One of the most challenging aspects of container security is finding open source software vulnerabilities. A Gartner study showed that 95% of all mission-critical applications contain open source components, but Black Duck found that 98% of companies are using open source they don’t know about. Additionally, Black Duck’s Open Source Security Analysis Report found that 67% of applications reviewed contained known open source security vulnerabilities. Clearly there is a disconnect—people see value in open source, but they haven’t mastered the identification and remediation of security threats.
It’s time to gain visibility into your containers and take action.
The Explosion of Containers
The explosion of containerized application software motivated many companies to provide simple insights, but most solutions don’t get the job done. Until now, it was challenging to scan containers for open source security threats. But with the new container scanning features of the Black Duck Hub, organizations can easily identify and assess those threats in everything from application components to patched versions of the underlying operating system. In addition, they can continuously monitor containers for new security threats.
Black Duck and Red Hat have partnered to deliver infrastructure for secure and trusted containers. Black Duck Hub can secure containers whether they’re running Red Hat Enterprise Linux, Red Hat Atomic Host, or OpenShift by Red Hat. These systems provide a robust infrastructure to rapidly deploy and scale containerized applications and services. By installing the Black Duck Hub, you can pull a Docker image from a repository and scan the image (or running container).
A Black Duck scan provides an inventoried report of the open source components found inside that image, including any components that violate corporate policy. Note that our inventory includes not just operating system packages like RPM, but also application layer components like Apache Tomcat. We also map open source components, down to the patch level, to known security vulnerabilities. Black Duck Hub also continuously monitors for new security threats, in case new vulnerability reports match the open source components inside your container.
Integration with Atomic Host
Our VP of Engineering Randy Kilmon and Sr. Software Engineer Ton Schoots elaborated on the Black Duck Hub’s integration with Atomic Host, which aims to understand the provenance of open source components as they appear in Docker Containers. The Black Duck Hub uses hard detection methods to build this inventory of open source components. We’re comparing what we call “Code Prints” of the code in binaries that we scan against the Black Duck Knowledge Base – the most comprehensive database on open source projects and vulnerabilities.
Rather than just looking at and trusting things like the package manager information, Ton Schoots stated, “that’s the biggest danger you have, because if people really want to hack your system, they’re smart and they know how to fool a package manager. That’s the easiest way to fool the system.” Randy Kilmon agreed, and added “not only can we scan and secure Docker containers, but we can secure containers across all environments as well.”
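The contrast between trusting package manager metadata and identifying components by their actual content can be sketched in a few lines of Python. This is an added example, not Black Duck code; the fingerprint table, advisory identifiers, file paths and image contents are all constructed placeholders standing in for a real knowledge base and a real image layer.

```python
import hashlib

# Constructed fingerprint table: sha256 of file content -> (component, version).
# Stands in for a knowledge base lookup; the bytes are made up for this example.
FINGERPRINTS = {
    hashlib.sha256(b"tomcat-8.0.32 bytes").hexdigest(): ("apache-tomcat", "8.0.32"),
    hashlib.sha256(b"tomcat-8.5.4 bytes").hexdigest(): ("apache-tomcat", "8.5.4"),
    hashlib.sha256(b"openssl-1.0.1e bytes").hexdigest(): ("openssl", "1.0.1e"),
}

# Constructed advisory table: (component, version) -> advisory ids (placeholders).
ADVISORIES = {
    ("apache-tomcat", "8.0.32"): ["ADVISORY-PLACEHOLDER-1"],
    ("openssl", "1.0.1e"): ["ADVISORY-PLACEHOLDER-2"],
}

# Constructed image contents and package manager manifest for the same image.
# The manifest claims a newer Tomcat than the bytes on disk, and omits OpenSSL.
IMAGE_FILES = {
    "/opt/tomcat/lib/catalina.jar": b"tomcat-8.0.32 bytes",
    "/usr/lib64/libssl.so": b"openssl-1.0.1e bytes",
}
MANIFEST = {"apache-tomcat": "8.5.4"}


def inventory_by_content(files):
    """Identify components from file bytes alone, ignoring package metadata."""
    found = {}
    for path, data in files.items():
        hit = FINGERPRINTS.get(hashlib.sha256(data).hexdigest())
        if hit:
            found[hit[0]] = (hit[1], path)
    return found


def audit(files, manifest):
    """Compare the content-derived inventory with what the package manager claims."""
    found = inventory_by_content(files)
    report = {"mismatch": [], "unlisted": [], "vulnerable": []}
    for comp, (ver, path) in found.items():
        claimed = manifest.get(comp)
        if claimed is None:
            report["unlisted"].append((comp, ver, path))
        elif claimed != ver:
            report["mismatch"].append((comp, claimed, ver, path))
        for adv in ADVISORIES.get((comp, ver), []):
            report["vulnerable"].append((comp, ver, adv))
    return report
```

Running `audit(IMAGE_FILES, MANIFEST)` flags Tomcat as a version mismatch and OpenSSL as a component the manifest never mentioned, and maps both content-identified versions to their advisories; a manifest-only scan would have reported a patched Tomcat and no OpenSSL at all.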