High-risk vulnerabilities such as the recent Spring vulnerability have been appearing frequently. To help users find and reduce the security risks in their images, and so lower the potential security risk in production environments, Alibaba Cloud Container Image Service Enterprise Edition (ACR EE) offers a free trial of the Cloud Security scan engine from 00:00 on April 1, 2022 to 24:00 on April 15, 2022. The trial supports up to 10,000 scans of distinct image versions (distinguished by image digest; the same digest is scanned only once). If the feature is not enabled by default on your current Enterprise Edition instance, you can submit a ticket to request it (address: selfservice.console.aliyun.com/ticket/cate…). Through its in-depth cooperation with Cloud Security, ACR EE fully supports scanning container images for system vulnerabilities, application vulnerabilities, baseline checks, and malicious samples, and provides continuous risk detection and automatic repair capabilities.

The importance of container security

As cloud adoption in enterprises grows, more and more enterprises are choosing container architectures for their production environments. According to the report [1] released by CNCF in 2020, the proportion of enterprises running containers in production rose from 84% the previous year to 92% in 2021. Gartner predicts [2] that 95% of enterprises will be built on cloud native platforms by 2025. iResearch's Research Report on the Chinese Container Cloud Market shows that 84.7% [3] of Chinese enterprises (43.9% already using and 40.8% planning to use) had adopted or planned to adopt containers in 2020. Likewise, security built into software development is becoming an important indicator of an enterprise's DevOps maturity: 48% [4] of teams that practice DevOps rate security features as what they value most.

However, because container applications are agile, flexible, densely deployed, and openly reused, users have serious security concerns even as they enjoy the benefits of cloud native. Tripwire's 2019 survey of 311 IT security professionals found that 60% of organizations had experienced a container security incident [5], whether a Kubernetes cluster intrusion or one of Docker Hub's frequent exposures of images containing vulnerabilities and malicious programs. As a result, more and more enterprises are paying attention to container security best practices.

Alibaba Cloud Container Image Service Enterprise Edition

Alibaba Cloud Container Image Service Enterprise Edition (ACR EE for short) is an enterprise-grade management platform for cloud native application artifacts, providing secure hosting and efficient distribution of container images, Helm Charts, and other OCI artifacts. In DevSecOps scenarios, enterprise customers can use the ACR cloud native application delivery chain to deliver cloud native applications efficiently and securely and to accelerate innovation iterations. In scenarios of global multi-region collaboration, businesses going abroad, and businesses entering China (GoChina), enterprise customers can use the global synchronization capability together with a globally unified domain name to access the nearest copy, improving distribution and operations efficiency. In large-scale distribution and AI training and inference scenarios with large images, enterprises can use ACR P2P distribution or on-demand distribution to further speed up deployment iterations. Check the details: www.aliyun.com/product/acr

What is an enhanced scan engine?

The enhanced scan engine is the result of in-depth cooperation between ACR EE and Cloud Security Center. Compared with the popular open source scan engines (Clair, etc.), it provides more accurate vulnerability identification: every vulnerability is curated by a professional security team to ensure validity, which significantly reduces the false positive rate. In addition, ACR EE provides batch and automatic scanning, supports scan scopes of different granularity (namespace and repository), and supports automatic, large-scale scanning for different scenarios. ACR EE also provides event notification, which enables integration with customers' existing DevOps processes.

The scan engine detects the following categories of risk:

• System vulnerabilities: Identifies vulnerabilities in common mainstream operating systems and supports one-click repair. Examples: Linux kernel vulnerabilities, insecure system software packages, and insecure Java SDKs.

• Application vulnerabilities: Scans the applications in an image for vulnerabilities in container-related middleware, and detects weak passwords in system services, system service vulnerabilities, and application service vulnerabilities. Examples: the fastjson remote code execution vulnerability, the Apache Log4j2 remote code execution vulnerability, the Spring Framework remote code execution vulnerability, the Apache Hadoop information disclosure vulnerability, the Apache Tomcat information disclosure vulnerability, etc.

• Baseline check: Provides an image security baseline check that scans for baseline security risks in your container assets, covering weak passwords, password policies, account permissions, access control, security auditing, and intrusion-prevention configuration for supported operating systems and services (databases, server software, containers, etc.). It reports the check results together with hardening suggestions for risky configurations. Examples: Access Key leakage, unauthorized access, and insecure service configuration.

• Malicious samples: Detects malicious samples, shows the container security threats in your assets, and helps you locate each sample so that you can remove it, greatly reducing the security risk of using containers. Examples: backdoor (Webshell) files, self-mutating Trojans, backdoor programs, etc.

How do I enable an enhanced scan engine?

  1. On the Enterprise Edition Instance Management page, choose Security and Trust > Image Scan and click the Switch button in the upper right corner to switch the scan engine to the Cloud Security scan engine. As shown below:

  2. Create scan rules on the Image Scan page. Currently, automatic scan rules are supported at namespace and repository scope. Alternatively, you can manually trigger a scan to identify all risks in the existing images within the rule's scope. It is recommended that you configure scan event notification so that the scan results are synchronized via DingTalk, HTTP, or HTTPS after the image scan completes.

  3. After the scan rule is created, click Scan Now to view the scan task status and the final risk status.

  4. Click View Details to confirm the security risks of the container image across multiple dimensions: system vulnerabilities, application vulnerabilities, baseline checks, and malicious samples. As shown in the figure below, the recent Spring vulnerability and other high-risk vulnerabilities contained in the image have been analyzed and identified.

  5. At the same time, the configured DingTalk bot receives the corresponding notification and alert (HTTP/HTTPS notification is also supported).

Cloud native application delivery chains help enterprises implement DevSecOps

In addition to deep risk identification and repair of container images, ACR EE provides cloud native application delivery chain capabilities with flexible security policies to ensure that artifacts are delivered online securely and efficiently. Each stage of the cloud native application delivery chain can also be integrated into your CI/CD processes (Jenkins Pipeline, GitLab Runner, etc.).

1. Upgrade the Enterprise Edition instance to the Advanced specification. On the Instance Overview page, choose Cloud Native Delivery Chain > Delivery Chain, and click Create Delivery Chain. On the security scan node, configure the chain to block subsequent delivery of the container image when a high-risk vulnerability is found. You can choose to delete the original risky image or back it up.

2. When a container image containing high-risk vulnerabilities is pushed within the scope of the delivery chain, a security scan is triggered automatically and the security policy is enforced, blocking the deployment of the risky image.

3. If the image has a system vulnerability, it can be fixed with one click after the delivery chain is blocked:

• The delivery chain is interrupted.

• Review all risk items and click One-Click Repair.

• Wait for the image fix to complete. By default, once the fix completes, a new image whose tag ends in _fixed is built and the delivery chain is executed again.

• After the repaired image is scanned, the previous vulnerabilities are no longer present and the delivery chain completes successfully. You can also compare the risk status of the original image and the repaired image on the image version page.
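The two integration points described above, the scan event notification (step 2 of enabling the engine) and the delivery-chain security policy that blocks risky images, are easiest to reason about with a concrete gate. The following Python module is an added example, not ACR EE's own code, and the event layout it consumes (`repository`, `tag`, `digest`, `findings` with `category`, `severity`, `fixable`) is an assumed shape constructed for illustration, not the product's documented notification schema. All identifiers in the sample event are placeholders. It shows how a CI/CD step receiving such a notification could decide whether to block delivery, which findings the one-click repair could address, the `_fixed` tag convention, and digest-based deduplication so the same image digest is not submitted for scanning twice.

```python
"""Policy gate over a container image scan event (added example, assumed schema)."""
from collections import Counter
from typing import Dict, List, Tuple

# Severity ordering used by the policy; the strings are an assumption.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample event. Names, ids and the digest are placeholders.
SAMPLE_EVENT = {
    "repository": "example-ns/example-app",
    "tag": "v1.2.3",
    "digest": "sha256:" + "0" * 64,
    "findings": [
        {"category": "system", "id": "PLACEHOLDER-OS-001", "severity": "medium", "fixable": True},
        {"category": "application", "id": "PLACEHOLDER-APP-001", "severity": "high", "fixable": False},
        {"category": "baseline", "id": "PLACEHOLDER-BASELINE-001", "severity": "high", "fixable": False},
        {"category": "malicious", "id": "PLACEHOLDER-MAL-001", "severity": "critical", "fixable": False},
    ],
}

# A second constructed event with only a medium system finding, to show the allow path.
CLEAN_EVENT = {
    "repository": "example-ns/example-app",
    "tag": "v1.2.4",
    "digest": "sha256:" + "1" * 64,
    "findings": [
        {"category": "system", "id": "PLACEHOLDER-OS-002", "severity": "medium", "fixable": True},
    ],
}


def summarize(event: Dict) -> Counter:
    """Count findings per category (system / application / baseline / malicious)."""
    return Counter(f["category"] for f in event["findings"])


def evaluate(event: Dict, block_at: str = "high", block_on_malicious: bool = True) -> Tuple[bool, List[str]]:
    """Decide whether delivery may continue.

    Returns (allow, reasons). A finding blocks delivery when its severity is at
    or above `block_at`; malicious samples block regardless of severity when
    `block_on_malicious` is set, mirroring a "block on high risk" policy node.
    """
    threshold = SEVERITY_RANK[block_at]
    reasons: List[str] = []
    for f in event["findings"]:
        rank = SEVERITY_RANK.get(f["severity"], 0)
        if f["category"] == "malicious" and block_on_malicious:
            reasons.append(f"malicious sample {f['id']}")
        elif rank >= threshold:
            reasons.append(f"{f['category']} {f['id']} severity {f['severity']}")
    return (len(reasons) == 0, reasons)


def fixable_findings(event: Dict) -> List[str]:
    """Ids of findings marked repairable, i.e. candidates for a one-click repair."""
    return [f["id"] for f in event["findings"] if f.get("fixable")]


def fixed_tag(tag: str) -> str:
    """Tag of the rebuilt image after repair, following the _fixed suffix convention."""
    return f"{tag}_fixed"


class ScanBudget:
    """Tracks a scan quota where each distinct digest counts once."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.seen: set = set()

    def should_scan(self, digest: str) -> bool:
        """True if this digest is new and the quota is not exhausted; records it."""
        if digest in self.seen or len(self.seen) >= self.limit:
            return False
        self.seen.add(digest)
        return True

    def remaining(self) -> int:
        return self.limit - len(self.seen)


if __name__ == "__main__":
    allow, why = evaluate(SAMPLE_EVENT)
    print("summary:", dict(summarize(SAMPLE_EVENT)))
    print("allow delivery:", allow)
    for r in why:
        print("  blocked by:", r)
    print("one-click repair candidates:", fixable_findings(SAMPLE_EVENT))
    print("repaired image would be tagged:", fixed_tag(SAMPLE_EVENT["tag"]))
```

In a pipeline, the webhook receiver would call `evaluate` on each incoming event and fail the stage when `allow` is false, then push the repaired image under the `_fixed` tag so the chain runs again; `ScanBudget` is the same digest-once rule stated for the trial quota, applied client-side before submitting a scan request.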

Appendix

[1] Cloud Native Survey 2020 www.cncf.io/blog/2020/1…

[2] Gartner: Cloud will become the core of the new digital experience www.gartner.com/cn/newsroom…

[3] China Container Cloud Market Research Report 2020 – iResearch Cloud Native Series (1) www.iresearch.com.cn/Detail/repo…

[4] China Enterprise Application Development Research 2020 – iResearch Cloud Native Series (2) www.iresearch.com.cn/Detail/repo…

[5] 60% of Organizations Suffered a Container Security Incident in 2018, Finds Study www.tripwire.com/state-of-se…