What security issues are lurking in your production applications, waiting to bite you?
This is a surprisingly difficult question. Despite the availability of more security tools and techniques than ever, most teams aren't confident that their applications are free of dangerous vulnerabilities before shipping. Why?
Engineering teams and security teams both want to ship secure software, and know that they need to shift left to do this, but it's hard to make this a reality. Current tools and practices are geared around scanning for and reporting on vulnerabilities. As a result, developers are flooded by a firehose of noisy scan results that are hard to make sense of and tempting to ignore.
Shipping more secure software requires developer engagement, so it needs to be easier for dev teams to adopt security practices into the development process. Paying down a mountain of security debt just to keep shipping is seldom realistic.
Simple security is better security
There are two very powerful ways to improve security that are easier to adopt into the development process — keeping up to date, and detecting changes that make things worse.
- Keep up to date — Moving to newer versions of packages or container base images when they become available means that you get the latest fixes from the maintainers and reduce known vulnerabilities over time. Integrating updates into your development flow means that you take up fixes as they become available rather than having to remember to update periodically.
- Detect changes that make things worse — Looking at the security impact of changes when they happen makes it much easier to address critical issues before they get out into the wild. Knowing that a build of an app introduces a new high-severity vulnerability compared to the version running in production means that you can intervene and ensure that changes don't make the app less secure. Over time, this ratchets up the security of your applications and helps align developers and security teams.
While these approaches are conceptually simple, they are hard to adopt without tooling support. It's easier for a service to track new releases and suggest the necessary changes than for a human. Detecting changes that make things worse turns out to be a difficult problem, especially for Dockerfiles. While various tools track Docker base image vulnerabilities, built images heading to production may have a very different security footprint due to package updates and other changes at build time.
At Atomist, we've been working on solving these problems and just shipped an early access version of a service that helps you keep up to date and know when new vulnerabilities are introduced. Initially, we're focusing on Docker image security and will apply the approach to other aspects of application security over time.
The initial ship, available now, supports:
- Keeping Docker base image tags updated — Helps minimize vulnerabilities and ensures consistent builds by keeping base image tag references in your Dockerfiles up to date. See a recent blog by Atomist engineer James Carnegie for why this is is important, whatever tools you use.
- Checking for unsupported Docker images — Detects when tags for official Docker images are no longer supported. People often set tags and lose track of when an image is no longer supported by the maintainer, meaning that bugs and vulnerabilities don’t get fixed. Atomist co-founder, Jim Clark, wrote a blog breaking down what's up with official images.
- Dockerfile best practices — Avoid common Dockerfile misconfigurations and usage that can cause security and operational problems. This feature scans Dockerfiles checking for issues related to Docker's best practices for Dockerfiles. This uses hadolint/ShellCheck under the covers.
- Providing an overview of Docker image status across your repositories in a single screen. See which images have been built from which repositories and whether the base images are up to date and supported.
Soon we'll be adding support for keeping new image vulnerabilities out of production that goes beyond simple base image tracking by linking commits to built images so developers and security engineers are on the same page.