Case Study

PCI Compliance Certification with Docker Scout at Distilled

About: As custodians of Ireland’s four most successful internet brands, Daft.ie, DoneDeal.ie, Adverts.ie, and Gumtree.ie, Distilled exists to make buying and selling in Ireland.
Industry: Online Media
Location: Dublin, Leinster

Highlights

  • 3 months to certification: Achieved PCI compliance in under 3 months with Docker Scout.
  • 99% developer adoption: Nearly all developers swiftly integrated Docker Scout into their workflows.
  • 30-day patch compliance: Ensured all critical vulnerabilities were patched within the 30-day PCI-DSS requirement.


“Docker Scout helps us ensure that our payments and user data are fully secured.” — Milen Dobrev, Senior Engineering Manager

Introduction

Distilled, a prominent Irish company, manages four major online marketplaces: Daft.ie, DoneDeal.ie, Adverts.ie, and Gumtree.ie. With a long-standing market presence, particularly with Daft.ie, which has led the market for over 20 years, Distilled is a key player in Ireland’s online marketplace sector.

Driven by the need for PCI compliance for its payment processing systems, Distilled identified its critical requirements: a robust solution to continuously monitor and address vulnerabilities in its Docker images, and assurance that stringent security measures were maintained. Distilled chose Docker Scout, which led to an operational shift toward secure development and helped meet compliance requirements.

Challenges

Navigating stringent compliance demands

Distilled faced an important challenge in meeting the stringent requirements of PCI-DSS 4.0 compliance for its payment processing systems. According to PCI-DSS 4.0, all system components must be protected from known vulnerabilities by installing applicable security patches/updates within one month of release. This rigorous standard demands continuous and thorough security measures.

The initial security setup at Distilled, which relied on a basic Docker security scanner, did not fully meet these requirements. The core issue was that the existing tool scanned Docker images only at push time, so vulnerabilities disclosed after the push in infrequently updated images could go unnoticed and unpatched. This approach posed a significant risk, especially for Docker images that hosted both frontend and backend applications handling sensitive payment information.

There was no real-time awareness of new vulnerabilities due to the lack of continuous monitoring, exposing the system to emerging threats. “One of the requirements for PCI-DSS assessment is to ensure that any critical and high severity vulnerabilities are patched within 30 days of a patch being released,” says Milen Dobrev, Senior Engineering Manager.

Distilled needed a more comprehensive solution that could provide continuous security oversight and ensure compliance with PCI-DSS requirements, thereby safeguarding their payment processing systems and maintaining their market reputation.

Solution

Leveraging Docker Scout for continuous vulnerability analysis

Distilled chose Docker Scout for its continuous vulnerability analysis capabilities to address the critical need for ongoing security monitoring. Docker Scout provided actionable insights into vulnerabilities within Docker images, making it an ideal choice for maintaining PCI compliance.

The onboarding process was swift and efficient. Distilled needed only five essential Docker images onboarded, which Docker Scout handled smoothly. Integration with existing workflows, especially for the PCI patching team, caused no significant impact on operations.

Developers on the PCI patching team adapted to Docker Scout with ease. The tool’s straightforward interface and focused features facilitated a smooth transition. Docker Scout’s user-friendly design allowed developers to quickly understand and utilize its capabilities without extensive training or adaptation periods.

Key benefits

Continuous security monitoring

Docker Scout provides continuous vulnerability analysis, ensuring that vulnerabilities are identified and addressed promptly.

Simplified PCI compliance

Helps maintain PCI compliance by ensuring critical and high-severity vulnerabilities are patched within the required 30-day window.

Detailed vulnerability insights

Provides actionable insights by allowing users to drill down into image layers to identify specific vulnerabilities and their publication dates.

Effective policy management

Policies feature helps manage and prioritize vulnerabilities according to organizational needs, although improvements are needed.

Developer experience

Developers find Docker Scout easy to use, with a clear interface and focused features, making it less disruptive to their workflows.

Timely notifications

Real-time notifications help keep the team informed about new vulnerabilities, aiding in prompt resolution and compliance maintenance.

Results and outcomes

Securing compliance and enhancing efficiency

Implementing Docker Scout proved to be a pivotal decision for Distilled, significantly contributing to their successful PCI compliance certification. Docker Scout’s continuous monitoring and real-time notifications ensured that all critical and high-severity vulnerabilities were promptly addressed, aligning perfectly with PCI-DSS requirements.

Distilled not only achieved PCI compliance but also established a robust framework for ongoing compliance maintenance. Regular reviews of Docker Scout reports became an integral part of their security protocol, enabling the team to address new vulnerabilities promptly. “We needed something that would continuously scan and notify us if there was something we had to address, which Docker Scout has been doing well,” says Dobrev. This continuous vigilance has allowed Distilled to maintain its compliance status seamlessly.

Efficiency and satisfaction levels within the PCI patching team soared with the adoption of Docker Scout. The quick initial analysis of new images, coupled with the detailed insights into vulnerabilities, streamlined their workflow. Features such as policies and notifications further enhanced the team’s ability to stay on top of vulnerabilities, fostering a proactive security stance. “The discovery feature, where you can see exactly where a vulnerability is in the image layers, is the most valuable,” says Dobrev.

The integration of Docker Scout also brought about a marked improvement in the overall developer experience. Developers found the platform easy to use and appreciated its clear interface and focused features. “Once you get up to speed, it’s easy to understand and use,” Dobrev says. This ease of use minimized disruptions to their workflow and allowed them to concentrate on core development tasks while maintaining stringent security standards.

Docker Scout not only empowered Distilled to achieve and uphold PCI compliance but also enhanced their operational efficiency and security posture. The successful integration and ongoing use of Docker Scout underscore its value as a trusted tool in Distilled’s security toolset.

Conclusion

Sustaining compliance and security with Docker Scout

Distilled’s journey toward PCI compliance was significantly bolstered by the adoption of Docker Scout. The continuous and detailed vulnerability insights provided by Docker Scout were instrumental in securing their PCI certification. Moving forward, Distilled plans to continue leveraging Docker Scout to maintain its compliance status, ensuring that its payment processing systems remain secure and up to date.

The seamless integration of Docker Scout into existing workflows has not only enhanced security measures but also improved overall efficiency. Distilled envisions further integration of Docker Scout into their broader CI/CD workflows, aiming to streamline processes and reinforce their commitment to security. As they look to the future, Distilled remains confident in Docker Scout’s ability to support their ongoing compliance and security needs, positioning them well for continued success in the dynamic online marketplace industry.

Learn more

“We plan to maintain our compliance status and keep using Docker Scout for the foreseeable future.”

Milen Dobrev
Senior Engineering Manager, Distilled

“Getting that info about the layers we had to look into was quite helpful.”

Milen Dobrev
Senior Engineering Manager, Distilled

“Once you add a new image, it's quick to get your first analysis.”

Milen Dobrev
Senior Engineering Manager, Distilled

“The layer view, where you can see exactly where a vulnerability is in the image layers, is the most valuable.”

Milen Dobrev
Senior Engineering Manager, Distilled

“Notifications for new vulnerabilities are crucial.”

Milen Dobrev
Senior Engineering Manager, Distilled