{"id":270151,"date":"2021-06-09T15:00:00","date_gmt":"2021-06-09T12:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-dockers-verified-publisher-program-helps-your-security-cloudsavvy-it\/"},"modified":"2021-06-09T15:00:00","modified_gmt":"2021-06-09T12:00:00","slug":"how-dockers-verified-publisher-program-helps-your-security-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-dockers-verified-publisher-program-helps-your-security-cloudsavvy-it\/","title":{"rendered":"#How Docker\u2019s Verified Publisher Program Helps Your Security \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How Docker\u2019s Verified Publisher Program Helps Your Security \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p>Docker makes spinning up containers a breeze. But how do you know if a container pulled from Docker Hub contains backdoors or malware? 
Docker\u2019s Verified Publisher initiative addresses that very concern.<\/p>\n<h2 id=\"popularity-makes-you-a-target\"><span class=\"ez-toc-section\" id=\"Popularity_Makes_You_a_Target\"><\/span>Popularity Makes You a Target<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Cybercriminals like nothing more than easy routes to victims\u2019 machines and, needless to say, the more the merrier. If a product or platform becomes hugely popular, you can bet that it catches the attention of the threat actors who will try to leverage that success to their advantage.<\/p>\n<p>Docker is a world leader in containerization. For many people, it\u2019s the first name that springs to mind when containers are mentioned. Containers allow developers to wrap an application and its dependencies in a self-contained package called an image. This makes distributing the package easier because everything that\u2019s required to run the application is contained inside the image. There are never unmet dependencies, regardless of what machine the container is running on.<\/p>\n<p>Containers can be thought of as minimalist virtual machines. If they\u2019re providing an application, they don\u2019t need an operating system inside the container. They just need the application\u2019s dependencies. This reduces the size of the images and gives performance boosts when the container is running. The contents of the container run on the host computer\u2019s operating system, isolated from other processes.<\/p>\n<p>Because there are fewer things inside a container requiring resources and computational power compared to a virtual machine, they can run on more modest hardware. 
That means you can have more of them running on a single piece of hardware, with good performance, than you can on traditional virtual machines. Even containers that are built to provide different Linux distributions are just filesystem snapshots of the distribution. They are run using the kernel of the host computer.<\/p>\n<p>Much of the technology and many of the applications inside containers are open source. This means that they can be freely distributed and used by anyone. Docker containers allow you to adopt the maxim that servers should be treated like cattle, not pets. The benefits of containers have not only driven the widespread adoption of continuous integration and continuous deployment (CI\/CD), they have also enabled it.<\/p>\n<p>Mirantis bought Docker in November of 2019. At that time, Docker Enterprise was used by 30% of the Fortune 100 and 20% of the Global 500. Today, the Docker Hub services a mind-blowing 13 billion image pulls\u2014container downloads\u2014per month from nearly 8 million repositories.<\/p>\n<p>Those figures are far too impressive for cybercriminals to ignore. What could be simpler than creating compromised and malicious images, uploading them to Docker Hub, and waiting for unsuspecting users to download and use them?<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>What Does Docker Do, and When Should You Use It?<\/em><\/strong><\/p>\n<h2 id=\"the-problem-with-insecure-images\"><span class=\"ez-toc-section\" id=\"The_Problem_with_Insecure_Images\"><\/span>The Problem with Insecure Images<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There\u2019s an inherent problem with pulling images from a repository and using them. 
You don\u2019t know if they\u2019ve been created with security in mind, or if the software components inside the container are the current versions and still within their supported life cycle. Have they had all available bug fixes and security patches applied to them? Or worse, do they contain malicious code that has been deliberately planted by threat actors?<\/p>\n<p>Docker faces a similar problem to Apple and Google. Apple and Google have to try to police the App Store and Google Play for malicious apps. Docker is taking a slightly different approach. Docker removes container images that are found to be malicious. It\u2019s also providing a verification scheme for container publishers.<\/p>\n<p>In the past, Docker removed a collection of images that were uploaded by the Docker account docker123321. There were 17 or so containers from this single account that contained malicious code. The images were offered as innocent containers supporting apps such as Apache Tomcat and MySQL, but in addition, the containers harbored code that provided reverse SSH shells to the attackers, allowing them to access the containers whenever it suited them.<\/p>\n<p>Python reverse shells and Bash reverse shells were found, and one container even contained the threat actor\u2019s SSH key. This gave them remote access without the need for a password. Other containers were found to host cryptomining software. This meant that the containers were cryptojacked ahead of time. 
