Docker continues to release additions to its software and infrastructure. On Nov. 16, the company announced new security enhancements that safeguard and protect Dockerized distributed applications—without impacting the developer’s workflow.
Unveiled during the company’s keynote address at DockerCon EU, the security enhancements, built on top of the Docker Content Trust framework, center on hardware signing of container images, which directly addresses the trust and integrity of application content, according to David Messina, vice president of marketing for Docker.
“Docker Content Trust’s hardware signing is the world’s first touch-to-sign code signing system using YubiKeys, enabling secure software creation for Docker developers, sysadmins and third-party ISVs,” he said.
The Docker Content Trust framework enables developers to control verification of the image publisher, and it offers security for software distribution. The capabilities will make sure that the publisher of the content is verified, the chain of trust is protected, and containerized content is verified via image scanning, according to the company’s press release.
“We’ve enabled developers and IT Ops to benefit from a more secure environment, without having to learn a new set of commands or to be trained on a deep set of security principles,” said Solomon Hykes, CTO and chief architect of Docker. “Docker security works as part of an integrated component without any disruption to developer productivity while providing IT with the appropriate level of security controls.”
The hardware signing is possible through support for Yubico’s YubiKey, a hardware token that provides content security for containers. The YubiKey works “in unison with Docker Content Trust and is implemented to work within a user’s existing workflow, without requiring users to learn a new set of commands,” said Messina.
With YubiKey 4, Docker developers can sign or encrypt code digitally during initial development, and they can protect the code against malware or other attacks, according to the company’s announcement. This allows organizations to be sure that no untrusted party has accessed the containerized code in the process.
“Docker Content Trust and digital signing can be implemented by developers by simply typing a command and inserting a hardware key; their workflow is not interrupted, ensuring productivity without compromising security,” said Messina.
Additionally, Docker is offering a secure service for its Official Repos, which is a collection of repositories. It provides direct visibility into the content security of ISV software, and if there is an issue, the ISV can fix vulnerabilities to upgrade the security profile of their content.
“The end result is that developers can rely on Official Repos as a curated source for secure, high-integrity content,” said Messina.
Hardware signing is available in Docker Experimental and Notary 0.1. Image scanning and vulnerability detection are available for all Official Repos on Docker Hub, and Official Repos have been signed and scanned by Docker.