Dramatically Reduce the Time to Container Vulnerability Resolution

Dramatically Reduce the Time to Container Vulnerability Resolution

I'm excited to preview the results of our latest efforts to dramatically reduce the time from container vulnerability disclosure to resolution. Some of you may have read my blog post in January advocating Black Duck’s work with the Red Hat OpenShift Container Platform. The goal of that effort was simple — provide visibility into the open source risks associated with containers deployed in OpenShift. This simple requirement is of immense value to any organization deploying containerized applications in production. Putting this into perspective, ask yourself this question, “If a security vulnerability were disclosed an hour ago, how many of our containers would be impacted?”

Starting today, OpenShift administrators have a simple method to answer this question. Black Duck Hub integrates with OpenShift to automatically scan the images in your cluster and identify open source components and associated risks. After installing the integration, wait for the image scans to complete, then remedy any risks identified. Once you have remedied the risks, you can identify the impact of any changes in risk using native OpenShift commands.

Learn about the Red Hat OpenShift Container Platform Integration

For example, any images impacted by a risk policy defined within Hub can be readily identified using the following command:

oc describe images -l "com.blackducksoftware.image.has-policy-violations=true"

Identify Container Vulnerabilities

One of the policy items that can be defined in Hub relates to security vulnerabilities. Security disclosures in open source components were released at an average rate of almost a dozen per day in 2016. While these disclosures may cover well-recognized components, common open source development practices such as forking and embedding tend to increase the impact of the disclosures. Remediation of any disclosure starts with clearly identifying which container images include the vulnerable component. From this list of impacted images, application owners and deployed containers are readily identified. Armed with this knowledge, OpenShift administrators and application owners can move from disclosure through impact assessment to remediation in a matter of hours. Importantly, once an image is scanned by Black Duck Hub, there is no need for ongoing scanning and no requirement to modify the image.

If you would like early access to container image scanning power by Black Duck for OpenShift, please request entry in our Tech Preview.


Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Should You Replace Apache Struts? Maybe. Or, Maybe Not.

| Sep 14, 2017

It’s one hell of a year for Apache Struts. With the latest round of security disclosures comingled with the Equifax data breach, it's reasonable for users of Struts to start questioning if they should be migrating to another framework. After all, there have been five possible remote code execution

| MORE >

RSA Singapore Review - The Perils of Security Hubris

| Aug 4, 2017

With RSA Singapore now in the books, it’s time to look back on the event and a core theme of experiential learning. The stage was set for this with IBM’s Diana Keely highlighting how today’s attacks are rather reminiscent of successful tactics from the past — a form of cyber groundhog day. She

| MORE >

A Voracious Appetite for Open Source Software Worldwide

| Jun 15, 2017

At Black Duck Software, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as a key component to both understanding where the development community is and educating them

| MORE >