The unsuspecting user would be paying for the electricity and losing processing power to fund the cybercriminal\u2019s Monero cryptomining.<\/p>\n<p>These attacks are a blend of Trojan horse and supply chain attacks.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>How the Linux Foundation&#8217;s Software Signing Combats Supply Chain Attacks<\/em><\/strong><\/p>\n<h2 id=\"docker-verified-publisher\"><span class=\"ez-toc-section\" id=\"The_Verified_Publisher_Program\"><\/span>The Verified Publisher Program<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker already provides a collection of container images known as the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/hub.docker.com\/search?q=&amp;type=image&amp;image_filter=official\">Official Images<\/a>. These images are a curated set of containers that have been reviewed by a dedicated Docker team.<\/p>\n<p>The team collaborates with the upstream maintainers and providers of the software in the containers. The Official Images are examples of Docker container best practices, including clear documentation and the application of security patches. Docker Official Images have recently been available to a wider audience through more repositories.<\/p>\n<p>The\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/docker-hub\/publish\/\">Verified Publisher<\/a>\u00a0initiative provides access to Docker content that\u2019s differentiated by coming from known, verified, and trusted providers. There are over 200 software vendors signed up and ratified by the scheme, and the numbers are rising quickly. Images from verified publishers can be used with high confidence in mission-critical applications and infrastructure.<\/p>\n<p>The Verified Publisher and Official Images programs are complementary schemes. Many of the container images that are provided by Verified Publishers will also be Official Images. 
A pair of checkboxes on the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/hub.docker.com\/search?type=image\">Docker Hub Explore<\/a>\u00a0page lets you specify that the search results are constrained to include Official Images, images provided by Verified Publishers, or both.<\/p>\n<p><img class=\"alignnone size-full wp-image-11772\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/4a47a0db.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Verified Publishers and Official Images checkboxes on Docker Hub\" width=\"644\" height=\"350\" \/><\/p>\n<h2 id=\"goose\"><span class=\"ez-toc-section\" id=\"A_Welcome_Initiative\"><\/span>A Welcome Initiative<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The SolarWinds and Codecov attacks have shown just how effective supply-chain attacks can be. Attacking a central point that then compromises downstream consumers of products and services is an efficient distribution method. Compromised containers are a perfect way to distribute this type of attack. It plays on the belief that certain sources of information and software are inherently safe and can be trusted. And generally, that\u2019s the case. But as we\u2019ve seen, it\u2019s a big assumption.<\/p>\n<p>It\u2019s vital that organizations are clear about the provenance and integrity of containers that they pull back from repositories. 
Official Images and Verified Publishers can be thought of as a form of certification that makes it easier to know what can be trusted right out of the box.<\/p>\n<p>If you make Docker images that are publicly available, and you think that becoming a Verified Publisher will be advantageous to you, you can start the process of\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.docker.com\/partners\/programs\">applying to be in the scheme<\/a>\u00a0on the Verified Publisher web page.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Codecov Hacked! What To Do Now if You Use Codecov<\/em><\/strong><\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11766\/how-dockers-verified-publisher-program-helps-your-security\/\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How Docker\u2019s Verified Publisher Program Helps Your Security \u2013 CloudSavvy IT&#8221; Docker makes spinning up containers a breeze. But how do you know if a container pulled from Docker Hub contains backdoors or malware? Docker\u2019s Verified Publisher initiative addresses that very concern. Popularity Makes You a Target Cybercriminals like nothing more than easy routes to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":270152,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/06\/c454d054.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-270151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/270151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=270151"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/270151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/270152"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=270151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=270151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com
\/en\/wp-json\/wp\/v2\/tags?post=270151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}