November 19, 2020

1218 words 6 mins read

Most Docker container images have critical flaws

Most Docker container images have critical flaws

According to new research, over two million container images hosted on the Docker Hub repository harbor at least one critical vulnerability. In an analysis carried out by cyber security firm Prevasio on four million image containers, over half (51%) contained at least one critical vulnerability. SEE MORE Getting started with Docker SEE MORE Mirantis snaps up Docker’s enterprise platform SEE MOR

E ‘Doki’ malware attacks Docker servers using Dogecoin SEE MORE Docker partners with AWS to help take the complexity out of containerisation The research also found incidents of container images carrying embedded malware. It found 6,432 malicious or potentially harmful containers, representing 0.16% of all publicly available images at Docker Hub. “Our analysis of malicious containers also shows that quite a few images contain a dynamic payload. That is, an image in its original form does not have a malicious binary. However, at runtime, it might be scripted to download a source of a coin miner, to then compile and execute it,” said Sergei Shevchenko, CTO at Prevasio. In its report, Prevasio said if a developer takes a shortcut by fetching a pre-built image instead of composing a new image from scratch, there’s a viable risk that such pre-built images might come with a Trojan installed. If such an image ends up in production, the attackers may potentially access such containerized applications remotely via a backdoor. Mark Bower, senior vice president at comforte AG, told ITPro that platforms like Kubernetes enable immense application delivery power. However, the built-in security controls reflect classical data-at-rest and transport encryption, perimeter, and access control-based security.  “While these controls are important, the last decade has seen leading enterprises and data processors shift towards data-centric over perimeter controls to combat advanced malware, ransomware and insider risk to sensitive data,” Bower said. “Fundamentally, to thwart the variations of malware and attacks from misconfiguration or API exploitation, a data-centric approach is vital even with advanced container and app orchestration ecosystems to avoid data compromise or attacks that can create havoc for data-hungry enterprises depending on them.” Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), told ITPro that when selecting an image from Docker Hub, a development team is implicitly stating that they trust the security practices of the author of that container image.  “Such implicit trust is risky from a security perspective, which is why many organizations are now creating hardened container images where the image hardening process is managed by a dedicated team skilled in operating system hardening which is separate from the core development team. These hardened images are then pushed to an internal registry and policies are defined that only allow images originating from hardened images in that internal registry to execute in a production cluster,” Mackey said.

Date: 2020-12-02

URL: http://feeds.itpro.co.uk/~r/ITPro/Today/~3/jjEY8Uo4eQ0/most-docker-container-images-have-critical-flaws

itpro.co.uk
Lexmark C3426dw review: Laser precision (2020-11-25) Lexmarks GO Line series of lasers is aimed at businesses with relatively light printing needs and within that family the C3426dw is the top-end colour model It delivers good speeds and excellent output quality for a low starting price: the trade-off is running costs which are a little steeper than youll find with other lasers The starter cartridges supplied with the C3426dw are only rated for 1500..
What is AES encryption? (2019-09-30) Since Roman times encryption has been essential in keeping communications between parties private and secure Today it is more important than ever in keeping our online purchasing and banking safe form cybercriminals SEE MORE The truth about encryption SEE MORE What is public key infrastructure PKI? SEE MORE What is PGP? There are several forms of encryption that can be used to secure data whether ..
Facebook may finally launch its Libra cryptocurrency in early 2021 (2020-11-27) The embattled Libra cryptocurrency built by Facebook will make its long-awaited launch as early as January after a tumultuous two years in developmentand rising scepticism among backers and regulators The social media giant announced its own stablecoin in June 2019 backed by a host of big names in the finance sector as a means for customers to send and receive payments without the need for a banki..
Python founder Guido van Rossum joins Microsoft (2020-11-13) Renowned programmer and founder of the Python programming language Guido van Rossum has come out of retirement to join Microsofts development team More than a year after announcing his retirement van Rossum has decided to take up a role with the companys Development Division with a view to making Python generally better to use and not just for Windows 10 SEE MORE The ultimate guide to becoming a p..
IT Pro 20/20: Why tech can’t close the diversity gap (2020-12-01) Welcome to the tenthissue ofIT Pro 20/20 ourdigital magazine that brings all of the previous months most important tech issues into clear view Diversity has always been a challenge for the technology industry Its one of those few industries that struggles to maintain a varied talent pool with white males still taking the single biggest share of the employee demographic This is a problem weve known..
Survey finds web app attacks are up 800% compared to 2019 (2020-11-23) Web application attacks have increased by over 800% according to the State of the Web Security for H1 2020 report Published by CDN and cloud security provider CDNetworks the report found that during the first half of this year web application attacks which use malformed requests or injected payloads to steal data modify data or obtain privileges illicitly increased nine times relative to H1 2019 C..
17 Windows 10 problems - and how to fix them (2019-11-04) Windows is the best-selling and most popular operating system in the world In the last forty years the OS has been central to both business and consumer computing as the glue to run various computing functions for many Most people whether at work or at home have used a version of Windows in one form or another The Microsoft system is almost everywhere barring MacOS and Linux The latest version Win..
What is public key infrastructure (PKI)? (2020-05-27) One of the most important elements of digital encryption and cryptography is public key infrastructure PKI which is an essential component of security technology PKI governs the management and deployment of digital certification and public key encryption by establishing the roles policies and procedures required This crucial element is normally deployed to keep information conveyed through digital..
What is phishing? (2018-09-18) Balanced scepticism is anundervalued trait these days Treating every email with the same scrutiny is obviously a tiring job but sadly individuals not doing so is why phishing is such a successful hacking technique It is a rather personalattack method attempting to trick you into believing that a trusted source - the taxman your employer even your friends - needs something from you This could be in..
NHS Test and Trace suffers second software glitch in a week (2020-11-04) More than 7000 people have been given the wrong dates for self-isolation due to another software glitch plaguingthe UKs Test and Trace app Users of the service that had come into contact with a person that had tested positive for coronavirus were given incorrect start and end dates for quarantine according to Sky News SEE MORE The NHS has yet to assess the risks of holding Test and Trace data for ..
docker aws kubernetes security cyber security
Compact and bijou: Shrinking IT infrastructures

