What We Can Learn from the Docker Data Breach
Potentially 190,000 of approximately 1 million DockerHub user records were breached. Attackers are suspected to have obtained tokens that gave them the ability to alter or disrupt GitHub-based automatic build processes.
Here is my take:
Did Docker Respond Quickly and Appropriately?
This is a hard one. A good response is one where the affected vendor instantly comes clean by explaining exactly what happened, what data was lost, and how this will be prevented in the future. If Docker truly responded within 24 hours of learning about the breach, then this is still within the boundaries of what is reasonable.
For How Long Has this Been Going On?
To me, this is the key question to ask Docker now. Docker told the public when they found out about the breach; however, we need to know whether Docker managed to determine the exact time at which these accounts were breached. Here you can take a look at Docker's official statement from April 29, 2019.
How Could this Happen?
Docker says that non-certified container images were responsible for the breach and is encouraging the use of certified images only. And this is the crux: if you are using uncertified container images, from any source, you are risking bad things happening.
What Docker Should Do
I believe simple two-factor authentication for DockerHub would at least contain the risk of this happening again. Kicking uncertified images off DockerHub would take away a lot of its appeal. Therefore, I hesitate to slam Docker too much for this breach.
What You Should Do
Simple: you should only allow certified container images to be part of your build process. Enforcement needs to be automatic, so that your build pipeline rejects unsigned components without human intervention. If developers want to play with these unsigned components outside of your DevOps pipeline, that is a different story, and an isolated development environment would be the best place for it.
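An added example (not code from the original article) of the kind of automated gate such a pipeline could run before every build: a Python check that parses a Dockerfile and rejects any base image that is not from an approved source or not pinned by a sha256 digest. The approved-source list, the registry names and the sample Dockerfile are constructed assumptions; in production this would sit alongside signature verification such as Docker Content Trust (DOCKER_CONTENT_TRUST=1) rather than replace it.

```python
import re
from typing import List

# Constructed policy (assumption, not from the article): image name prefixes that
# the organisation treats as approved. Everything else fails the gate.
ALLOWED_PREFIXES = ("docker.io/library/", "registry.example.com/approved/")

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)


def normalize(ref: str) -> str:
    """Expand Docker Hub short names: 'python' -> 'docker.io/library/python'."""
    if "/" not in ref:
        return "docker.io/library/" + ref
    first = ref.split("/")[0]
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + ref
    return ref


def check_dockerfile(text: str) -> List[str]:
    """Return policy violations for every FROM line; an empty list means the build may proceed."""
    violations: List[str] = []
    stages = set()  # aliases of earlier build stages; referencing them is fine
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref != "scratch" and ref not in stages:
            full = normalize(ref)  # an unresolved ${ARG} also lands here and is rejected
            if not full.startswith(ALLOWED_PREFIXES):
                violations.append(f"line {lineno}: {ref} is not from an approved source")
            if not DIGEST_RE.search(full):
                violations.append(f"line {lineno}: {ref} is not pinned by sha256 digest")
        if alias:
            stages.add(alias)
    return violations


PINNED = "sha256:" + "0123456789abcdef" * 4  # constructed placeholder digest (64 hex chars)
SAMPLE_DOCKERFILE = f"""\
FROM docker.io/library/python:3.9@{PINNED} AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM randomuser/helper:latest
COPY --from=builder /app /app
FROM builder AS final
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKERFILE
    problems = check_dockerfile(src)
    print("\n".join(problems) or "OK: all base images approved and digest-pinned")
    raise SystemExit(1 if problems else 0)
```

Run with a Dockerfile path as the single argument; a non-zero exit status is what lets a CI job fail the build automatically.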
Bottom Line
When using a public container registry or any other public assets for your build pipeline, you need to have your own security checks and balances in place to protect your company. Going to your boss and pointing fingers at Docker will not get you far. Docker itself is providing a great service that 1 million users benefit from, and as long as we use it with care instead of blind trust, this is a good thing.
More Opinions from the Trenches: Please Read: https://news.ycombinator.com/item?id=17062288
The original article appeared on my blog: https://www.linkedin.com/pulse/docker-data-breach-what-we-learn-from-public-reaction-torsten-volk/?published=t