
Hardening Docker Containers

Enhancing and hardening containers is important for several reasons. Here we list common risks and how to approach them.
Photo by Ismo Aro

Container hardening in a nutshell

Container hardening is the process of securing and fortifying containerized applications and their environments so that they are protected against potential attacks and vulnerabilities.

Bundle only what's needed

By including only the necessary software components and dependencies, you reduce the risk of conflicts or compatibility issues. At the same time you keep the attack surface to a minimum: what is not in the image cannot be exploited or misused by an attacker who gets a foothold in the container.

Improved container efficiency

An optimized Docker image with no unnecessary overhead brings several benefits: lower operational costs, better performance and better scalability.

List of container problems where hardening helps

For the reasons above, we have listed some of the most common problems in containerized development together with their solutions:

Problem: Using multiple untrusted external sources as the base of a Docker image increases complexity and creates security problems.
Solution: Unify the Docker images under security-hardened in-house pipelines. This gives developers both the confidence and the safety net needed to make changes, which ultimately increases productivity and job satisfaction.

Problem: Monolithic Docker images are in use, and they are large.
Solution: Use controllably split in-house Docker images with separate pipelines for each layer (i.e. Linux base -> middleware -> applications). This improves the reusability of Docker layers during deployment. Minimize the toolset within the images, using either a traditional slimmed-down base or a distroless approach, to reduce attack vectors. Minimizing container content also shrinks the image, which saves bandwidth, speeds up deployment and aligns with green values.

Problem: Using untrusted sources for Docker images can lead to security problems.
Solution: Harden and scan Docker images within the pipelines so that only hardened, security-tested images are made available.

Problem: Containers run as root at runtime instead of as a non-root user.
Solution: Adopt the CIS (Center for Internet Security) hardening guide.

Problem: Recompiling can produce artifacts with different content.
Solution: Implement a dependency management solution, such as Renovate, and define dependencies in an idempotent (pinned, reproducible) manner.

Problem: Outdated Docker images are running in production.
Solution: Continuously scan the runtime environment and compare it against the latest Docker image artifacts.

Problem: Unsigned Docker images are a security risk.
Solution: Sign Docker images with Docker Content Trust (DCT) so that the publisher's signature can be verified.
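As an added example that is not from the original post, the Dockerfile below shows how several rows of the list above translate into a single build: a base image pinned by digest instead of a floating tag, a multi-stage build that keeps the toolchain out of the production layer, a distroless runtime with a minimal toolset, and a non-root user. The Go service, its path `./cmd/app`, the tag `golang:1.22` and the digest placeholder are assumptions.

```dockerfile
# Added example (not from the original post): hardened multi-stage build for a
# Go service. Image tags, the service path and the digest placeholder are assumed.

# Stage 1: build. The compiler and its dependencies live only in this stage and
# never reach the runtime image. Pinning the base by digest rather than a
# floating tag such as golang:latest means every rebuild starts from the same
# bytes, which is what keeps recompiled artifacts identical.
FROM golang:1.22@sha256:<BASE_IMAGE_DIGEST_PLACEHOLDER> AS build
WORKDIR /src

# Copy the dependency manifests first so that the download layer is reused
# between builds for as long as go.mod and go.sum are unchanged.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# Build a static binary: no libc or dynamic loader is needed at runtime, so the
# runtime image can be a bare distroless one.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: runtime. The distroless "static" image ships no shell, package
# manager or interpreter, which keeps the toolset (and the attack surface)
# minimal. The :nonroot variant already sets USER to uid 65532.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build --chown=nonroot:nonroot /out/app /app

# Restate USER explicitly so the non-root intent is visible to reviewers and to
# image scanners that flag images running as root.
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Replace the digest placeholder with the real `sha256:` digest of the base image you have vetted, and the resulting image will be the artifact that the pipeline scans and signs before it is made available.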

By following these 6 steps in your company, you will ensure a secure, reliable and efficient container platform.

For tailored solutions in container hardening, feel free to contact us!