Docker Hub: Exposing the Hidden Cost of Data Breaches

Big risks can come from small, sometimes unexpected places. Compared to all the other vendors you need to manage, you might not think of a container image registry as a high priority — but the recent breach of Docker Hub shows otherwise.

What’s the big deal, though? Docker Hub is just a place where developers put images, right? So what if it gets hacked?

Most organizations have a software DevOps team that uses repositories like Docker Hub or Veracode to store images. While images might initially seem innocuous, the Docker Hub breach exposes a simple truth: often it’s not the value of what is breached that matters, but the scale of the reach.

Even though no financial or personal data was breached, the incident still exposed tens of thousands of logs, user tokens and hashed passwords. Given the vast number of images stored in Docker Hub, that gives bad actors plenty of places to insert malicious code.

All this has a real business impact, beyond just what we typically associate with a breach.

As one commentator pointed out, it’s actually shocking how blindly most of the internet just pulls images from Docker Hub, and how tightly accounts and projects are interconnected within Docker Hub. Tracking down exactly which assets were impacted will be an enormous task with serious implications for your organization. That’s because your DevOps team will now have to spend countless hours combing through image repositories and autobuilds and looking for suspicious activity in their accounts and projects. They will also need to reset passwords, remove and replace all the images from compromised accounts, and redo work that has already been done. Time spent doing that is time spent not doing the work that creates revenue for your business.
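The two problems described above, images pulled blindly by tag and images that may originate from a compromised account, can both be surfaced mechanically before the team starts combing through repositories by hand. The following Python script is an added example, not code from the original post or from Docker; it parses the `FROM` lines of a Dockerfile, resolves the implicit Docker Hub registry and `library/` namespace, flags every base image that is not pinned by `@sha256` digest (a tag can be re-pushed, a digest cannot), and flags images from any Docker Hub namespace the team has listed as compromised. The sample Dockerfile, the `exampleorg` namespace and the all-zero digest are constructed placeholders.

```python
"""Audit Dockerfile FROM lines for unpinned or untrusted base images (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches one Dockerfile instruction of the form:
#   FROM [--platform=<p>] <image>[:<tag>][@<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class ImageRef:
    registry: str            # "docker.io" when the reference names no registry host
    repository: str          # e.g. "library/alpine" or "exampleorg/base-image"
    tag: Optional[str]       # None when no tag is given (Docker then assumes "latest")
    digest: Optional[str]    # "sha256:..." when the image is pinned by digest


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry / repository / tag / digest.

    Docker Hub (docker.io) is the implicit registry, and bare official images
    such as "alpine" live under the "library/" namespace.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", (ref if len(parts) > 1 else "library/" + ref)
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):          # a ':' after the last '/' separates the tag
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def audit_dockerfile(text: str, compromised_namespaces: frozenset = frozenset()) -> list:
    """Return (line_no, kind, message) findings for every risky FROM line."""
    findings = []
    stages = set()                       # names introduced by earlier "AS <stage>"
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # "FROM <stage>" reuses an earlier build stage; "scratch" is the empty image.
        if ref.lower() == "scratch" or ref.lower() in stages:
            if m.group("stage"):
                stages.add(m.group("stage").lower())
            continue
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if "$" in ref:                   # "FROM ${BASE}" cannot be judged until ARGs are resolved
            findings.append((line_no, "unresolved-variable", f"{ref}: resolve ARG before auditing"))
            continue
        img = parse_image_ref(ref)
        if img.digest is None:
            findings.append((line_no, "unpinned",
                             f"{ref}: tag '{img.tag or 'latest'}' is mutable; pin by @sha256 digest"))
        namespace = img.repository.split("/")[0]
        if img.registry == "docker.io" and namespace in compromised_namespaces:
            findings.append((line_no, "compromised-namespace",
                             f"{ref}: Docker Hub namespace '{namespace}' is on the compromised-account list"))
    return findings


# Constructed sample Dockerfile (not from the original post). The digest is an
# all-zero placeholder and "exampleorg" is a placeholder namespace.
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .
FROM --platform=linux/amd64 docker.io/library/alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /src/app /app
FROM exampleorg/base-image:latest
FROM builder AS test
FROM scratch
FROM ${BASE_IMAGE}
"""

if __name__ == "__main__":
    for line_no, kind, msg in audit_dockerfile(SAMPLE_DOCKERFILE, frozenset({"exampleorg"})):
        print(f"line {line_no}: [{kind}] {msg}")
```

Run against a real tree, the same `audit_dockerfile` call can be pointed at each Dockerfile the team owns, with the compromised-namespace set filled from the vendor's breach notification; the pinned `alpine` line and the stage and `scratch` references produce no findings, while the tag-only and variable-based lines do.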

So many businesses rely on software development for essential business functions now that slowing down the dev pipeline is effectively slowing down the business, with an impact on revenue generation that can be far reaching. Adding to the team’s woes, many DevOps teams may not know exactly what their vendor inventory looks like, and notifications are only sent to the account holder. So if a developer has been using a personal account, or fails to notify the team, the lag from breach to remediation could be fairly long, if the breach is identified at all.

Breaches like Docker Hub’s expose a few issues that security teams need to address within their organization to prevent these kinds of headaches in the future.

  1. Vendor accounts need to be owned by the company and tied to an organizational email address. This allows organizations to keep positive control of accounts and be notified immediately when accounts are breached.
  2. Organizations need to keep a comprehensive inventory of their vendors. A recent study showed that 70% of organizations rely on third-party vendors; however, 59% of cybersecurity breaches originate with third parties, so keeping an up-to-date inventory of vendors and the systems they have access to is vital.
  3. A comprehensive third-party risk management program that quantifies the risk posed by third-party vendors can help security teams prioritize their efforts. Risk is omnipresent, but several factors can help organizations understand where breaches may come from and what the implications are, which helps speed response times.