Docker expands its trusted container offerings
We all use container-based images to build applications, but can you trust them? Docker’s expansion of its trusted content offering, the Docker Verified Publisher Program, will make it easier.
Hands up, how many of you build your own container-based applications? Be honest now! The truth is very few people do. It’s just so much easier to grab the pre-made bits and pieces that lie behind the special sauce on top of your application. Unfortunately, those ready-made application images all too often contain security errors. That’s why Docker has expanded and improved its trusted content offerings for software developers with the launch of the Docker Verified Publisher Program.
If, like most people, you’re grabbing container images willy-nilly, stop. From Docker Hub alone there are now 13 billion image pulls per month from nearly 8 million repositories with over 13 million developers.
Now, how many of those images do you think are up-to-date with their content’s security patches? How many are misconfigured? How many of them are just bad? I’ll tell you: too many of them.
Do you know what’s even worse? A few of them have been infected with malware or even come with built-in backdoors. Doesn’t that just give you a warm, fuzzy, safe feeling about grabbing images for production?
Other companies have realized that there’s a real need for trustworthy containerized images. Bitnami, now part of VMware, opened this field. Docker, which shed its container engine and control plane to Mirantis in 2019, has been focusing on improving and securing its Docker Hub, the most popular service for finding and sharing container images.
Thanks to the SolarWinds software supply chain security fiasco, we’ve all had our noses rubbed into the importance of knowing what’s really going on in our code. This updated Docker approach lowers your risk of exposure to malicious content while you build applications. Using reliable content at every stage ensures applications are secure and minimizes time and money spent on resolving security issues.
What Docker Verified Publisher brings to the table is a version of Docker Hub that provides access to Docker differentiated and trusted content. These are application images you can use as reliable building blocks for your applications.
This program has over 200 companies and is growing rapidly. Datadog, Red Hat, and VMware are the latest three software publishers to join. It also includes popular developer components from Bitnami and VMware’s Spring software, Red Hat Universal Base Images (UBI) and Canonical Ubuntu.
Besides being a trusted content distributor for other independent software vendors, Docker also announced the availability of Docker Official Images in public and private registries from Amazon Web Services and Mirantis.
Besides being able to download these trusted images to your own servers and private clouds, you can download these images from several registries including Amazon Elastic Container Registry Public Gallery and Mirantis Secure Registry.
“We are thrilled to announce the Docker Verified Publisher Program’s availability to even more publishers and the distribution of Docker Official Images to even more developers through even more registries,” said Docker CEO Scott Johnston. “This greatly expands choice for developers to complement Docker Official Images and solidifies the Docker platform and Docker Hub as the de facto standard for trusted, secure container images.”
Michael Gerstenhaber, Datadog’s Senior Director of Product Management, added, “More than half of applications run on containerized infrastructure, and Docker Hub is the primary source for container images, according to our published studies. It is critical that we provide a secure and robust source for our images, and we are excited to be recognized as a Docker Verified Publisher. You can find any Datadog image to start securely monitoring the performance of your infrastructure and applications.”
Sounds like somewhere you’d want to go for safe components for your own programs, doesn’t it? And, if you want to join the Docker Verified Publisher Program, you can. Given Docker’s popularity, this could be a very smart move for ISVs.