Understanding the Quality of Container Security Vulnerability Detection Tools

by Omar Javed, et al.

Virtualization enables the information and communications technology industry to manage computing resources more effectively. Improvements in virtualization approaches, together with the need for a consistent runtime environment, lower overhead and smaller package size, have led to the growing adoption of containers: a technology that packages an application, its dependencies and Operating System (OS) to run as an isolated unit. However, a pressing concern with the use of containers is their susceptibility to security attacks. Consequently, a number of container scanning tools are available for detecting container security vulnerabilities. In this study, we therefore investigate the quality of existing container scanning tools by proposing two metrics that reflect coverage and accuracy. We analyze 59 popular public container images for Java applications hosted on DockerHub using different container scanning tools (such as Clair, Anchore, and Microscanner). Our findings show that the existing container scanning approach does not detect application package vulnerabilities. Furthermore, existing tools do not have high accuracy, since 34 performing tool. Finally, we also demonstrate the quality of Docker images for Java applications hosted on DockerHub by assessing the complete vulnerability landscape, i.e., the number of vulnerabilities detected in the images.

