Securing 3rd Party App Integration in Docker-based Cloud Software Ecosystems
Christian Binkowski, Stefan Appel, Andreas Aßmuth
TL;DR
The paper addresses securing 3rd party app integration in Docker-based cloud ecosystems by analyzing attack vectors such as DoS, container breakout, and ARP spoofing, and by detailing a security concept that leverages Docker's inherent protections plus an API Gateway architecture. It proposes TLS-based encrypted communication, certificate pinning, logging for forensics, and OAuth2 for authenticated service access, complemented by an outbound proxy to restrict internet access. A testing framework comprising static code analysis, dependency checks, and sandbox testing is proposed to vet 3rd party containers before deployment. The contribution provides a holistic lifecycle security approach that decouples services, enables controlled inter-container communication, and supports auditable security events, with practical impact for safer, scalable ecosystems of Docker-based applications.
Abstract
Open software ecosystems are beneficial for customers; they benefit from 3rd party services and applications, e.g. analysis of data using apps, developed and deployed by other companies or open-source communities. One significant advantage of this approach is that other customers may benefit from these newly developed applications as well. Especially software ecosystems utilizing container technologies are prone to certain risks. Docker, in particular, is more vulnerable to attacks than hypervisor based virtualisation as it directly operates on the host system. Docker is a popular representative of containerisation technology which offers a lightweight architecture in order to facilitate the set-up and creation of such software ecosystems. Popular Infrastructure as a Service cloud service providers, like Amazon Web Services or Microsoft Azure, jump on the containerisation bandwagon and provide interfaces for provisioning and managing containers. Companies can benefit from that change of technology and create software ecosystems more efficiently. In this paper, we present a new concept for significant security improvements for cloud-based software ecosystems using Docker for 3rd party app integration. Based on the security features of Docker we describe a secure integration of applications in the cloud environment securely. Our approach considers the whole software lifecycle and includes sandbox testing of potentially dangerous 3rd party apps before these became available to the customers.