TY - GEN
T1 - Why Johnny Can’t Use Secure Docker Images
T2 - 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
AU - Kim, Taeyoung
AU - Park, Seonhye
AU - Kim, Hyoungshick
N1 - Publisher Copyright:
© 2023 Copyright held by the owner/author(s).
PY - 2023/10/16
Y1 - 2023/10/16
N2 - This paper explores the usability of Docker Image Vulnerability Scanners (DIVSes) through heuristic evaluations. Docker simplifies the process of software development, distribution, deployment, and execution by providing a container-based execution environment. However, vulnerabilities in Docker images can pose security risks to containers. To mitigate this, DIVSes are crucial in helping developers identify and address these vulnerabilities in the software packages and libraries within Docker images. Despite their importance, research on the usability of DIVSes has been limited. To address this gap, we developed 11 customized heuristics and applied them to three widely-used DIVSes (Grype, Trivy, and Snyk). Our evaluations revealed 239 usability issues within the tools evaluated. Our findings highlight that the evaluated DIVSes do not provide sufficient information to comprehend the risks associated with identified vulnerabilities, prioritize them, or effectively fix them. Our study offers valuable insights and practical recommendations for enhancing the usability of DIVSes, making it easier for developers to identify and address vulnerabilities in Docker images.
AB - This paper explores the usability of Docker Image Vulnerability Scanners (DIVSes) through heuristic evaluations. Docker simplifies the process of software development, distribution, deployment, and execution by providing a container-based execution environment. However, vulnerabilities in Docker images can pose security risks to containers. To mitigate this, DIVSes are crucial in helping developers identify and address these vulnerabilities in the software packages and libraries within Docker images. Despite their importance, research on the usability of DIVSes has been limited. To address this gap, we developed 11 customized heuristics and applied them to three widely-used DIVSes (Grype, Trivy, and Snyk). Our evaluations revealed 239 usability issues within the tools evaluated. Our findings highlight that the evaluated DIVSes do not provide sufficient information to comprehend the risks associated with identified vulnerabilities, prioritize them, or effectively fix them. Our study offers valuable insights and practical recommendations for enhancing the usability of DIVSes, making it easier for developers to identify and address vulnerabilities in Docker images.
KW - Container Images
KW - Heuristic Evaluation
KW - Vulnerability Scanners
UR - https://www.scopus.com/pages/publications/85175720682
U2 - 10.1145/3607199.3607244
DO - 10.1145/3607199.3607244
M3 - Conference contribution
AN - SCOPUS:85175720682
T3 - ACM International Conference Proceeding Series
SP - 669
EP - 685
BT - Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
PB - Association for Computing Machinery
Y2 - 16 October 2023 through 18 October 2023
ER -