Dramatically Reduce the Time to Container Vulnerability Resolution

I'm excited to preview the results of our latest efforts to dramatically reduce the time from container vulnerability disclosure to resolution. Some of you may have read my blog post in January advocating Black Duck’s work with the Red Hat OpenShift Container Platform. The goal of that effort was simple — provide visibility into the open source risks associated with containers deployed in OpenShift. This simple requirement is of immense value to any organization deploying containerized applications in production. Putting this into perspective, ask yourself this question, “If a security vulnerability were disclosed an hour ago, how many of our containers would be impacted?”

Starting today, OpenShift administrators have a simple method to answer this question. Black Duck Hub integrates with OpenShift to automatically scan the images in your cluster and identify open source components and associated risks. After installing the integration, wait for the image scans to complete, then remedy any risks identified. Once you have remedied the risks, you can identify the impact of any changes in risk using native OpenShift commands.

For example, any images impacted by a risk policy defined within Hub can be readily identified using the following command:

oc describe images -l "com.blackducksoftware.image.has-policy-violations=true"

Identify Container Vulnerabilities

One of the policy items that can be defined in Hub relates to security vulnerabilities. Security disclosures in open source components were released at an average rate of almost a dozen per day in 2016. While these disclosures may cover well-recognized components, common open source development practices such as forking and embedding tend to increase the impact of the disclosures. Remediation of any disclosure starts with clearly identifying which container images include the vulnerable component. From this list of impacted images, application owners and deployed containers are readily identified. Armed with this knowledge, OpenShift administrators and application owners can move from disclosure through impact assessment to remediation in a matter of hours. Importantly, once an image is scanned by Black Duck Hub, there is no need for ongoing scanning and no requirement to modify the image.
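The step from flagged images to deployed containers can be scripted. The sketch below is an added example, not Black Duck or Red Hat code: it joins the JSON from `oc get images -l "com.blackducksoftware.image.has-policy-violations=true" -o json` and `oc get pods --all-namespaces -o json` on the image digest. Grouping by namespace as a stand-in for the application owner is an assumption, and the sample data is constructed.

```python
import json
import re

# Label from the post's `oc describe images -l ...` command.
VIOLATION_LABEL = "com.blackducksoftware.image.has-policy-violations"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def flagged_digests(images_json):
    """Digests of Image objects whose violation label is 'true'."""
    flagged = set()
    for image in json.loads(images_json).get("items", []):
        labels = image.get("metadata", {}).get("labels") or {}
        if labels.get(VIOLATION_LABEL) == "true":
            flagged.add(image["metadata"]["name"])  # an Image is named by its digest
    return flagged

def impacted_pods(images_json, pods_json):
    """Map namespace -> sorted [(pod, container)] running a flagged image."""
    flagged = flagged_digests(images_json)
    hits = {}
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        # Pods that have not started yet carry no containerStatuses.
        for status in pod.get("status", {}).get("containerStatuses") or []:
            match = DIGEST_RE.search(status.get("imageID", ""))
            if match and match.group(0) in flagged:
                hits.setdefault(meta["namespace"], set()).add((meta["name"], status["name"]))
    return {ns: sorted(pairs) for ns, pairs in hits.items()}

# Constructed sample data in the shape of `oc get ... -o json` output.
BAD, GOOD = "sha256:" + "a" * 64, "sha256:" + "b" * 64
SAMPLE_IMAGES = json.dumps({"items": [
    {"metadata": {"name": BAD, "labels": {VIOLATION_LABEL: "true"}}},
    {"metadata": {"name": GOOD, "labels": {VIOLATION_LABEL: "false"}}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web-1"},
     "status": {"containerStatuses": [
         {"name": "web", "imageID": "docker-pullable://registry.example/shop/web@" + BAD}]}},
    {"metadata": {"namespace": "shop", "name": "db-1"},
     "status": {"containerStatuses": [
         {"name": "db", "imageID": "docker-pullable://registry.example/shop/db@" + GOOD}]}},
    {"metadata": {"namespace": "batch", "name": "job-1"}, "status": {}},
]})

if __name__ == "__main__":
    for ns, pods in impacted_pods(SAMPLE_IMAGES, SAMPLE_PODS).items():
        print(ns, pods)
```

Matching on the digest rather than the tag matters here: a pod started from a tag that has since been repointed still reports the digest it actually pulled in `imageID`.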

If you would like early access to container image scanning powered by Black Duck for OpenShift, please request entry in our Tech Preview.

 
