Posts by: Diogo Mónica

Diogo Mónica

The Docker platform and the container have become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator. Orchestrators are responsible for critical clustering and scheduling tasks, such as managing container scheduling and resource allocation, supporting service discovery and hitless application deploys, and distributing the necessary resources that applications need to run. Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment make securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect…

Security is one of the most important topics in the container ecosystem right now, and over the past year, our team and the community have been hard at work adding new security-focused features and improvements to the Docker platform.

Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content. Today we’re incredibly excited to announce the support of hardware-based signing in Notary and Docker experimental.

Image Signing and Verification using The Update Framework (TUF)

A common request that we’ve heard from the Docker community is the need to have strong cryptographic guarantees over what code and what versions of software are being run in your infrastructure. This is an absolute necessity for secure and auditable production deployments. To answer these needs, we are excited to announce a new feature in 1.8 called Docker Content Trust, which integrates The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

I wanted to follow up on our recent security blog post on May 5th introducing the CIS Benchmark and our Docker white paper. Having the documents is useful; however, the ability to easily put these benchmarks into practice is equally important. To do that I built the Docker Bench for Security, which automates validating a host’s configuration against the CIS Benchmark recommendations. This is the first of many planned tools we aim to bring to the Docker user community for checking and improving the security of their deployments. You can run the Docker Bench for Security as a…

Nathan McCauley and I have been working on a bunch of things since joining Docker. One area that we noticed is lacking is the availability of information around Docker architecture and best practices for securely configuring and deploying Dockerized applications. This knowledge exists across the vast community of Docker users, but we realized that we just haven’t gotten around to writing it down and sharing it with everyone else. As part of that process, Jérôme Petazzoni and I joined representatives from VMware, Rakuten, Cognitive Scale and International Securities Exchange to collaborate with the Center for Internet Security on a…

I’m thrilled to officially announce that Nathan McCauley and I are joining Docker to lead the Security Team. Back in 2011, Nathan and I were fortunate enough to join Square just as it was picking up steam. Square disrupted traditional point-of-sale systems by allowing anyone to take credit-card payments on their phone. And with great, disruptive ideas came new and interesting security engineering challenges. During our time at Square we built a wide range of different systems, from a general-purpose cryptography infrastructure and a fully-fledged mutual-TLS micro-service architecture to a small end-to-end encrypted credit-card reader. All of these systems allow…
