I'm excited to share the work of my student @bhangu_kaur, co-supervised with Aiman Hanna @GinaCodySchool:

"An Analysis of Security Vulnerabilities in Container Images for Scientific Data Analysis"

https://arxiv.org/abs/2010.13970 

1/n
Containers are great tools to run data analyses on HPC clusters, but they contain a lot of software that might be exploited to attack systems. We certainly don't want our containers to be entry points for bitcoin miners or data thieves!

2/n
This pre-print looks at security vulnerabilities present in container images available in @BIDSstandard apps and @BoutiquesTools, using 4 different vulnerability scanners: @vuls_en @anchore, Clair @containerlinux and @SingularityApp tools.

3/n
We found an average of 460 vulnerabilities per image, including many of high severity and a few of critical severity. That's a lot of possible security breaches!

4/n
Good news though: about 2/3 of the vulnerabilities are removed by package update:

5/n
Removing unused packages is also quite useful. We used ReproZip to identify such packages, but it requires running actual analyses in the image. So not very convenient or scalable.
6/n
Surprisingly, different scanners report different vulnerability sets, with Jaccard coefficients as low as 0.6. This is due to different interpretations of vulnerability types and statuses. For instance, should we care about vulnerabilities in library headers?
7/n
One thing is for sure: images based on Alpine Linux contain less vulnerabilities than images based on CentOS, Debian or Ubuntu. This is simply because Alpine Linux comes with fewer packages than other distributions. Well done @alpinelinux!
8/n
A few recommendations to build more secure container images:
* Introduce software dependencies cautiously
* Use lightweight base images such as @alpinelinux
* Use OS releases with long-term support
* Run vulnerability scanners during continuous integration
9/n
Also, update images regularly... but wait, isn't it going to break reproducibility? Yes, it might (sigh). Follow @g_kiar's and @ASalar007's work for more updates on that front.
10/n
The amount of security vulnerabilities found in containers is worrying. As a community, we should make our analyses robust to software updates, and use the latest security fixes. Let's not panic though: good old password cracking is probably still more dangerous!
11/n
Congrats to @bhangu_kaur for putting that work together! And thanks to Aiman Hanna, for providing all the background on security, to @mathdugre, for helping out with the experiments, and to you, for reading this thread to the end!
12/12
You can follow @TristanGlatard.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more