Posted by Derek Handova on February 27, 2019
Open source is eating software, but Red Hat and Synopsys help you build and deploy containers more securely and at scale.
Netscape co-founder Marc Andreessen once proclaimed that software is eating the world. He meant that companies whose main business is not software are nevertheless heavily reliant on software development to support their primary line of business.
Today, you could say that open source is eating software, with many applications comprising up to 90% open source code. But do you have an accurate inventory of the open source components you use, where they all came from, and how secure they are? More importantly, do you have a reliable way to ensure vulnerable components don't make it into your production applications? To help teams answer these questions with confidence, Red Hat and Synopsys have been collaborating.
Specifically, with the Synopsys Polaris Software Integrity Platform™, teams using the Red Hat OpenShift Container Platform can analyze container security holistically by combining open source vulnerability detection from Black Duck software composition analysis (SCA) with Coverity static analysis (SAST) in one unified solution.
With Polaris unified reporting, security alerts from a Black Duck container scan will be displayed alongside other analysis results. Black Duck automatically identifies open source components—regardless of source—in container images deployed in a Red Hat OpenShift environment.
“Black Duck is a great solution for scanning Red Hat OpenShift container images automatically for open source security issues that customers can see within Polaris along with data from their other Synopsys tools,” says Chris Morgan, director, Cloud Platforms technical marketing, Red Hat.
In addition to Black Duck container scanning reports that are pulled into Polaris, the platform will directly show the results of Coverity SAST scans in the user interface.
“Synopsys is proud to collaborate with Red Hat in our mission to enable customers to bring open source risk management to their containerized production environments,” says Vatsal Sonecha, Synopsys VP Business Development for the Software Integrity Group. “Synopsys and Red Hat share a similar vision for the future of application deployment and, together, we look forward to helping organizations overcome the challenges of containerized applications.”
The Black Duck connector for Red Hat OpenShift Container Platform provides proactive monitoring of container images in an OpenShift cluster to give teams visibility into—and more control over—risks associated with open source components in those images. Black Duck works with Red Hat OpenShift Container Platform so operations and infrastructure teams can manage open source security risk more efficiently and at scale.
In addition to scanning for open source vulnerabilities, Black Duck helps teams understand the license terms and potential conflicts of the open source they use, as well as potential maintenance and code quality issues. This analysis covers not only the application code itself but also the Linux operating system packages and other components typically included when the application is packaged in a container. It also shows whether a reported vulnerability has already been addressed by an update in Red Hat's errata (security advisory) feed, so teams can tell a finding that needs a rebuild from one that is still awaiting a fix.
Because the integration runs inside Red Hat's OpenShift implementation of Kubernetes, Black Duck can monitor images continuously rather than only at scan time: when a vulnerability is disclosed after an image has been scanned and deployed, the stored component inventory is re-matched against the new advisory and customers are alerted. This shortens the window of exposure when new vulnerabilities become public. Once alerted, teams can rebuild the affected image against the fixed packages Red Hat ships and redeploy the updated version to the OpenShift environment.
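The re-matching step described above (and the errata check from the previous paragraph) is the core of what an SCA tool does after the initial scan. The following is an added illustration written for this article, not Black Duck's or Red Hat's code: it keeps a stored inventory for one container image, matches it against an advisory set, and reports only findings that appeared after the scan, together with whether a fix is already published. Component names, advisory IDs (ADV-000x) and versions are constructed for the example, and the version comparison is deliberately simplified to numeric dotted versions.

```python
"""Continuous monitoring of a container image's open source inventory.

Illustrative example, not vendor code. Inventory, advisories and IDs are
constructed; version comparison handles only numeric dotted versions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    source: str  # where it came from: OS package manager, language ecosystem, ...


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    component: str
    affected_below: str            # every version strictly below this is affected
    fixed_in: Optional[str] = None  # None means no fixed version has been published yet


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory

    def key(self):
        # Identity used to suppress findings that were already reported.
        return (self.component.name, self.component.version, self.advisory.vuln_id)


def version_key(v: str) -> tuple:
    """Numeric dotted versions only, e.g. '2.4.1' -> (2, 4, 1).
    Simplification: real ecosystems (RPM epoch:version-release, semver
    pre-release tags) need ecosystem-specific comparators."""
    return tuple(int(p) for p in v.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    if component.name != advisory.component:
        return False
    return version_key(component.version) < version_key(advisory.affected_below)


def find_affected(inventory, advisories):
    """Match every component in the stored inventory against every advisory."""
    return [Finding(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def newly_affected(inventory, advisories, already_reported):
    """Continuous monitoring: the image is not rescanned. The inventory saved
    at scan time is re-matched against the current advisory set, and only
    findings not previously reported are returned."""
    return [f for f in find_affected(inventory, advisories) if f.key() not in already_reported]


def remediation(finding: Finding) -> str:
    """Errata-style check: is there a fixed version to rebuild against?"""
    a = finding.advisory
    if a.fixed_in is None:
        return "no fix published; mitigate or accept risk"
    return f"upgrade {a.component} to {a.fixed_in} and rebuild the image"


# --- constructed sample data -------------------------------------------------
IMAGE = "registry.example.com/shop/api:1.4"  # hypothetical image reference
INVENTORY = [
    Component("libalpha", "2.4.1", "rpm"),  # from the base OS layer
    Component("libbeta", "1.0.9", "npm"),   # application dependency
    Component("libgamma", "3.2.0", "rpm"),
]
ADVISORIES_AT_SCAN = [
    Advisory("ADV-0001", "libalpha", affected_below="2.4.0", fixed_in="2.4.0"),
]
# Advisories published after the image was scanned and deployed:
ADVISORIES_LATER = ADVISORIES_AT_SCAN + [
    Advisory("ADV-0002", "libalpha", affected_below="2.4.3", fixed_in="2.4.3"),
    Advisory("ADV-0003", "libbeta", affected_below="1.1.0"),          # no fix yet
    Advisory("ADV-0004", "libdelta", affected_below="9.9"),           # not in this image
]


def demo():
    """Returns (findings at scan time, findings that appeared afterwards)."""
    scan_time = find_affected(INVENTORY, ADVISORIES_AT_SCAN)
    reported = {f.key() for f in scan_time}
    later = newly_affected(INVENTORY, ADVISORIES_LATER, reported)
    return scan_time, later


if __name__ == "__main__":
    scan_time, later = demo()
    print(f"{IMAGE}: {len(scan_time)} finding(s) at scan time")
    for f in later:
        c, a = f.component, f.advisory
        print(f"NEW {a.vuln_id}: {c.name} {c.version} ({c.source}) -> {remediation(f)}")
```

At scan time the image is clean (libalpha 2.4.1 is at or above the 2.4.0 fix for ADV-0001). When ADV-0002 and ADV-0003 arrive later, the stored inventory alone is enough to raise two new alerts, one with a rebuild target and one with no fix yet, without pulling or rescanning the image.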
For more information, see the Red Hat and Synopsys partner page.