Docker Business control plane is offered as a service, but Docker Desktop itself runs stand-alone on a developer’s workstation. We understand developers like to work offline, so admins can set whether they require team members to log in, and you can use Docker Desktop disconnected from the business control plane.
How should I handle Log4j in my containers?
Rebuilding and updating are your best solutions right now. The most important thing is to update to a fixed version as soon as you can. If you’re using Docker Official Images and deploying as is, look at the release notes on the Docker Official Images site and it’ll tell you if that version has been fixed. We provided scanning tools in the latest release of Docker Desktop that can detect if you have managed to remediate everything effectively so you can use those tools to help make sure that you’ve updated and that you haven’t missed anything.
What are the benefits of updating to the latest version of Docker Desktop?
It is highly recommended to upgrade to the newest version. The longer that you stay on aging software, the greater the security risk that you create for yourself. Specifically, old software doesn’t have patches for recently discovered security vulnerabilities, whereas new, frequently updated software (one of the features of Docker Desktop) always has the latest patches.
Which one is more secure, Hyper-V or WSL 2?
The general consensus right now is that Hyper-V is a little more secure and easier to manage, especially with Docker Desktop Hyper-V management and updates. WSL 2 gives you more features and a lot of developers enjoy using WSL 2 on Windows, so Docker provides both options. The right option for you and your team really depends on your organization’s needs and requirements.
If we deploy an image to our clients, do the clients need to have a Docker Business subscription to run the image if they have more than 150 employees?
Docker Desktop is licensed based on the person who is using it so yes, your client will need a Docker Business subscription. We’ve had a lot of questions about this type of usage and we know that a lot of folks are using Docker Desktop in this way so we’re interested in learning more about which kind of integrated extensions to Docker Desktop would be helpful for the community. We have a roadmap issue around Desktop Extensions, please share your feedback with us there!
Can you talk a little about container signing and validation and how it’s implemented?
We shipped an integrated project called Notary into Docker Hub years ago. We’re working with Microsoft, Amazon, and other partners on an updated version of this and we’re looking at it as the new container signing framework. We’re planning for this to come out in 2022.
Conclusion and additional resources
Thanks for joining us for our Securing the Software Supply Chain with Docker Business webinar. Below are some additional resources to check out if you want to learn more about Docker Security practices and Docker Business.
- The Grace Period for the Docker Subscription Service Agreement Ends Soon – Here’s What You Need to Know
- On-demand webinar: Management & Security at Scale with Docker Business
- Web page: Considerations for Evaluating Docker Desktop Alternatives
- Whitepaper: Build Modern and Secure Applications at Scale with Docker Business
- Blog: Secure Software Supply Chain Best Practices