With the rise of container orchestration platforms, we’ve seen IT operations teams deploying and running hundreds or even thousands of containers at any given time. This rapid deployment surfaces challenges in validating the contents and security of container images being deployed.
Last year we built a Docker scanning solution into our core product, Black Duck Hub, enabling developers building containerized applications to inventory open source and evaluate related risks prior to pushing them into production. At the rate of deployment today, however, we know that any solution that can only scan one image at a time simply won’t scale to this new reality. While we help developers address application and container security earlier in the SDLC, we also want to provide operations teams with a security solution that can scale with their deployments.
Introducing Black Duck OpsSight
Today, we are happy to announce the launch of our new product, Black Duck OpsSight, a solution that brings open source visibility and control to operations teams managing large-scale container deployments. The first supported platform for OpsSight is the Red Hat OpenShift Container Platform. Black Duck OpsSight for OpenShift automatically scans every image in an OpenShift cluster to inventory open source components and the associated security vulnerabilities and license compliance risks. OpsSight provides the first proactive and scalable security solution for container deployments in three ways:
- It automates scans for all images as they are pushed into production and any time they are altered.
- It annotates the images with metadata around open source use, allowing you to flag images that violate policies and prevent them from deploying to production.
- It continuously monitors for newly reported open source security vulnerabilities and alerts teams so they can find and fix vulnerabilities before hackers can exploit them.
A Proactive and Scalable Approach to Container Security
Some solutions in the market provide runtime security for containers, which is an important measure to take, but a reactive approach to security. These tools monitor running containers to determine whether any breaches have been attempted. OpsSight takes a proactive approach by finding vulnerabilities in the base image, allowing operations teams to fix problems before they even make it to production. When new vulnerabilities are reported, OpsSight alerts teams automatically if images in their registry are affected — so they can fix them before hackers attempt an exploit.
Other solutions scan single images, but that approach just isn’t scalable for modern deployments. Containers are lightweight and easy to configure, allowing IT organizations to deploy and run more applications faster and more reliably. Scanning images one at a time creates an unmanageable bottleneck in the deployment process. OpsSight scans every image automatically, regardless of its source.
Putting Security at the Center of DevOps
OpsSight is the next phase of Black Duck’s efforts to put open source security at the center of DevOps by helping operations and infrastructure teams manage open source efficiently and at scale. The OpsSight solution for production environments complements the Black Duck Hub solution, which enables open source security throughout the development toolchain, from IDEs to CI/CD tools to repositories. Together, they provide comprehensive open source security from Dev to Ops.
You can learn more about Black Duck OpsSight and container security at scale at www.blackducksoftware.com/products/opssight.