About Cody Halbleib
Cody Halbleib is a Senior Consultant on the Software team. His family is his partner, Jamie, and his Border Collie mix, Walter.
Containerized applications become more popular every year, in large part because of the role they play in Continuous Delivery: they make deployment of software services fast and repeatable. As containers spread, they are inspiring complementary tools that automate other parts of the development workflow. One of these is Clair, which performs automatic vulnerability scanning of software container images.
Clair identifies known vulnerabilities (CVEs) in the operating-system packages installed in each layer of an image, by matching the package names and versions it finds against the security feeds published by the distributions. It does not inspect the application's own code. The vanilla process for using Clair is as follows:
Clair becomes more interesting when paired with a build server such as Jenkins. With proper configuration, Clair's process becomes:
Clair has a definite place on projects that have a contractual need for security and a continuous delivery pipeline built on software containers. Depending on security needs, Clair can augment traditional vulnerability scanning, and in some cases replace it; bear in mind that it only covers OS packages, not application dependencies, configuration or custom code. Clair itself is free to use, so its cost is setup and maintenance.
Docker is required to follow along with this demonstration. Once Docker is installed, use the Dockerfile below to build an Ubuntu 12.04 (precise) image that contains an OpenSSL package vulnerable to Heartbleed (CVE-2014-0160). Note that the recipe disables certificate checking for the package download; that is tolerable only because this is a throwaway test image, since it would let anyone on the network path substitute the package.
#Dockerfile (deliberately vulnerable image for the Clair demonstration)
FROM ubuntu:precise-20160303
#Install wget
RUN apt-get update
RUN apt-get -f install
RUN apt-get install -y wget
#Install an OpenSSL vulnerable to Heartbleed (CVE-2014-0160)
RUN wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436462/+files/openssl_1.0.1-4ubuntu5.11_amd64.deb --no-check-certificate
#Force the pinned, unpatched package in over whatever the base image ships
RUN dpkg -i openssl_1.0.1-4ubuntu5.11_amd64.deb
After building the insecure image, the next step is to download and install Clair from the Clair repository. The installation used for this demonstration was the Docker Compose setup. Once Clair is running, it can be driven either by querying its REST API directly or through the analyze-local-images tool shipped in Clair's contrib directory, which saves the image locally, serves its layers to Clair over HTTP and prints the findings. Submit the insecure image created above and Clair reports the Heartbleed vulnerability (CVE-2014-0160) against the openssl package.
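As an added example (not code from the original post or from the Clair project), the script below does what the Jenkins pairing described above implies: it submits a layer to Clair's v1 REST API, fetches the expanded vulnerability report, and exits non-zero when any finding is at or above a chosen severity so a pipeline step can block the deploy. It assumes the Compose setup exposes Clair on http://localhost:6060, that the image was built as `docker build -t vulnerable .`, and that the layer tarballs are reachable by Clair over HTTP. The embedded SAMPLE_REPORT is constructed to mirror the v1 response shape for the Heartbleed image; it is not a captured result.

```python
"""Query Clair's v1 API for a layer's vulnerabilities and gate a build on them.

Added example, not the original post's or Clair's own code. Assumes a Clair
instance from the Docker Compose setup listening on http://localhost:6060
(assumption) and layer tarballs that Clair can fetch over HTTP.
"""
import json
import urllib.request

CLAIR_URL = "http://localhost:6060"  # assumption: Clair API port from the compose file

# Clair's severity ladder, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def severity_rank(severity):
    """Map a Clair severity string to a comparable integer; unrecognised strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def submit_layer(layer_name, layer_url, parent_name=None, clair_url=CLAIR_URL):
    """POST one image layer to Clair (v1 API). Clair downloads the tarball from layer_url.

    Layers must be submitted base-first, each naming its parent, so Clair can
    build up the package inventory of the whole image."""
    body = {"Layer": {"Name": layer_name, "Path": layer_url, "Format": "Docker"}}
    if parent_name:
        body["Layer"]["ParentName"] = parent_name
    req = urllib.request.Request(
        clair_url + "/v1/layers",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_report(layer_name, clair_url=CLAIR_URL):
    """GET the top layer with features and vulnerabilities expanded (v1 API)."""
    url = f"{clair_url}/v1/layers/{layer_name}?features&vulnerabilities"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def findings(report):
    """Flatten a Clair layer report into (package, version, cve, severity, fixed_by) tuples."""
    out = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            out.append((
                feature["Name"],
                feature["Version"],
                vuln["Name"],
                vuln.get("Severity", "Unknown"),
                vuln.get("FixedBy", ""),
            ))
    return out


def build_should_fail(report, threshold="High"):
    """True if any finding is at or above the threshold severity.

    Wire this into a Jenkins step: a non-zero exit blocks the deploy."""
    return any(severity_rank(sev) >= severity_rank(threshold)
               for _, _, _, sev, _ in findings(report))


# Constructed sample of a v1 report for the Heartbleed image built above.
# The shape follows Clair's v1 API; the values are illustrative, not a captured response.
SAMPLE_REPORT = {
    "Layer": {
        "Name": "vulnerable-top-layer",
        "NamespaceName": "ubuntu:12.04",
        "Features": [
            {
                "Name": "openssl",
                "NamespaceName": "ubuntu:12.04",
                "Version": "1.0.1-4ubuntu5.11",
                "Vulnerabilities": [
                    {
                        "Name": "CVE-2014-0160",
                        "NamespaceName": "ubuntu:12.04",
                        "Severity": "High",
                        "FixedBy": "1.0.1-4ubuntu5.12",
                    }
                ],
            },
            {
                "Name": "wget",
                "NamespaceName": "ubuntu:12.04",
                "Version": "1.13.4-2ubuntu1",
                "Vulnerabilities": [],
            },
        ],
    }
}

if __name__ == "__main__":
    import sys
    # Against a live Clair, replace SAMPLE_REPORT with fetch_report("<top layer id>")
    # after submitting each layer with submit_layer().
    for pkg, ver, cve, sev, fix in findings(SAMPLE_REPORT):
        print(f"{sev:9} {cve:15} {pkg} {ver} (fixed by {fix or 'n/a'})")
    sys.exit(1 if build_should_fail(SAMPLE_REPORT) else 0)
```

The severity threshold is the knob a pipeline owner tunes: failing on High and above catches Heartbleed without blocking every Negligible advisory in an old base image, while FixedBy tells the developer which package version clears the finding. Clair only scans layers it can download, so in the Compose setup the layer tarballs must be served from a URL the Clair container can reach, which is exactly what analyze-local-images arranges for you.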
Hosted registries such as Docker Hub, Docker Cloud, and Quay Enterprise offer security scanning as part of a paid subscription. The approach shown here gives you automatic scanning in your own pipeline without depending on one of those services. When the demonstration is finished, delete the vulnerable image: open a terminal on Mac/Linux (or MinGW on Windows) and run docker rmi vulnerable.
Clair is just one of the technologies being generated to support containers and Continuous Delivery. We work with organizations to help assess DevOps strategy, processes and tooling, as well as provide best practices to support the successful implementation of DevOps. Read our recent DevOps assessment for a Transportation Data Company to learn more.