Is Security Worth the Cost of a Subscription? Yes, Docker Argues

Docker today announced a fundamental change to its subscription model, rolling the use of its primary utility for managing Docker services on the desktop into its subscription — a strategy it says is necessary to help fund efforts to improve security and manageability.

Starting February 1, 2022, companies will have to have a valid per-user subscription to run Docker Desktop, a change that will likely force many companies that are using Docker Desktop — but not necessarily Docker Hub — to pay fees. Docker plans to use much of the revenue generated to create a more trusted ecosystem of Docker images and add more security tools for application developers. 

In addition, business-specific features, such as more stringent management of the containers and repositories that developers can use, will be implemented, according to chief technology officer Justin Cormack.

"Our conversations with customers have shown that, from their point of view, security is probably the most important piece missing at the moment," says Cormack. "We see customers really having to think about their supply chain. It is a huge area, and there are quite a lot of pieces that cross what we do."

As of today, Docker will change the license terms for Docker Desktop, its primary program for making use of images and containers on Windows and Mac. Open source projects, individual developers, the education industry, and small businesses will all be able to use Docker Desktop for free under the lowest tier — renamed "Personal" instead of "Free" — but the company will require that any company with more than 250 employees or more than $10 million in revenue buy into its paid tiers.

Possible Blowback?
The move, which brings the use of Docker Desktop into the company's subscription model, will likely garner criticism. Yet the company is casting the change as a way to generate revenue that it will reinvest in its current challenges — chief among them, security.

"The developer laptop is a key part of the supply chain, and it is a place where we want things to shift left," Cormack says. "Companies want a desktop control plane so they can understand what developers are doing and tools to help put controls in place."

Docker images and containers have become a significant part of the software-development supply chain, allowing developers to exchange environments, configurations, and infrastructure settings as code. Yet attackers are also increasingly using the technologies, often to attempt to slip rogue containers into corporate infrastructure to enable cryptomining or some other malicious activity.

A major problem is that many developers create a Docker image and then fail to update the components that make up an image — expressed in a so-called "Dockerfile" — leaving any containers built from the image vulnerable to exploitation. In January, an analysis of 4 million images available from the Docker Hub, for example, found that 51% of the images had at least one critical vulnerability.

The issues will become even more of a problem as the number of developers using Docker grows. In February, Docker stated that 7.3 million individual accounts were being used, up 45% year over year. Meanwhile, Docker Desktop usage also grew, reaching 3.3 million for an increase of 38%.

Given its popularity, Docker has focused increasingly on security and offering tools to developers to better detect vulnerable components. The company added vulnerability analysis through a partnership with security-scanning firm Snyk, but acknowledges that the output — a long list of vulnerabilities with little guidance — should be improved.

"We are really trying to double down on the usability of the security features," Carmack says. "It is not as helpful as it should be sometimes."

Verified by Docker
Earlier this summer, the company launched its Docker Verified Publisher program, giving software projects and companies the ability to have official images on the Docker Hub as long as they verify their identity and comply with certain rules. Many of the details of the program, such as the security enforcement of images hosted on Docker Hub, are still a work in progress, Carmack acknowledged.

"We are not doing a lot of verification yet, but it is on the road map," Carmack says. "The whole kind of maturity of tools in the space for this is pretty, well, bad, but we are working on standards with Amazon and Microsoft and others, and that is pretty heavily driven by publisher verification."

Come February, companies will have to decide whether the work and the improvements are worth the cost of a subscription. Docker argues that it is.