Ten year maintenance commitment on app images provides secure cloud software supply chain
November 24th 2020: Canonical has published the LTS Docker Image Portfolio, a curated set of secure container application images, on Docker Hub.
The LTS Docker Image Portfolio comes with up to ten years Extended Security Maintenance by Canonical. “LTS Images are built on trusted infrastructure, in a secure environment, with guarantees of stable security updates,” said Mark Lewis, VP Application Services at Canonical. “They offer a new level of container provenance and assurance to organisations making the shift to container based operations.”
Canonical and Docker will collaborate on Docker Official Images and LTS Docker Image Portfolio to bring the best of the two to the community and ecosystem. The entire LTS Docker Image Portfolio will be exempted from per-user rate limits.
Critical CVE fixes within 24 hours
The Snyk State of Open Source Security report for 2020 found that many popular container images have known security vulnerabilities. The only image in the study free of such concerns was the Ubuntu image, maintained by Canonical.
“Our track record underscores our commitment to security,” said Valentin Viennot, Product Manager at Canonical. “We address high and critical CVEs in LTS offerings, and fix critical issues within 24 hours.” The Snyk report finds the average time for enterprises to remediate homegrown images is 68 days.
Hardened free and commercial LTS images
Several images from the LTS Docker Image Portfolio will be freely available as Docker Official Image versions during the five year standard security maintenance period of the underlying Ubuntu LTS. The entire LTS Image Portfolio, including content exclusively available to Canonical customers, will be available through Docker Hub.
“Docker helps millions of developers simplify how they collaboratively build, share and run applications,” said Scott Johnston, CEO, Docker. “Docker Hub is the most popular registry on the planet because of the depth and breadth of content. It equally serves any developer running in any environment. Developers want and need a curated, maintained and secure set of content that Docker is continuously investing in. Today, we are taking that investment further with Canonical’s Ubuntu, one of the most popular verified images on Docker Hub, to create a more integrated, reliable and secure developer experience to accelerate app delivery for our community.”
“Guarantees of software supply chain security and integrity are vital to the fast-moving world of cloud-native operations,” said Mark Shuttleworth, CEO at Canonical. “As the platform provider for the vast majority of container runtimes, we are responsible for the underlying performance and security of multi-cloud container operations and are glad to extend that service to the application container layer.”
Many cloud applications with latest and LTS versions
The image portfolio includes fast-moving developer-oriented images which reflect current development. An example Redis image is at:
docker run -d ubuntu/redis:5.0-20.04_beta
Stable application version images with a stable Ubuntu LTS base and up to five years free standard security maintenance will shortly be freely available:
docker run -d lts/nginx:1.18-20.04_beta
Finally, customers of Canonical’s Ubuntu Pro gain access to ten year Extended Security Maintenance images through Docker Hub.
Integrated partnerships for scanning and fixing
The LTS Images complement scanning solutions which identify problematic container images in registries and in production.
“For too long, going cloud native has left enterprises exposed to security vulnerabilities – from sourcing patched images through awareness of vulnerabilities to the maintenance lifecycle,” said Jim Armstrong, Product Director at cloud-native application security leader Snyk. “The availability of the LTS Docker Image Portfolio, as well as the recently announced Docker security scanning powered by Snyk directly in Docker Hub, can drive a surge in Kubernetes adoption as companies embrace digital transformation while significantly reducing operating risk in the solution application life-cycle.”
Docker Hub is the world’s leading independent registry for finding and sharing container images with over 200 verified publishers, 160 Docker Official Images and more than 11 million active developers. It remains the world’s most popular and richest container registry with 13+ billion pulls per month from 7.9 million application repositories. Content sources include an active and vibrant community of developers, open source projects and independent software vendors (ISV) who overwhelmingly choose to build and distribute their code in containers using the Docker platform.
Canonical is the publisher of Ubuntu, the OS for most public cloud workloads as well as the emerging categories of smart gateways, self-driving cars and advanced robots. Canonical provides enterprise security, support and services to commercial users of Ubuntu. Established in 2004, Canonical is a privately held company.
Recent surveys found that many popular containers had known vulnerabilities. Container images provenance is critical for a secure software supply chain in production. Benefit from Canonical’s security expertise with the LTS Docker images portfolio, a curated set of application images, free of vulnerabilities, with a 24/7 commitment.