Containers for Data Analysis Are Rife With Vulnerabilities

Old software components and the inclusion of unnecessary code created a massive attack surface area in containers for scientific analysis, researchers say.

Regularly updating software components can eliminate two-thirds of the vulnerabilities found in container images, while minimizing the number of libraries can also reduce the attack surface area in some cases, according to research by a team at Concordia University in Montreal.


The research, which focused on containerized applications used in high-performance computing (HPC) environments for neuroimage processing, analyzed 44 container images using vulnerability scanners and found that the average container image had more than 320 vulnerabilities. Containers based on lightweight Linux distributions, such as Alpine Linux, had far fewer vulnerabilities, suggesting that minimizing the volume of code can also reduce the number of vulnerabilities, the research team said in a paper posted online last week.


While the researchers focused on containerized applications for analyzing images of the brain, the vulnerability problem is not particular to that discipline or to data science packages, says Tristan Glatard, associate professor in the department of computer science and software engineering at Concordia University.


"The problem is general — it's not specific to a particular data analysis software or OS distribution," says Glatard. "There is no particularly bad guy. ... We didn't find any particular origin of vulnerabilities."


The research highlights that updating the packages included in images is a proven way for users of Docker and Singularity containers to reduce the number of vulnerabilities in the software. Last year, for example, one survey of Docker images found that 60% had at least one moderate vulnerability, while 20% had at least one high-risk vulnerability. Unfortunately, data scientists, like enterprise IT workers, are often leery that updates may break critical software.
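The two findings above, a per-image vulnerability count from a scanner and the share of those findings that an update would remove, are easy to reproduce for your own images. The script below is an added example, not code from the Concordia paper or from any scanner project. It assumes the shape of a Trivy JSON report (top-level "Results", each with a "Vulnerabilities" list whose entries carry VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the embedded report is constructed for the example, and its vulnerability IDs and version strings are placeholders, not real advisories. It counts findings by severity, reports what fraction have a fixed version available, and derives the minimum package versions an upgrade would need to reach.

```python
"""Summarise a Trivy-style JSON image scan and estimate how much of it a
package update would remove.  Added example; report shape is an assumption."""
import json
import re
from collections import Counter

# Constructed sample report, not a real scan.  It mirrors the layout of a
# Trivy JSON report (assumed: Results[].Vulnerabilities[] with
# VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity).
# The IDs and version strings are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/neuroimaging:latest",
    "Results": [
        {
            "Target": "example/neuroimaging:latest (debian)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-1", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1n-0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-2", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1k-0",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "EXAMPLE-3", "PkgName": "libxml2",
                 "InstalledVersion": "2.9.4+dfsg1-7",
                 "FixedVersion": "2.9.4+dfsg1-7+deb10u2", "Severity": "CRITICAL"},
                # Empty FixedVersion: the distro has no patched package yet.
                {"VulnerabilityID": "EXAMPLE-4", "PkgName": "libxml2",
                 "InstalledVersion": "2.9.4+dfsg1-7", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "/opt/conda/lib/python3.8/site-packages",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-5", "PkgName": "numpy",
                 "InstalledVersion": "1.18.1", "FixedVersion": "1.22.0",
                 "Severity": "HIGH"},
                # FixedVersion key absent entirely: also treated as unfixed.
                {"VulnerabilityID": "EXAMPLE-6", "PkgName": "pillow",
                 "InstalledVersion": "7.0.0", "Severity": "MEDIUM"},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten every result (OS packages, language packages) into one list."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                # A missing or empty FixedVersion means no patched release exists.
                "fixed": vuln.get("FixedVersion") or "",
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def _version_key(version):
    """Rough ordering key: split on . - + ~ and compare numeric runs as ints.
    Heuristic only; distro rules such as epochs and tilde ordering are not modelled."""
    parts = re.split(r"[.\-+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def summarize(findings):
    """Totals by severity plus the share of findings a package update would close."""
    fixable = [f for f in findings if f["fixed"]]
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "fixable": len(fixable),
        "fixable_fraction": len(fixable) / len(findings) if findings else 0.0,
        "unfixable_ids": sorted(f["id"] for f in findings if not f["fixed"]),
    }


def upgrade_plan(findings):
    """Per (target, package): the highest FixedVersion seen, i.e. the minimum
    version an upgrade must reach to close every fixable finding on that package."""
    plan = {}
    for f in findings:
        if not f["fixed"]:
            continue
        key = (f["target"], f["pkg"])
        current = plan.get(key)
        if current is None or _version_key(f["fixed"]) > _version_key(current):
            plan[key] = f["fixed"]
    return plan


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(json.dumps(summarize(found), indent=2))
    for (target, pkg), version in sorted(upgrade_plan(found).items()):
        print(f"{target}: {pkg} -> {version}")
```

To run it against a real image, replace SAMPLE_REPORT with the contents of a report produced by `trivy image --format json -o report.json IMAGE` (or any scanner whose output you map to the same fields). The fixable fraction is the number the paper's "two-thirds" claim refers to; the remainder are findings with no patched package in the image's distribution, which only a base-image change or removal of the package can address. Treat the version ordering as a triage aid, not a policy check, since it does not implement Debian or Alpine version semantics.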


The researchers, however, urged other scientists and da ..
