In recent weeks, news broke that Docker registry misconfigurations could have exposed countless organizations to data theft and supply-chain attacks, following a discovery by Palo Alto Networks’ Unit 42 researchers.
For background, Docker registries are servers that store and organize Docker container images. They contain grouped application code, dependent libraries and OS files. Because they enable access to business-critical applications and data, it is absolutely essential that they are thoroughly secured. But based on Unit 42’s discovery, this, unfortunately, isn’t always the case.
The researchers discovered that 941 Docker registries were exposed to the internet. In addition, 117 registries could be accessed without authentication. “There were 2,956 repositories and 15,887 tags in these registries,” as well, according to Infosecurity Magazine, and “3,000 applications and almost 16,000 unique versions of these were exposed.”
Many of these registries actually allowed “push” operations, in which cybercriminals could replace legitimate container images in applications with other, altered container images containing back doors. Others allowed hackers to encrypt or completely delete the registries and hold them for ransom. And some let users “pull” and run the container images.
The findings show that security is lagging the move to DevOps, namely that organizations have been deploying Docker registries faster than they have been securing them.
When it comes to application security, container registries and other parts of the CI/CD pipeline should be treated as critical infrastructure. Allowing anonymous users to push new content into a Docker registry or delete existing content is certainly a mistake, and it shows that security isn’t keeping up with the pace of change in those organizations.
After remediating these misconfigurations, companies can add network perimeter defenses to prevent these registries from being remotely accessed, or implement zero-trust authentication for their Docker container registries.
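The quickest way to find out whether one of your own registries is in the state Unit 42 describes is to ask it what an anonymous client can see. The following audit script is an added example written for this article; it is not code from the original post, from Unit 42 or from the Docker registry project. It assumes the registry speaks the Registry v2 HTTP API (it identifies itself with the `Docker-Distribution-Api-Version` header), that `BASE_URL` is a placeholder for a host you operate, and it uses only read-only endpoints (`GET /v2/` and `GET /v2/_catalog`), never push, pull or delete. The `fetch` argument is injectable, and `sample_fetch` is a constructed stand-in for an exposed registry so the logic runs offline.

```python
"""Audit a Docker registry (Registry v2 API) for anonymous access.

Added example, not from the original article, Unit 42 or the registry
project.  BASE_URL is a placeholder; `fetch` is injectable for offline use.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field

BASE_URL = "https://registry.example.internal:5000"  # placeholder host


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


@dataclass
class Finding:
    is_registry: bool = False
    anonymous_api: bool = False      # GET /v2/ answered 200 without credentials
    anonymous_catalog: bool = False  # GET /v2/_catalog listed repositories
    repositories: list = field(default_factory=list)
    risk: str = "unknown"
    advice: list = field(default_factory=list)


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Unauthenticated GET; 4xx/5xx are returned as ordinary responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read())


def sample_fetch(url: str, timeout: float = 5.0) -> Response:
    """Constructed responses imitating an internet-exposed registry with no auth."""
    hdr = {"Docker-Distribution-Api-Version": "registry/2.0"}
    if url.endswith("/v2/"):
        return Response(200, hdr, b"{}")
    if "/v2/_catalog" in url:
        return Response(200, hdr, b'{"repositories": ["app/web", "app/api"]}')
    return Response(404, hdr, b"")


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (proxies often change the casing)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def audit_registry(base_url: str = BASE_URL, fetch=http_fetch) -> Finding:
    """Classify what an anonymous client can see; read-only requests only."""
    f = Finding()
    base = base_url.rstrip("/")
    root = fetch(base + "/v2/")
    f.is_registry = _header(root.headers, "Docker-Distribution-Api-Version").startswith("registry/2.0")
    if not f.is_registry:
        f.risk = "not-a-registry"
        return f
    if root.status == 401:
        # A challenge on the API root means authentication is enforced.
        f.risk = "low"
        f.advice.append("Authentication enforced; still keep the registry off the public internet.")
        return f
    if root.status != 200:
        return f  # unexpected status: leave risk as "unknown"
    f.anonymous_api = True
    cat = fetch(base + "/v2/_catalog?n=100")
    if cat.status == 200:
        try:
            f.repositories = json.loads(cat.body).get("repositories", [])
            f.anonymous_catalog = True
        except (json.JSONDecodeError, AttributeError):
            pass
    f.risk = "high" if f.anonymous_catalog else "medium"
    f.advice += [
        "Require authentication (e.g. the registry's htpasswd or token auth).",
        "Restrict network access: perimeter controls or a zero-trust proxy in front.",
        "Keep deletion disabled unless needed, and review who may push.",
    ]
    return f


if __name__ == "__main__":
    # With no argument, audit the constructed sample; with a URL, audit that host.
    if len(sys.argv) > 1:
        result = audit_registry(sys.argv[1])
    else:
        result = audit_registry("https://sample.invalid", fetch=sample_fetch)
    print(json.dumps(result.__dict__, indent=2))
```

A `high` finding means an anonymous client could enumerate your repositories, which is exactly the precondition for the image-tampering and ransom scenarios above; `medium` means the API root is open but the catalog is not, which still warrants enabling authentication before anything else.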
In addition, after securing the container registry itself, organizations should secure the container images held in those registries. Automated application security testing solutions are the best approach on an ongoing basis. These solutions monitor applications and their components for vulnerabilities and look for risk introduced into the software development lifecycle.
In these cases, it’s better to identify the issues early than to wait until they are exploited by malicious actors. Taking these steps now can prevent catastrophe down the line.