In late 2016 we enlisted the help of security analysts and thought leaders Securosis to perform an in-depth best practices analysis of what companies should do to build a security program around containers. In the 14 months that passed, many things have evolved in the container (and now, cloud-native) ecosystem. So …
Continuous integration and continuous delivery (CI/CD) are two of the biggest trends in software development. As companies move to release higher quality software at a faster pace, developers and engineers need new approaches to building, testing, and delivering products. As a result, many companies are turning to …
This isn't a story about a Docker vulnerability; it's a story about how hackers are looking for unsecured Docker deployments where they can mine cryptocurrency. You shouldn't leave your Docker daemon unsecured any more than you would leave your mail server unsecured.
We’ve heard many accounts of attempted (sometimes …
Storage has been a hot topic for as long as containers have been around. According to a survey by Portworx, 26% of IT pros cite persistent storage as the most difficult challenge in adopting containers, and 44% blame inadequate tools as the main reason. Although containers are stateless by design, the need to store …
From a “humble” $762 million in 2016, containers are predicted to grow faster than any other technology this year (as well as the next) and are on the way to become a $2.7B industry by 2020.
Last week McKinsey & Company named container technology and DevOps as two of the top Ten trends redefining enterprise IT infrastructure and for good reason. No longer considered as “bleeding edge”, containers, combined with DevOps, are revolutionizing the way applications are built and deployed. In a recent survey …
In just about a week we will be live on stage at BlackHat 2017 with this tersely titled talk: Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers, and we are very excited.
Last week I attended DockerCon along with many of my colleagues at Aqua. It was a great event, with over 5,000 attendees, making it the biggest DockerCon ever. Also, this year 20% of attendees were women - still room for improvement, but we’re on the right track. As usual, it was packed with interesting announcements …
Would you ever give your keys to a stranger? That’s exactly what someone at IBM did: they left private keys to the Docker host environment in IBM’s Data Science Experience service accessible to the outside world. Wayne Chang, security consultant who found this, explains in his original report:
DevOps professionals continue to believe they can’t do their jobs properly because security slows down operations. Security pros, meanwhile, have largely failed to integrate security measures into DevOps initiative, resulting in unproductive friction.
RunC Like the Wind
Recently, an interesting vulnerability was discovered (CVE-2016-9962) that enables container escape to the host. The vulnerability stems from a bug found in opencontainers' runc code, which is used by several container engines, including Docker.