This application relates to software containers, and more particularly to security features for software containers.
Virtual machines have gained popularity for a variety of computing tasks. A virtual machine is a software implementation of a physical machine that executes programs like a physical machine. A typical virtual machine includes an entire additional operating system that runs on top of a host operating system, and one or more applications that run within that additional operating system. Virtual machines enable administrators to run several operating system instances at the same time on a single server. A specialized application called a hypervisor manages the virtual machines that run on a given server. Running multiple operating system instances on a single physical machine, however, is resource-intensive.
More recently, software containers are being used as an alternative to running multiple virtual machines. Software containers allow administrators to virtualize a single application rather than an entire operating system. A software container includes a software application plus the dependencies required to run the application, bundled into one package. The dependencies may include libraries, binaries, and/or configuration files, for example. By containerizing the application and its dependencies, differences in operating system distributions and underlying infrastructure are abstracted away, making it easy to migrate an application between various environments (e.g., development, testing, and production). Multiple containers can be run in isolation from each other on a single host operating system, which provides an alternative to running multiple virtual machines and their accompanying operating systems on a single server. Because software containers allow an administrator to virtualize a single application rather than an entire operating system, running a given quantity of software containers is less resource-intensive than running the same quantity of virtual machines. One platform for building and running software containers is DOCKER.
As is the case with non-containerized software, software containers can be susceptible to software security vulnerabilities, which are security flaws, glitches, or weaknesses found in software that can be exploited. Software security vulnerabilities are often software bugs, for example failing to check the size of user input.
Enterprises seek visibility into which vulnerabilities exist in software within their infrastructure for security and compliance reasons. Although security is important, in many cases the main driver is compliance, because business continuity may depend on being able to prove to auditors that one's company is compliant with all relevant regulations. As an example, the Payment Card Industry Data Security Standard (PCI-DSS) requires that software not have vulnerabilities that are marked as high or medium severity.
Sorting through and resolving identified vulnerabilities is a tedious manual process. Scanners are software tools that can be used to identify security vulnerabilities based on, for example, matching known patterns and signatures against software network activity and/or file system layout. Scanners sometimes identify seemingly relevant results that, upon subsequent manual investigation, turn out not to be relevant for a given environment.
The Common Vulnerability Scoring System (CVSS) is a formula for rating the severity of a vulnerability. Some administrators use CVSS scores to prioritize patching vulnerabilities, but determining these scores can be a tedious process as well.
Applying patches for relevant vulnerabilities can also require a lot of effort, as patching may involve determining a list of patches to be applied (as discussed above), applying those patches, and then testing to determine whether the patched environments still perform as intended. This can cause a potentially large amount of software container downtime.