Container technologies frequently leverage libraries of shared code, built on open source tools and platforms. The problem is that once those container images are created there isn’t anyone specifically designated with the responsibility to patch new vulnerabilities as they’re found, so a container image could be filled with security holes that expose you to unnecessary risk.
Red Hat and Black Duck teamed up to offer a container security solution to check those images and make sure they’re safe:
As a security professional it’s frustrating that security is always an afterthought. Innovative tools and techniques emerge and gain momentum until they become virtually ubiquitous—and then someone eventually stops and says, “Wait. We should probably make this secure, too, right?” Container technologies have reached that “Oh, wait” stage in 2015 and suddenly security seems to be one of the primary considerations for organizations that have already embraced containers or are looking to do so.
One of the strengths of containers is also one of their greatest potential weaknesses. Many container technologies are designed around open source tools and platforms—software that can be changed or updated by almost anyone, but that may not be actively maintained by anyone at the same time. Docker and other container platforms also make extensive use of shared libraries—pre-built containers designed for specific tasks.
A survey conducted by Red Hat found that 60 percent of respondents are concerned about container security and certification. Apparently, those concerns are valid as well, because a study in May of 2015 from BanyanOps discovered that more than 30 percent of the official container images shared in the Docker Hub contain high-priority security vulnerabilities.
In order to adopt containers securely and with confidence, organizations need a combination of container inspection, certification, and policy and trust. These are the elements Red Hat hopes to deliver for customers.
Red Hat recently teamed up with Black Duck to give enterprise customers some peace of mind when it comes to container security. The collaboration between the two establishes a secure model for containerized application delivery by verifying that containers include only certified content that is free from known vulnerabilities.
“Container technology is another breakthrough in the constant drive to increase development agility and get products to market more quickly. Speed and agility are key drivers for container adoption in the enterprise, but not at the expense of security,” explained Lou Shipley, CEO, Black Duck. “The Black Duck-Red Hat collaboration is rooted in the collective value that we deliver from an open source perspective, by helping to make containers safe for enterprise use.”
Open source software and component libraries are both valuable for effective and efficient software development, but pose problems when vulnerabilities exist. Red Hat is integrating Black Duck’s container scanning and open source vulnerability mapping tools with its OpenShift Platform-as-a-Service (PaaS) solution. Black Duck’s KnowledgeBase includes information on 1.1 million open source projects and detailed data on more than 100,000 known open source vulnerabilities.
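To make the "container scanning and vulnerability mapping" idea concrete, here is a stripped-down illustration of what such a scan does at its core: take the list of packages installed in an image, look each one up in a knowledgebase of known vulnerabilities with their fixed versions, and apply a policy that refuses to certify an image with blocking findings. This is an added example and not Red Hat's or Black Duck's code; the package manifest, the knowledgebase entries and the `EXAMPLE-*` identifiers are constructed placeholders, not real advisories, and versions are assumed to be plain dotted integers.

```python
"""Minimal container image scan: map installed packages to known vulnerabilities.

Added illustration only (not Black Duck's or Red Hat's tooling). All package
versions and vulnerability records below are constructed sample data.
"""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as "1.0.10" into (1, 0, 10) so it compares numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # placeholder id, not a real CVE
    package: str
    fixed_in: str  # first version that is no longer affected
    severity: str


# Constructed knowledgebase (assumption: one fixed version per entry).
KNOWLEDGEBASE = [
    Vuln("EXAMPLE-0001", "openssl", "1.0.2", "high"),
    Vuln("EXAMPLE-0002", "bash", "4.3.30", "high"),
    Vuln("EXAMPLE-0003", "zlib", "1.2.9", "medium"),
]

# Constructed image manifest: package name -> installed version, as you would
# get from parsing `rpm -qa` or `dpkg -l` output inside the image.
IMAGE_MANIFEST = {"openssl": "1.0.1", "bash": "4.3.30", "zlib": "1.2.8", "curl": "7.40.0"}


def scan_image(manifest: dict, knowledgebase: list) -> list:
    """Return (id, package, installed, severity) for every installed package below its fix."""
    findings = []
    for vuln in knowledgebase:
        installed = manifest.get(vuln.package)
        if installed is None:
            continue  # package not present in this image
        if parse_version(installed) < parse_version(vuln.fixed_in):
            findings.append((vuln.vuln_id, vuln.package, installed, vuln.severity))
    return findings


def certify(manifest: dict, knowledgebase: list, block_on=("high",)) -> tuple:
    """Policy gate: certified only if no finding has a blocking severity."""
    findings = scan_image(manifest, knowledgebase)
    blocking = [f for f in findings if f[3] in block_on]
    return len(blocking) == 0, findings


if __name__ == "__main__":
    ok, found = certify(IMAGE_MANIFEST, KNOWLEDGEBASE)
    for finding in found:
        print(finding)
    print("certified" if ok else "blocked")
```

With the sample data the openssl and zlib entries match (bash is already at its fixed version), and the high-severity openssl finding blocks certification.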
Check out the full article on ContainerJournal: Red Hat and Black Duck team up to deliver a more secure container platform.