
20 Docker Security Tools Compared, Part 2

Looking for a new tool to help secure your Docker environments? Read on for a look at ten great choices that range from open source to paid solutions.

Welcome back! If you missed Part 1 (and the 12 Docker security solutions enumerated therein), you can check it out here!

Notary

Homepage:https://github.com/docker/notary

License: Open Source

Use Cases: Trusted image repository, trust management, and verifiability.

Image forgery and tampering are major security concerns for Docker-based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted publishers and create signed collections, much like the package-signing machinery behind the software repositories of modern Linux distributions, but for Docker images.

Notary's goals include guaranteeing image freshness (clients get the most up-to-date content and cannot be served stale, known-vulnerable versions), trust delegation between users, and trusted distribution over untrusted mirrors or transport channels.

OpenSCAP

Homepage: https://www.open-scap.org/

License: Open Source.

Use Cases: Compliance and audit, certification.

OpenSCAP provides a suite of automated audit tools to examine the configuration and known vulnerabilities of your software, following the NIST-maintained Security Content Automation Protocol (SCAP).

You can create your own custom assertions and rules and routinely check that any software deployed in your organization strictly abides by them.

This set of tools is not only focused on security itself, but also on providing the formal tests and reports that you may need to meet an official security standard.

Docker context: The OpenSCAP suite provides a Docker-specific tool oscap-docker to audit your images, assessing both running containers and cold images.

REMnux

Homepage: https://remnux.org/

License: Open Source.

Use Cases: Forensics.

A security-oriented distribution based on Ubuntu. REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software, work commonly grouped under forensics. As you can guess, this system bundles a vast amount of pre-installed analysis and security tools: Wireshark, ClamAV, tcpxtract, the Rhino debugger, Sysdig, vivisect... just to name a few.

REMnux aims to be the Swiss Army knife that you carry around on a USB stick in case you suspect any of your systems have been compromised.

Docker context: The REMnux project conveniently provides several of its integrated security tools as Docker containers, so you can instantly launch difficult-to-install security applications when you most need them.

SELinux

Homepage: https://selinuxproject.org

License: Open Source.

Use Cases: Runtime protection, Mandatory Access Control (MAC).

Security-Enhanced Linux (SELinux) is a Linux kernel security module. Like AppArmor, with which it is often compared, it is a Mandatory Access Control (MAC) system. SELinux provides security capabilities ranging from mandatory access controls to mandatory integrity controls, role-based access control (RBAC), and a type enforcement architecture.

SELinux has a reputation for being particularly complex but powerful, fine-grained and flexible.

Docker context: Similarly to AppArmor, SELinux offers an extra layer of access policies and isolation between the host and the containerized apps.

Seccomp

Homepage: https://www.kernel.org

License: Open Source.

Use Cases: Runtime protection, syscall filtering (sandboxing).

Seccomp is not so much a tool as a sandboxing facility in the Linux kernel. You can think of it as an iptables-style rules-based firewall, but for system calls. Since Linux 3.5, the filter mode (seccomp-bpf) uses Berkeley Packet Filter (BPF) programs to inspect each syscall (its number, architecture and arguments) and decide how it is handled: allowed, failed with an errno, traced, or the calling process killed.

With Seccomp, you can selectively choose which syscalls are forbidden or allowed for each container. For example, you can forbid file-permission manipulations inside your container by denying the chmod family of syscalls (chmod, fchmod, fchmodat).

You may have noticed the similarities with Falco: both are closely tied to the Linux syscall API. This article compares these two solutions (along with AppArmor and SELinux). TL;DR: unlike the others, Falco integrates rich, high-level, container-specific context to build its rules.

Docker context: Docker Engine has shipped a default seccomp profile since version 1.10. Profiles are written in Docker's own JSON-based DSL and compiled to seccomp filters; the default profile is an allow-list that disables a few dozen syscalls, and you can supply your own with docker run --security-opt seccomp=<profile.json> (or disable filtering entirely with seccomp=unconfined). One caveat: seccomp filters syscalls, not capabilities, so pair it with dropping capabilities rather than treating it as a substitute.
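The following is an added example, not code from the article or from Docker: it shows the kernel mechanism the Docker profile compiles down to, by installing a seccomp-BPF filter in the current process that fails the chmod family (chmod, fchmod, fchmodat, and fchmodat2 where the headers define it) with EPERM while allowing everything else. The function names install_chmod_filter and try_chmod are my own; the program assumes a Linux host with the kernel UAPI headers and runs on x86_64, i386 or aarch64.

```c
/* seccomp-BPF filter that denies permission-changing syscalls with EPERM.
 * Added example, not part of the article. Linux only; needs linux/*.h headers.
 * Build: cc -O2 -o seccomp_demo seccomp_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* older headers */
#endif

/* Syscalls that change file permission bits. Not every one exists on every
 * architecture (aarch64 has no chmod, only fchmodat), hence the #ifdefs. */
static const unsigned int denied_syscalls[] = {
#ifdef __NR_chmod
    __NR_chmod,
#endif
#ifdef __NR_fchmod
    __NR_fchmod,
#endif
#ifdef __NR_fchmodat
    __NR_fchmodat,
#endif
#ifdef __NR_fchmodat2
    __NR_fchmodat2,
#endif
};

/* Install the filter in the calling process (children inherit it):
 * kill on architecture mismatch, EPERM for the denied list, allow the rest.
 * Returns 0 on success, -1 with errno set on failure. */
int install_chmod_filter(void)
{
    const size_t n = sizeof denied_syscalls / sizeof denied_syscalls[0];
    struct sock_filter prog[5 + 2 * n];
    size_t i = 0;

    /* 1. Refuse a foreign ABI (e.g. i386 syscalls on an x86_64 kernel), where
     *    the syscall numbers we compare against would mean something else. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* 2. Load the syscall number and compare it against each denied entry. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* jt=0: fall through to the EPERM return; jf=1: skip it. */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied_syscalls[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }

    /* 3. Default: allow. Docker's default profile is the opposite shape, an
     *    allow-list whose final rule is an error return. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };

    /* Without CAP_SYS_ADMIN the kernel requires no_new_privs before a filter
     * may be installed; it also keeps setuid binaries from escaping the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Probe: create a temp file and try to change its mode.
 * Returns 0 if fchmod succeeded, otherwise the errno it produced. */
int try_chmod(void)
{
    char path[] = "/tmp/seccomp-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    int err = (fchmod(fd, 0600) == 0) ? 0 : errno;
    close(fd);
    unlink(path);
    return err;
}

int main(void)
{
    printf("before filter: fchmod -> errno %d\n", try_chmod());
    if (install_chmod_filter() != 0) {
        perror("install_chmod_filter");
        return 1;
    }
    printf("after filter:  fchmod -> errno %d (EPERM is %d)\n", try_chmod(), EPERM);
    return 0;
}
```

The same policy expressed in Docker's JSON DSL is a rule listing the syscall names under "names" with "action": "SCMP_ACT_ERRNO", passed to docker run --security-opt seccomp=profile.json. Note that the filter is inherited by every child process and cannot be removed, which is exactly what you want for a container's init process, and that the architecture check is not optional: without it a process could issue 32-bit syscalls on a 64-bit kernel and bypass number-based rules.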

StackRox

Homepage: https://www.stackrox.com

License: Commercial.

Use Cases: Runtime protection, machine learning, pre-production analysis.

StackRox's feature set revolves around the concepts of "adaptive security" and auto-discovery of components and behaviors. Highly focused on machine learning, StackRox aims to provide security that evolves with your platform.

StackRox provides the usual features of commercial security platforms, like cold image scanning or default security profiles à la SELinux.

StackRox understands the containers and images in your environment but cannot enforce policies based on the services defined by your orchestrator. It focuses more on pre-production and run-time workloads than on forensics and incident response.

Sysdig Secure

Homepage: https://www.sysdig.com/product/secure

License: Commercial

Use Cases: Runtime security, forensics and audit, hybrid environments (containers and traditional deployment), performance monitoring and troubleshooting, available both as SaaS and on-prem.

Sysdig Secure is a powerful run-time security and forensics solution for your containers and microservices. Secure is part of the Sysdig Container Intelligence Platform and, like the rest of the family, comes out of the box with deep container visibility and integration with container orchestrators, including Kubernetes, Docker, AWS ECS, and Mesos.

Sysdig Secure protects your entire infrastructure: containers and hosts as well as the logical services that run on top of them. Sysdig Secure also provides full-stack forensics capabilities for pre- and post-attack investigation.

Sysdig also provides full performance monitoring and troubleshooting for your environment: a single instrumentation point serves both monitoring and security, with no added overhead.

Sysdig

Homepage: https://www.sysdig.org/

License: Open source, commercial products built on top of the free technology.

Use Cases: Anomalous behavior debugging, forensics.

Sysdig is a full-system exploration, troubleshooting, and debugging tool for Linux systems. It records all system calls made by any process, allowing system administrators to debug the operating system or any processes running on it.

Sysdig has a command-line interface with a syntax similar to tcpdump and an ncurses interface (csysdig) to visually navigate and filter through the events, in a similar fashion to htop or Wireshark. The system call capture files allow you to perform forensics on your containers even if they are long gone.

Tenable FlawCheck

Homepage: https://www.tenable.com/flawcheck

License: Commercial.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Tenable, the company perhaps best known for the Nessus security scanner, acquired FlawCheck, a container-focused security solution.

FlawCheck, like other commercial tools in this list, stores container images and scans them as they're built, before they can reach production. FlawCheck leverages Tenable/Nessus know-how and database of vulnerabilities, malware and intrusion vectors, and adapts it to containerized and agile CI/CD environments.

Twistlock

Homepage: https://www.twistlock.com/

License: Commercial.

Use Cases: Pre-production analysis, runtime protection, compliance & audit, etc.

A commercial security suite built to support containerized environments: vulnerability management, access control, and standards compliance based on image scanning.

Twistlock integrates with your continuous integration/continuous delivery pipeline, providing native plugins for popular tools like Jenkins or TeamCity as well as callable webhooks, so you can trigger the indexing and scanning process for every build and testing environment. Twistlock is known for its popular scanning technology, but its run-time security only enforces actions against containers, not against their underlying hosts or orchestrated services.


We hope you find this Docker security tools list useful. If you have suggestions or additional tools we should add, feel free to ping us at @sysdig or reach us on the Sysdig community Slack group.

Topics:
security ,docker security ,container security

Published at DZone with permission of