The ability to find and use a free public Docker base image makes it easy to bootstrap the creation of a new Microservice.
However, “easy” doesn’t equate to “good.” Using a Docker base image is much like including an external library. It’s really important to know what baggage you are dragging into your project, particularly security issues. Who wants their service to be the cause of a security breach? (SANS has a great whitepaper on this topic.)
So, what do you do? Read the code? (See what Jack Diederich has to say about this in the excellent Stop Writing Classes video.) Most don’t have the time or skills. Is the code even available? Not always. Ideally, you get initial insight into security issues, with enough detail to support further research if necessary. Tripwire for DevOps provides that essential insight and vets your Microservice for security issues.
As part of the team building Tripwire for DevOps, I first took a look at popular public base-images, those images typically found in the FROM line of a Dockerfile. I built a large Docker Registry of base-images and used Tripwire for DevOps to evaluate hundreds of versions (tags) to get a picture of how well our system would work on day one. This was not a new idea; in fact, researchers at North Carolina State University did just what I did over a year ago.
The results were interesting, and our system found vulnerabilities in many base image repositories.
For example, we evaluated a variety of OpenJDK Docker images for Java from the Official Repository for OpenJDK, the Azul OpenJDK repository and Oracle’s OpenJDK repository. The majority of the tags passed our default Quality Gate, where any image with CVSS v2 or v3 vulnerabilities above a medium value is (Read more...)
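The two mechanics described above, collecting the base images named in a Dockerfile's FROM lines and applying a quality gate that fails an image tag on any CVSS v2 or v3 finding above medium, can be illustrated with a small standalone script. This is an added example, not code from the original post or from Tripwire for DevOps; it assumes a constructed list of findings (the CVE ids are placeholders), and it reads "above medium" as a base score of 7.0 or higher, which is where the High band starts on both CVSS scales.

```python
"""Illustrative quality gate for container base images (added example).

Assumptions, not taken from the original post:
  - findings per image tag are a constructed in-memory list of dicts,
    standing in for the output of an image scanner;
  - "above medium" means a CVSS v2 or v3 base score >= 7.0 (the High band).
"""
import re

HIGH_THRESHOLD = 7.0  # assumption: CVSS v2 and v3 both start "High" at 7.0

# Constructed sample findings keyed by image tag. CVE ids are placeholders.
SAMPLE_FINDINGS = {
    "openjdk:8-jre": [
        {"id": "CVE-PLACEHOLDER-0001", "cvss_v2": 5.0, "cvss_v3": 5.3},
        {"id": "CVE-PLACEHOLDER-0002", "cvss_v2": 6.8, "cvss_v3": 7.5},
    ],
    "openjdk:11-jre-slim": [
        {"id": "CVE-PLACEHOLDER-0003", "cvss_v2": 4.3, "cvss_v3": None},
    ],
    "openjdk:17-slim": [],
}

# Constructed multi-stage Dockerfile used as parser input.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 openjdk:11-jre-slim AS builder
COPY . /src
FROM builder AS test
RUN echo test
FROM openjdk:17-slim
COPY --from=builder /src/app.jar /app.jar
"""

# FROM [--platform=...] <image> [AS <stage>]  (case-insensitive keywords)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)


def base_images(dockerfile_text):
    """Return external base image references from FROM lines, in order.

    References to earlier build stages (FROM <alias>) and the special
    'scratch' image are skipped, since they pull nothing from a registry.
    """
    stages = set()
    images = []
    for line in dockerfile_text.splitlines():
        match = FROM_RE.match(line)
        if not match:
            continue
        ref, alias = match.group(1), match.group(2)
        if ref.lower() not in stages and ref.lower() != "scratch":
            images.append(ref)
        if alias:
            stages.add(alias.lower())
    return images


def gate_image(findings, threshold=HIGH_THRESHOLD):
    """Apply the quality gate to one image's findings.

    Returns (passed, failing_ids): the gate fails when any finding has a
    CVSS v2 or v3 score at or above the threshold; a missing score (None)
    on one scale never masks a failing score on the other.
    """
    failing = [
        f["id"]
        for f in findings
        if any(
            score is not None and score >= threshold
            for score in (f.get("cvss_v2"), f.get("cvss_v3"))
        )
    ]
    return (len(failing) == 0, failing)


def gate_dockerfile(dockerfile_text, findings_by_tag, threshold=HIGH_THRESHOLD):
    """Gate every base image a Dockerfile pulls; unknown tags map to None."""
    results = {}
    for image in base_images(dockerfile_text):
        findings = findings_by_tag.get(image)
        results[image] = None if findings is None else gate_image(findings, threshold)
    return results


if __name__ == "__main__":
    for image, result in gate_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_FINDINGS).items():
        if result is None:
            print(f"{image}: no scan data")
        else:
            passed, failing = result
            print(f"{image}: {'PASS' if passed else 'FAIL'} {failing}")
```

Treating an unscanned tag as "no data" rather than as a pass matters in practice: an image that was never evaluated should block a build just as a failing one does, otherwise a typo in a tag quietly bypasses the gate.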
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Mitch Thomas. Read the original post at: https://www.tripwire.com/state-of-security/devops/vulnerabilities-docker-base-images/