Jenny Fong

A Secure Supply Chain for Kubernetes, Part 2

Two weeks ago we shared how the upcoming release of Docker Enterprise Edition (Docker EE) is able to secure the software supply chain for Kubernetes, just as it does for Docker Swarm, through a combination of scanning for vulnerabilities and implementing image promotion policies. In this blog, we'll take a closer look at another part of this solution: Docker Content Trust and image signing. When combined with granular Role Based Access Controls (RBAC) and the secure clustering features of Docker EE, organizations get a secure container platform solution that is ready for the enterprise.

Restricting Unverified Kubernetes Content

As discussed in Part 1 of this blog post, organizations typically have a "supply chain" for how applications progress from a developer's laptop to production, whether that is on-premises or in the cloud. For larger organizations, the team that handles QA and testing is not always Continue reading…

David Lawrence

Introducing Image Signing Policy in Docker Datacenter

My colleague Ying Li and I recently blogged about Securing the Software Supply Chain and drew the analogy between traditional physical supply chains and the creation, building, and deployment involved in a software supply chain. We believe that a software pipeline that can be verified at every stage is an important step in raising the security bar for all software, and we didn't stop at simply presenting the idea.

Integrated Content Trust and Image Signing Policy

In the recent release of Docker Datacenter, we announced a new feature that starts to bring these security capabilities together along the software supply chain. Built on Notary, a signing infrastructure based on The Update Framework (TUF), along with Docker Content Trust (DCT), an integration of the Notary toolchain into the Docker client, DDC now allows administrators to set up signing policies that prevent untrusted content Continue reading…

Nathan McCauley

Security through Community: Introducing the Vendor Security Alliance

Today Docker is proud to announce that we are a founding member of the Vendor Security Alliance (VSA), a coalition formed to help organizations streamline their vendor evaluation processes by establishing a standardized questionnaire for appraising a vendor's security and compliance practices. The VSA was established to solve a fundamental problem: how can IT teams conform to their existing security practices when procuring and deploying third-party components and platforms? The VSA solves this problem by developing a required set of security questions that will allow vendors to demonstrate to their prospective customers that they are doing a good job with security and data handling. Good security is built on great technology paired with processes and policies. Until today, there was no consistent way to discern if all these things were in place. Doing a proper security evaluation today tends to be a hard, manual Continue reading…

Docker Security Team

Securing the Enterprise Software Supply Chain Using Docker

At Docker we have spent a lot of time discussing runtime security and isolation as a core part of the container architecture. However, that is just one aspect of the total software pipeline. Instead of a one-time flag or setting, we need to approach security as something that occurs at every stage of the application lifecycle. Organizations must apply security as a core part of the software supply chain, where people, code and infrastructure are constantly moving, changing and interacting with each other. If you consider a physical product like a phone, it's not enough to think about the security of the end product. Beyond the decision of what kind of theft-resistant packaging to use, you might want to know where the materials are sourced from and how they are assembled, packaged and transported. Additionally, it is important to ensure Continue reading…

Banjot Chanana

DockerCon EU 2015: Docker Trusted Registry 1.4 with Integrated Content Trust and Universal Control Plane

What an exciting second day! Just when you thought you couldn't get enough of Docker, Docker, Docker, we've added more! In today's keynote, we talked about some amazing products: from Project Nautilus, the new image scanning and vulnerability detection service for Official Repos on Docker Hub, to the upgrades to the Docker Hub Auto Build service, to how to use these together with Tutum for an end-to-end Containers as a Service platform, all available in the cloud today. And for those that need on-premises control of their own destiny, we have a new release of Docker Trusted Registry that integrates Docker Content Trust for image signing, integrity and authenticity.

Diogo Mónica

Docker Content Trust Gets Hardware Signing

Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content. Today we're incredibly excited to announce support for hardware-based signing in Notary and Docker experimental.

Victor Coisne

Recap: Docker 1.8 Online Meetup Series

Missed our three-part series of Docker Online Meetups on the Docker 1.8 release? Don’t worry! We recorded each session and posted the videos for you to watch. Our series of Docker Online Meetups on the Docker 1.8 release started with Core Maintainer David Calavera presenting an overview of the new features and upgrades available in this release. Sr. Software Engineer David Lawrence then provided a comprehensive look at Docker Content Trust, the system powering image signing.

Diogo Mónica

Introducing Docker Content Trust

Image Signing and Verification using The Update Framework (TUF)

A common request that we've heard from the Docker community is the need to have strong cryptographic guarantees over what code and what versions of software are being run in your infrastructure. This is an absolute necessity for secure and auditable production deployments. To answer these needs, we are excited to announce a new feature in 1.8 called Docker Content Trust, which integrates The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.