Containers in Production Environments

At the Open Source Open Standards event in London this month, an interesting question originated from my session on securing applications. (I’ve uploaded my deck to SlideShare for reference.) In this presentation I explored how to understand whether a security vulnerability exists in a deployed artifact. This is relevant to my employer, Black Duck Software, but it’s an important question for anyone working to keep applications online in the face of “the bad guys.” Like many security people, I talked about “hackers” and some of their tactics. I also explored some methodologies people use to identify vulnerabilities, and why the timeline for remediation isn’t on your side.

Then things started to get really interesting. I included an infographic in my presentation (because we all love easy-to-consume stats) stating that 73% of survey respondents use container technologies in development and test environments. The infographic included no information about usage of containers in production. During my talk, I never mentioned production usage, partly in the interests of time. This omission prompted a question to a different speaker just two hours later.

Using Containers in Production

In a later session, Keith Lynch from Red Hat presented on containers and how they’re transforming data centers. If you’re curious about that presentation, his deck is also up on SlideShare. Shifting to containers in data centers is a serious, almost tsunami-like, trend in the world of IT. One key point is that it was a “DevTest” trend until very recently. As with previous waves of “data center transformations,” you always start small and grow with experience. After all, technology often has issues in early versions, important things like security and usability may be problematic, and the available pool of experts is small.

Then an attendee in Keith’s session asked an excellent question: “I was in the earlier security talk (mine) and the speaker said that containers are used mostly in DevTest. Why is it that when I talk with security vendors, they always speak about DevTest usage, and when I speak to enterprise vendors like Red Hat and Oracle, containers are completely appropriate for production?” Keith’s answer was perfect; essentially he said: “Production use of container technologies is very much a reality. What we need to understand is there is a separation between the pure use of containers, and the delivery of containerized applications. Production use requires there to be more than just Docker; things like Kubernetes, OpenShift and Red Hat Atomic all form part of a true enterprise platform for container deployments.”

Success for Containerization

Keith hit the nail on the head. Production success for containerization requires more than just a single component. It requires us to think carefully about our objectives for containers. Are we looking to re-architect everything following a microservices pattern? Are we simply looking to provide an abstraction layer between a legacy user-space component and an underlying Linux distribution? Is our goal to increase the efficiency of our development teams? Is it to become more responsive to bursty traffic patterns in our applications?

Creating a Resilient Platform

Arguably, these are all production usage scenarios, and a resilient platform is key to them. From my perspective, a platform that incorporates security from the outset is crucial. The Red Hat OpenShift Container Platform is a perfect example of such a platform, and one that enables container security vulnerability scanning by default. It also integrates with Black Duck Hub as an open source vulnerability detection and management solution. Therefore, whether your containers originate from a curated and trusted source like Red Hat, your own unique code, or a combination, you’ll have the best vulnerability scan solution for production use, regardless of how you define “production.”

Learn more about how Black Duck is working with Red Hat.
