At the Open Source Open Standards event in London this month, an interesting question originated from my session on securing applications. (I’ve uploaded my deck to SlideShare for reference.) In this presentation I explored how to understand whether a security vulnerability exists in a deployed artifact. This is relevant to my employer, Black Duck Software, but it’s an important question for anyone working to keep applications online in the face of “the bad guys.” Like many security people, I talked about “hackers” and some of their tactics. I also explored some methodologies people use to identify vulnerabilities, and why the timeline for remediation isn’t on your side.
Then things started to get really interesting. I included an infographic in my presentation (because we all love easy-to-consume stats) stating that 73% of survey respondents use container technologies in development and test environments. The infographic included no information about usage of containers in production. During my talk, I never mentioned production usage – partly in the interests of time. This omission prompted a question to a different speaker just two hours later.
Using Containers in Production
In a later session, Keith Lynch from Red Hat presented on containers and how they’re transforming data centers. If you’re curious about that presentation, his deck is also up on SlideShare. Shifting to containers in data centers is a serious, almost tsunami-like, trend in the world of IT. One key point is that it was a “DevTest” trend until very recently. As with previous waves of “data center transformations,” you always start small and grow with experience. After all, technology often has issues in early versions, important things like security and usability may be problematic, and the available pool of experts is small.
Then an attendee in Keith’s session asked an excellent question: “I was in the earlier security talk (mine) and the speaker said that containers are used mostly in DevTest. Why is it that when I talk with security vendors, they always speak about DevTest usage, and when I speak to enterprise vendors like Red Hat and Oracle, containers are completely appropriate for production?” Keith’s answer was perfect, and essentially he said – “Production use of container technologies is very much a reality. What we need to understand is that there is a separation between the pure use of containers and the delivery of containerized applications. Production use requires there to be more than just Docker; things like Kubernetes, OpenShift and Red Hat Atomic all form part of a true enterprise platform for container deployments.”
Success for Containerization
Keith hit the nail on the head. Production success for containerization requires more than just a single component. It requires us to think carefully about our objectives for containers. Are we looking to re-architect everything following a microservices pattern? Are we simply looking to provide an abstraction layer between a legacy user-space component and an underlying Linux distribution? Is our goal to increase the efficiency of our development teams? Is it to become more responsive to bursty traffic patterns in our applications?
Creating a Resilient Platform
Arguably, these are all production usage scenarios, and a resilient platform is key to them. From my perspective, a platform that incorporates security from the outset is crucial. The Red Hat OpenShift Container Platform is a perfect example of such a platform, and one that enables container security vulnerability scanning by default. It also integrates with Black Duck Hub as an open source vulnerability detection and management solution. Therefore, whether your containers originate from a curated and trusted source like Red Hat, from your own unique code, or from a combination of the two, you’ll have the best vulnerability scan solution for production use – regardless of how you define “production.”
Learn more about how Black Duck is working with Red Hat.