Posted by Charlie Klein on February 5, 2019
With containers, we’ve changed the way we deploy applications. Now it’s time to change the way we secure them, with container scanning tools for open source.
Containers, which speed time to market and enable continuous delivery, represent a dramatic shift in the way we package and deliver applications. Such a significant change in how we deploy applications requires an equally significant change in how we secure them.
Modern container images typically contain many open source components. These include the base image, dependencies, frameworks, and other helpful open source projects. But open source components can carry a great deal of risk. Some even have software vulnerabilities that could expose sensitive customer data or internal data.
Development, security, and IT operations teams often don’t know of the risks of using open source. So they might use the same application security tools they’ve always used. But because container deployment is rapid and continuous, many of these traditional tools—such as penetration testing—cannot keep up. In short, organizations that use containers need a new approach to application security.
If our annual OSSRA report is any indication, organizations are having trouble keeping track of the open source they’re using. So they can’t be sure whether it contains vulnerabilities. However, tracking these open source components can be nearly impossible considering the scale of many container deployments. And if you don’t know what components you use, you can’t understand the associated security risks.
You can gain visibility into open source risks in container clusters with a container scanning tool, such as Black Duck OpsSight. Black Duck OpsSight scans container images for open source components and alerts users of software vulnerabilities in those components. This helps IT and security teams understand and monitor their open source vulnerabilities at scale.
What Black Duck OpsSight does:
More organizations are adopting containers to quickly and continuously deliver applications. So container technologies are growing more diverse. Some organizations have chosen lightweight alternatives to the Docker runtime, such as CRI-O. And many are updating to Kubernetes 1.13 to manage their cluster life cycle with kubeadm.
So we’re excited to announce that Black Duck OpsSight 2.2 extends support to CRI-O environments and Kubernetes 1.13. Now those using the newest runtimes and orchestrators can effectively manage open source security risks in their clusters at scale.
In addition to Kubernetes 1.9.1–1.13, Black Duck OpsSight also supports Red Hat OpenShift 3.6–3.10, AWS Elastic Kubernetes Service, and Google Kubernetes Engine.
Finally, overburdened IT operations teams cannot afford to waste time configuring security solutions to meet scaling requirements. Black Duck OpsSight 2.2 uses the Synopsys Operator, based on the Kubernetes Operator Framework. This technology simplifies OpsSight deployment and management. It also enables better coordination between OpsSight and the Black Duck server and improves the fault tolerance of the entire solution.
Get the latest Software Integrity news, thought leadership, and more.