As more and more companies consume containers, they need to rethink the security and compliance implications of doing so.
The adoption of containers is creating some very serious concerns around security and compliance, and not many people are looking at the issue the way Dirk Hohndel, VP and Chief Open Source Officer at VMware, is.
“People look at containers as if they are something totally new and that change rules. They start treating containers differently. In reality, containers are packaging formats just like .rpms and .debs. The container packaging format is much more similar to the .exe and .dmg of Windows and macOS, where you basically ship a whole filesystem with all of your dependencies included. Since you are now including those dependencies you have to worry about those binaries – where they come from, how they were produced, and where the corresponding sources and copyright notices are,” said Hohndel.
Amid all the excitement around containers, people are simply overlooking these facts and not paying attention to them.
“I am worried about a rude awakening if there is a copyright troll or a concerned copyright owner who feels that their rights are being trampled and they start to enforce their rights. That could be very unfortunate,” he said.
“The standard industry practice is that if you develop a container, you start with something else that already exists. The question is who owns that something else?” he asked.
If you didn’t build it, you don’t know what’s inside. You don’t know whether the packages have known vulnerabilities. You don’t know whether you are in violation of the licenses of those components.
“How do you report the correct licenses, how do you give correct copyright notices and provide corresponding sources?” said Hohndel. “It’s about the way we package container images; it’s about packaging formats.”
The Worst Container Practices
What’s seen as best practices in the container world are worst practices in the eyes of Hohndel.
“You will find tons of Dockerfiles on Docker Hub. People are downloading these binaries from GitHub, making them executable and running them in their containers. That’s a compliance and security nightmare,” he said.
Hohndel gave an example of one such bad practice.
“The official Docker image of a very popular database added a repository from an independent company. Then they pinned all packages to that repository and ran ‘apt update apt upgrade’. Which means now every single package could be replaced by packages from that repository. You have no control over them,” he warned. “You no longer know what you’re running from a security and compliance perspective.”
VMware has been burnt before with compliance issues and is currently fighting a court battle over one. I think, as a seasoned open source expert who joined VMware from Intel, Hohndel is aware of the risks. He wants not only his company but every other company using open source to tread carefully, to be compliant and to be secure.
“If you look at some of the requirements to ship the corresponding source, you will find yourself in a tight spot if you run an Alpine container. It contains BusyBox, which, we all know, has very strong feelings about providing the corresponding source,” he said. “If you run an Alpine container, do you actually have access to the corresponding sources that you have to show, according to the copyright? This is a topic that I think this industry isn’t paying enough attention to.”
It’s Better To Be Safe Than…
Hohndel has a piece of advice for companies. “One of the simplest things you can do to control what’s inside of these container images is to simply turn off the internet access to the environment where you build your containers. Everything needs to come from internal resources which are verified.”
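To make the two build anti-patterns Hohndel describes concrete (the third-party apt repository pinned over the distro archive followed by a blanket upgrade, and the binary fetched from GitHub and made executable without any verification), here is a small POSIX shell linter that flags those instructions in a Dockerfile and shows a controlled build beside the careless one. This is an added example, not code from the article, from Hohndel or from VMware. Both Dockerfiles are constructed samples, and every host name, package name, version and digest in them is a placeholder; the base image in the "good" file is assumed to come from an internal registry whose apt sources already point at an internal mirror, which is the "everything from verified internal resources" setup the advice above calls for.

```shell
#!/bin/sh
# Added example, not code from the article, Hohndel or VMware: a linter for the
# container build anti-patterns discussed above. Both Dockerfiles below are
# constructed samples; every host, package, version and digest is a placeholder.

# Constructed "worst practice" image: a vendor apt repository is added and pinned
# above the distro archive, a blanket upgrade then pulls every package from it,
# and a binary fetched from GitHub is made executable with no verification.
BAD_DOCKERFILE='FROM debian:bookworm
RUN apt-get update && apt-get install -y curl gnupg
RUN curl -fsSL https://repo.vendor.example/key.asc | apt-key add -
RUN echo "deb https://repo.vendor.example/apt stable main" > /etc/apt/sources.list.d/vendor.list
RUN printf "Package: *\nPin: origin repo.vendor.example\nPin-Priority: 1001\n" > /etc/apt/preferences.d/vendor
RUN apt-get update && apt-get upgrade -y
RUN curl -fsSL https://github.com/example/tool/releases/download/v1.0/tool -o /usr/local/bin/tool && chmod +x /usr/local/bin/tool'

# Constructed controlled build (hypothetical registry, package and digest): a
# digest-pinned base image from an internal registry whose apt sources already
# point at an internal mirror, packages at explicit versions, no blanket
# upgrade, and the tool vendored into the build context with a checksum that
# is verified before the image is used.
GOOD_DOCKERFILE='FROM registry.internal.example/debian:bookworm@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
RUN apt-get update \
    && apt-get install -y --no-install-recommends some-package=1.2.3-1 \
    && rm -rf /var/lib/apt/lists/*
COPY tool /usr/local/bin/tool
COPY tool.sha256 /tmp/tool.sha256
RUN cd /usr/local/bin && sha256sum -c /tmp/tool.sha256'

# Read a Dockerfile on stdin and emit one "<rule>: <instruction>" line per
# risky instruction. Rules are deliberately simple regexes over single lines.
lint_dockerfile() {
    while IFS= read -r line; do
        case "$line" in
            FROM*)
                # A tag can be re-pointed by whoever controls the registry;
                # only a digest fixes the base image content.
                printf '%s' "$line" | grep -Eq '@sha256:[0-9a-f]{64}' \
                    || printf 'unpinned-base-image: %s\n' "$line"
                ;;
        esac
        # Remote content piped straight into a shell or into the apt key store.
        printf '%s' "$line" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(sh|bash|apt-key)([[:space:]]|$)' \
            && printf 'pipe-remote-to-shell: %s\n' "$line"
        # A repository outside the distro archive is being added.
        printf '%s' "$line" | grep -Eq 'add-apt-repository|sources\.list' \
            && printf 'third-party-repo: %s\n' "$line"
        # Pinning lets that repository override every distro package.
        printf '%s' "$line" | grep -Eq 'Pin-Priority' \
            && printf 'repo-pin-overrides-distro: %s\n' "$line"
        # A blanket upgrade replaces whatever the pinned repository offers.
        printf '%s' "$line" | grep -Eq 'apt(-get)?[[:space:]]+(dist-|full-)?upgrade' \
            && printf 'blanket-upgrade: %s\n' "$line"
        # A downloaded file is made executable on the same line, with no check.
        printf '%s' "$line" | grep -Eq '(curl|wget).*chmod[[:space:]]+[+]x' \
            && printf 'unverified-binary: %s\n' "$line"
    done
    return 0
}

# Number of findings for a Dockerfile passed as a string.
count_findings() {
    printf '%s\n' "$1" | lint_dockerfile | wc -l | tr -d '[:space:]'
}

echo "== constructed bad Dockerfile: $(count_findings "$BAD_DOCKERFILE") finding(s)"
printf '%s\n' "$BAD_DOCKERFILE" | lint_dockerfile
echo "== constructed good Dockerfile: $(count_findings "$GOOD_DOCKERFILE") finding(s)"
```

Run against the constructed samples, the careless Dockerfile produces six findings (one per instruction that hands control of the image contents to someone else) and the controlled one produces none. The linter is a gate, not a substitute for the process change Hohndel recommends: once apt points at an internal mirror and binaries are vendored into the build context with recorded checksums, the build no longer depends on anything outside resources you have verified, and a build that needs no network at all can be forced to stay that way with Docker's `--network=none` build option, so any stray download fails instead of silently succeeding.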
The point is simple: take control of your containers, and be safe.
Do you comply?