Many software and cloud platforms rely on the use of containerization, a modern technique for deploying multiple software services quickly, securely, and efficiently on large-scale cloud computing resources such as Microsoft Azure and Amazon Web Services (AWS). Platforms such as DockerHub provide an online repository of over 100,000 ready-to-deploy containers that are widely used in many of today’s modern software platforms. While this is very convenient for development teams, many of these containers can have vulnerabilities that, if left unmanaged, can introduce vulnerabilities into the enterprise software stack. Recent security issues such as log4j vulnerability and the Orion solar winds These attacks highlight growing concerns about software supply chain security, dependencies created by development teams on third-party software, and the implications of identifying and subsequently remediating these vulnerabilities.
As part of our CSC3 research, Alan Mills, Jonathan White And Phil Legg, have developed a suite of Docker security visualization and remediation tools: OGMA and BORVO. The suite of tools allows developers and security teams to quickly identify vulnerabilities against various container security scanning platforms. Results from existing analysis tools can often differ or conflict. Our overall approach therefore helps provide a unified analysis for resolving conflicts and provides a visual means for in-depth review of results. Our approach also provides a more intuitive risk assessment that considers the true impact of vulnerabilities, such as how easily the vulnerability could actually be exploited by external or internal actors. Additionally, the suite also provides developers with an informed assessment on how to resolve security issues while preserving intended container-dependent software functionality.
Our research paper “OGMA: Visualization for Software Container Security Analysis and Automated Remediation” has been peer-reviewed and accepted for IEEE Cybersecurity and Resilience Conference where the work will be presented and published at the end of July. We will also share our ideas in our related presentation on “Securing the Supply Chain – Practicality vs. Paranoia” at the upcoming conference. BSides Cheltenham conference this weekend, which is a community-organized event for the regional cybersecurity industry and enthusiasts, and follows our software supply chain security lightning conference given at CYBERUK 2022 earlier this year. Both OGMA and BORVO are released as open source applications that we have made available to the broader research community, to facilitate the investigation and remediation of software vulnerabilities in containerized applications. For more details, including how to download and use the tools, please visit our GitHub page.