

Hackers will soon have a much harder time breaking into container clusters thanks to new security functionality Docker Inc. is introducing at its second annual European user conference this morning, which promises to block off two key threat vectors. The first is its official third-party software catalog, which curates operating system images, databases, and other application staples for easy access. None of the carefully vetted entries in the gallery is particularly likely to contain malware, but there is always the risk of a bug or vulnerability accidentally slipping through.
The tens of thousands of developers that rely on the Docker Hub can thus unknowingly end up implementing compromised software in their projects, with the potential to open a window for attacks. The new verification feature rolling out for the service promises to avoid such situations by periodically checking entries against the Department of Homeland Security’s continuously updated public vulnerability database and putting up a warning when a match is found. That kills two birds with one stone, deterring users from downloading unsafe software and thus giving vendors a strong incentive to issue a fix as soon as possible.
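The check described above, reduced to its core, is a lookup of an image's package inventory against a vulnerability feed. The following is an added example written for this article, not Docker's own scanner: it takes a constructed package list and a constructed advisory list (the advisory IDs are placeholders, not real identifiers) and reports every package installed at a version below the advisory's fixed version. Versions are assumed to be plain dotted numerics.

```python
"""Added example: match an image's package inventory against advisories.
Not Docker's code; advisory data and the sample image are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str       # package name as installed in the image
    fixed_in: str      # first version that is NOT affected


# Constructed feed; a real scanner would pull this from a public database.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-PLACEHOLDER-1", "openssl", "1.0.2"),
    Advisory("ADV-PLACEHOLDER-2", "bash", "4.3.30"),
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically,
    not lexically ('1.10' must sort after '1.9')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """A package is affected while its version is below the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def scan_image(packages: Dict[str, str],
               advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one finding per advisory that matches an installed package."""
    findings = []
    for adv in advisories:
        installed = packages.get(adv.package)
        if installed is None:
            continue            # package not in the image, nothing to flag
        if is_affected(installed, adv.fixed_in):
            findings.append({
                "advisory": adv.advisory_id,
                "package": adv.package,
                "installed": installed,
                "fixed_in": adv.fixed_in,
            })
    return findings


# Constructed inventory of a sample image: one vulnerable, one already fixed.
SAMPLE_IMAGE = {"openssl": "1.0.1", "bash": "4.3.30", "curl": "7.40.0"}

if __name__ == "__main__":
    for finding in scan_image(SAMPLE_IMAGE):
        print(f"WARNING {finding['advisory']}: {finding['package']} "
              f"{finding['installed']} < fixed {finding['fixed_in']}")
```

Running the block prints a single warning for the outdated `openssl`; `bash` is exactly at the fixed version and is left alone, which is the boundary a scanner most often gets wrong.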
The addition should come in particularly handy for organizations using Docker in production that have until now had to look out for new exploit warnings by themselves. The issue came on top of the already daunting task of securing the software produced internally, a challenge that the startup is also addressing at the conference with the introduction of support for Yubico Inc.’s namesake USB authentication devices. Developers are now able to use their company-issued YubiKeys to sign every new piece of code with a digital seal that can be rechecked before it’s rolled out to production in order to ensure that it hasn’t been tampered with.
When implemented properly, that arrangement can make it immensely difficult to compromise an environment without physical access. But even if a hacker somehow gets their hands on a key and then manages to bypass all the other mechanisms guarding an organization’s Docker deployment, they’ll still have to get past the third new security feature debuting at the conference: support for user namespaces in the Linux kernel, which make it possible to use advanced operating system functions inside a container without affecting the others running on the same server.
The functionality severely limits the potential damage that can be caused by a breach, bringing Docker much closer to the level of security offered by traditional hypervisors like VMware Inc.’s ESXi, which simply include a dedicated OS image in every instance. At the end of the day, however, all of the containers on a given host still have to share the same kernel. As a result, there’s still much more work to be done until Docker becomes a viable alternative to conventional virtualization for everyday enterprises.
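What a user namespace actually changes is the mapping between the UIDs a process sees inside the container and the UIDs the host kernel enforces; the kernel exposes that mapping in `/proc/<pid>/uid_map` as lines of `inside outside count`. The following is an added example, not Docker's code: it parses that format, translates a container UID to its host UID, and flags the case a defender cares about, a container whose root (UID 0) is really host root because no remapping is in place. The two sample maps are constructed; the remapped one uses a 65536-ID range starting at 100000 purely as an assumed illustration.

```python
"""Added example: interpret /proc/<pid>/uid_map and flag unremapped root.
Not Docker's code; the sample maps below are constructed."""
import os
from typing import List, Optional, Tuple

IdMap = List[Tuple[int, int, int]]   # (inside_start, outside_start, count)

# Constructed maps. The first is what a remapped container typically shows;
# the second is the identity map of the initial namespace (no remapping).
REMAPPED_MAP = "         0     100000      65536\n"
UNMAPPED_MAP = "         0          0 4294967295\n"

OVERFLOW_ID = 65534   # kernel default for IDs that have no mapping


def parse_id_map(text: str) -> IdMap:
    """Parse the 'inside outside count' lines of a uid_map or gid_map."""
    entries: IdMap = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(field) for field in line.split())
        entries.append((inside, outside, count))
    return entries


def to_host_id(inside_id: int, id_map: IdMap) -> Optional[int]:
    """Translate an ID seen inside the namespace to the host's view.
    Returns None when the ID falls outside every mapped range; the kernel
    presents such IDs as the overflow ID (65534) instead."""
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def container_root_is_host_root(uid_map_text: str) -> bool:
    """True when UID 0 inside maps straight to UID 0 on the host, i.e.
    a root process in the container carries real host-root identity."""
    return to_host_id(0, parse_id_map(uid_map_text)) == 0


def describe(uid_map_text: str) -> str:
    host_uid = to_host_id(0, parse_id_map(uid_map_text))
    shown = OVERFLOW_ID if host_uid is None else host_uid
    verdict = "NOT remapped" if shown == 0 else "remapped"
    return f"container root -> host uid {shown} ({verdict})"


if __name__ == "__main__":
    print("sample remapped:  ", describe(REMAPPED_MAP))
    print("sample unmapped:  ", describe(UNMAPPED_MAP))
    # On Linux, also inspect the map of the current process.
    if os.path.exists("/proc/self/uid_map"):
        with open("/proc/self/uid_map") as handle:
            print("this process:     ", describe(handle.read()))
```

The translation is the same arithmetic the kernel performs: a UID inside a mapped range is offset by the difference between the range's inside and outside starts, and anything outside every range has no host identity at all. Reading `/proc/<pid>/uid_map` for a container's processes is therefore a direct way to audit whether the remapping the article describes is in effect on a host.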