Introduction to Docker Security 101

What is Docker?

Why should you learn Docker?

  1. Dockerized apps don’t require their own operating system. So maintaining apps doesn’t also mean maintaining the system on which they run. Only your host system’s OS needs to be updated and secured, leaving you time to do the thousand other things SysAdmins need to do!
  2. Each Dockerized app gets its own set of dependencies. There’s no longer any need to worry about conflicting versions of libraries. If one app needs PHP version 5.2 and another needs 5.4, with Docker that’s no problem!
  3. Most of the heavy lifting is already done. The Docker community maintains the images at Docker Hub, which means setting up complete application environments is a simple one-line command. Rather than taking the time to set up the system your app requires, you can devote your time to developing your application.
  4. Controlling Docker containers can be fully automated. Remember that single-line command for setting up an environment? It can be scripted or automated like any other command-line tool. That means you can programmatically scale and deploy applications without wasting valuable hands-on time.

Docker architecture and its components

  1. Docker Client (CLI): The Docker client (docker) is the primary way that many Docker users interact with Docker. When you use commands such as docker run, the client sends these commands to dockerd, which carries them out. The docker command uses the Docker API.
  2. Docker Server (Daemon): Docker Enterprise allows you to run both Windows Server and Linux nodes in the same cluster, allowing organizations to secure and manage a diverse set of containerized applications.

What is docker security?

What are the types of attacks on docker?

Getting started with security best practices

1. Prefer minimal base images

  • Choosing images with fewer OS libraries and tools lowers the risk and attack surface of the container
  • Prefer alpine-based images over full-blown system OS images

2. Least privileged user

3. Sign and verify images to mitigate

  • Verify the trust and authenticity of the images you pull
  • Sign your images with the help of Notary

4. Find, fix and monitor for open source vulnerabilities

5. Don’t leak sensitive information to Docker images

  • Use multi-stage builds
  • Use the Docker secrets feature to mount sensitive files without caching them (supported only from Docker 18.04)
  • Use a .dockerignore file to avoid a hazardous COPY instruction, which pulls in sensitive files that are part of the build context

6. Use fixed tags for immutability

  • A verbose image tag with which to pin both version and operating system, for example: FROM node:8-alpine
  • An image hash to pin the exact contents, for example: FROM node:

7. Use COPY instead of ADD

  • Use COPY, unless ADD is specifically required.

8. Use metadata labels

9. Use a linter
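
As an added example (not code from the article or from any Docker tool), the sketch below shows what a Dockerfile linter checks for practices 2, 6, 7 and 8 above, run over two constructed Dockerfiles. The rule names and sample files are hypothetical, and only the final build stage is judged for USER and LABEL.

```python
import re
# Constructed sample Dockerfiles for illustration; neither is from the article.
WEAK = """\
FROM node
ADD . /app
CMD ["node", "/app/server.js"]
"""
HARDENED = """\
FROM node:8-alpine AS build
COPY . /app
FROM node:8-alpine
LABEL maintainer="security@example.com"
COPY --from=build /app /app
USER node
CMD ["node", "/app/server.js"]
"""

def instructions(text):
    """Yield (INSTRUCTION, args), joining backslash line continuations."""
    for line in map(str.strip, re.sub(r"\\[ \t]*\n", " ", text).splitlines()):
        if line and not line.startswith("#"):
            word, _, rest = line.partition(" ")
            yield word.upper(), rest.strip()

def lint(text):
    """Return the (hypothetical) rule ids a Dockerfile violates, in order found."""
    findings, stages, user, labelled = [], set(), None, False
    for ins, args in instructions(text):
        if ins == "FROM":
            user, labelled = None, False  # only the final stage ships
            m = re.match(r"(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", args, re.I)
            if not m:
                continue
            image, alias = m.groups()
            # Pinned = digest, or a tag other than "latest" (a registry port is not a tag).
            pinned = "@" in image or bool(re.search(r":(?!latest$)[^/]+$", image))
            if image.lower() not in stages and image != "scratch" and not pinned:
                findings.append("unpinned-base")
            if alias:
                stages.add(alias.lower())
        elif ins == "ADD":
            findings.append("add-instead-of-copy")
        elif ins == "USER":
            user = args.split(":")[0]  # "user:group" -> "user"
        elif ins == "LABEL":
            labelled = True
    if user in (None, "root", "0"):
        findings.append("runs-as-root")
    if not labelled:
        findings.append("no-labels")
    return findings
```

Calling lint(WEAK) reports all four rules, while lint(HARDENED) returns an empty list.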


Security Engineer |Help in building apps more secure|

Siddhanth Dwivedi