Compact and bijou: Shrinking IT infrastructures

September 14, 2020

To manage the rapid changes taking place across the commercial landscape, adding more IT infrastructure has become the norm. However, in a post-cor world, reverting to a leaner IT infrastructure that’s better suited to the new normal of work has moved to the top of the IT agendas of many companies. Speaking to IT Pro, Tim Pieters, platinion manager at the Boston Consulting Group, explains: “Have n
Style vs substance: how to build an agile digital offering in a post-Covid age

Style vs substance: how to build an agile digital offering in a post-Covid age

August 28, 2020

Agencies must strike a balance between innovation and durability in creating products that are crisis-resilient, says Andrew Dunbar There's nothing like a global health pandemic to throw your priority list into sharp focus. For medics, that means saving lives on the front line. For agencies, it's the less heroic - but also pivotal - role of sharpening their digital toolkits to withst
Enterprise hits and misses - HR tech gets a hard look Uber and Lyft get an election day reprieve and algorithms get a fairness backlash

Enterprise hits and misses - HR tech gets a hard look Uber and Lyft get an election day reprieve and algorithms get a fairness backlash

July 28, 2020

Enterprise hits and misses - HR tech gets a hard look, Uber and Lyft get an election day reprieve, and algorithms get a fairness backlash Jon Reed Mon, 11/09/2020 - 16:34 Summary: This week - HR tech is murky, but a closer look at the HR Tech show clears the view. Uber and Lyft get good news on election day, but the issues of the gig economy linger. Algorithms-in-practice prove
Cloud native explained An interview with Cheryl Hung VP Ecosystem at CNCF

Cloud native explained An interview with Cheryl Hung VP Ecosystem at CNCF

June 26, 2020

The containers, Kubernetes and microservices revolution has been bubbling away for some time now, but IT leaders could be excused for having a limited understanding of the whys and wherefores of a topic that can sometimes seem like a bewildering mix of technical minutiae and marketing babble. Indeed, a recent survey by Computing Delta found that only a third of the IT leaders polled had a firm gra
Oracle announces new dual-region UK Government Cloud operating from data centres in London and Wales

Oracle announces new dual-region UK Government Cloud operating from data centres in London and Wales

June 22, 2020

Data centres in England and Wales are linked by a high speed backbone Oracle has announced a 'dual-region Government Cloud', private cloud infrastructure designed specifically for the UK government's needs to store and process official information and transactions securely. The dual-region cloud consists of two data centres for disaster recovery purposes - an existing facility in Lon
Sonrai Security Raises $20M to Uncover and Map Cloud Platform Security Risks

Sonrai Security Raises $20M to Uncover and Map Cloud Platform Security Risks

June 20, 2020

Brendan Hannigan and Sandy Bird are repeat entrepreneurs. They founded Q1 Labs, a company they started, scaled, and sold to IBM for ~$600M. The duo is now building Sonrai Security, an enterprise identity and data governance platform for AWS, Azure, Google Cloud, and Kubernetes. Hannigan joined AlleyWatch to share more about the company, the process of fundraising, and the company’s recent funding
What is digital transformation?

What is digital transformation?

June 16, 2020

‘Digital transformation’ is one of those phrases you may dismiss as business jargon, but it’s so much more than that. It can play a crucial role in evolving and growing your business. Most organisations will have gone through some sort of digital transformation in their lifetime. The right technology is often key to staying competitive, and during this challenging and uncertain year, adding digit
Harness integrates its continuous software delivery platform with Amazon ECS

Harness integrates its continuous software delivery platform with Amazon ECS

November 18, 2020

Continuous software delivery startup Harness Inc. said today it’s integrating its platform with Amazon Web Services Inc.’s Elastic Container Service in a move that will enable users to run applications in Docker containers with less scripting and redundancy. Amazon ECS is a fully managed container orchestration service that rivals the better known open-source Kubernetes service. [] The post Harnes
Latest container moves by AWS signal customer preference for a hybrid and serverless world

Latest container moves by AWS signal customer preference for a hybrid and serverless world

November 18, 2020

The container-focused announcements from Amazon Web Services Inc. today contained one very important word: anywhere. The cloud provider announced ECS Anywhere and EKS Anywhere as new hybrid container capabilities that can be run on-premises and in the cloud. While EKS is Kubernetes-specific and ECS handles general container orchestration, the most recent news from AWS recognizes that customers wan