
You can admit it. You love Docker because it makes building, testing, and shipping software easier for you. The problem is that attackers love Docker, too. Even if you’re already scanning your Docker images for vulnerabilities, the way your code is built and run inside containers can still put data at risk. The good news is that OWASP has your back. Recognizing that developers may not be systems and network security specialists, OWASP established a project specifically focused on Docker container security.

A shorter version was originally published in 2018 and a longer version in 2019; the current iteration of the Top 10 lives in a GitHub repository. In essence, the OWASP Docker Top 10 provides a threat model for containers and suggests security measures to mitigate those threats.

What are the threats to Docker containers?

The OWASP team breaks the eight main threats down into two primary categories of attack, against:

  • Host via network services, protocol flaw, or kernel exploit
  • Orchestration via network management backplane

The first five threats all start from the same initial attack vector: the attacker compromises the application and gains code execution (a shell) inside its container. From there, they diverge:

  • Container escape: Using a kernel exploit to break out of the container and control all containers running on the host
  • Other containers via network: Using shell access to attack another container through the network
  • Attacking the orchestration tool via network: Using shell access, then attacking the management interfaces or other attack surfaces of the orchestration tool
  • Attacking the host via network: Using shell access to attack an open port on the host
  • Attacking other resources via network: Using shell access to find and exploit a network-reachable vulnerability elsewhere

The last three threats cover attacks with different initial vectors:

  • Resource starvation: A misbehaving or compromised container on the same host consuming CPU, memory, disk, or network resources until other containers are starved
  • Host compromise: Compromising the host either through another container or the network
  • Integrity of images: Images containing malicious payloads passing from one step to the next in the CD pipeline

OWASP Docker Top 10

To protect Docker containers – or really any container if you can abstract the Docker-specific language OWASP uses – you can implement the security controls outlined below. 

D01 – Secure User Mapping

Applications should never run as root inside a container, because when attackers escape the application, they inherit the privileges it was running with. Run every microservice with the least privilege possible. To ensure this, you should:

  • Never use the --privileged flag, which hands the container nearly all of the host’s capabilities and device access
  • Run the application as a dedicated, unprivileged user ID (via USER in the Dockerfile or --user at run time), and enable Linux user namespaces on the daemon so that even UID 0 inside a container maps to an unprivileged UID on the host
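As an added example (not code from the OWASP project or from this article), the shell script below puts D01 into a check you can run before an image is built: it works out which user a Dockerfile ends with (the last USER instruction wins; none means root) and flags a docker run argument list that contains --privileged. The two Dockerfiles are constructed inline for illustration; the image name, user name and file paths are assumptions.

```shell
#!/bin/sh
# Added example for D01 (Secure User Mapping). Not from the OWASP Docker Top 10
# project; Dockerfile contents below are constructed for illustration.

# Constructed sample: never switches away from root, so the app (and an
# attacker who compromises it) runs as UID 0 inside the container.
WEAK_DOCKERFILE='FROM python:3.12-slim
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]'

# Constructed sample: creates an unprivileged account, hands it only the files
# it needs, and ends with USER so the process starts without root.
HARDENED_DOCKERFILE='FROM python:3.12-slim
RUN groupadd -r app && useradd -r -g app -d /app -s /usr/sbin/nologin app
COPY --chown=app:app app.py /app/app.py
USER app:app
CMD ["python", "/app/app.py"]'

# Print the user the final image runs as. The last USER instruction wins;
# an optional ":group" suffix is stripped; no USER instruction means root.
effective_user() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "USER" { u = $2 }
        END { if (u == "") u = "root"; sub(/:.*/, "", u); print u }'
}

# Succeed only when the image ends as a non-root user ("root" and UID 0 fail).
dockerfile_runs_as_nonroot() {
    case "$(effective_user "$1")" in
        root|0) return 1 ;;
        *)      return 0 ;;
    esac
}

# Succeed when a docker run argument list grants --privileged (a finding).
run_args_privileged() {
    for arg in "$@"; do
        case "$arg" in
            --privileged|--privileged=true) return 0 ;;
        esac
    done
    return 1
}

# Report one Dockerfile: name and contents.
report_dockerfile() {
    if dockerfile_runs_as_nonroot "$2"; then
        echo "$1: OK, final user is $(effective_user "$2")"
    else
        echo "$1: FAIL, image runs as root (D01)"
    fi
}

report_dockerfile WEAK_DOCKERFILE "$WEAK_DOCKERFILE"
report_dockerfile HARDENED_DOCKERFILE "$HARDENED_DOCKERFILE"

# Assumed run command for the hardened image; --privileged would undo D01.
if run_args_privileged docker run --rm --privileged example/app:1.0; then
    echo "run args: FAIL, --privileged present (D01)"
fi
if ! run_args_privileged docker run --rm --user 1000:1000 example/app:1.0; then
    echo "run args: OK, no --privileged"
fi
```

The Dockerfile check only covers the user inside the container; to also map that user to an unprivileged UID on the host, enable user namespace remapping on the daemon (for example "userns-remap": "default" in /etc/docker/daemon.json), which applies even to images that forgot the USER instruction.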

D02 – Patch Management Strategy