June 28, 2016

As a security professional it’s frustrating that security is always an afterthought. Innovative tools and techniques emerge and gain momentum until they become virtually ubiquitous, and then someone eventually stops and says, “Wait. We should probably make this secure, too, right?” Container technologies reached that “Oh, wait” stage in 2015, and security has suddenly become one of the primary considerations for organizations that have already embraced containers or are looking to do so.

One of the strengths of containers is also one of their greatest potential weaknesses. Many container technologies are built around open source tools and platforms: software that almost anyone can change or update, but that may not be actively maintained by anyone at the same time. Docker and other container platforms also lean heavily on shared, pre-built images designed for specific tasks, and each of those images carries whatever packages its author bundled, at whatever version they happened to be when the image was built.

A survey conducted by Red Hat found that 60 percent of respondents are concerned about container security and certification. Those concerns appear well founded: a May 2015 study from BanyanOps found that more than 30 percent of the official container images shared on Docker Hub contain high-priority security vulnerabilities.

In order to adopt containers securely and with confidence, organizations need a combination of container inspection (knowing what is actually inside an image), certification (knowing who vouches for it), and policy and trust (deciding what is allowed to run). These are the elements Red Hat hopes to deliver for customers.

Red Hat recently teamed up with Black Duck to give enterprise customers some peace of mind when it comes to container security. The collaboration between the two establishes a secure model for containerized application delivery by verifying that containers include only certified content that is free from known vulnerabilities.

“Container technology is another breakthrough in the constant drive to increase development agility and get products to market more quickly. Speed and agility are key drivers for container adoption in the enterprise, but not at the expense of security,” explained Lou Shipley, CEO, Black Duck. “The Black Duck-Red Hat collaboration is rooted in the collective value that we deliver from an open source perspective, by helping to make containers safe for enterprise use.”

Open source software and component libraries are both valuable for effective and efficient software development, but they become a liability when they carry known vulnerabilities that nobody is tracking. Red Hat is integrating Black Duck’s container scanning and open source vulnerability mapping tools with its OpenShift Platform-as-a-Service (PaaS) solution. Black Duck’s KnowledgeBase includes information on 1.1 million open source projects and detailed data on more than 100,000 known open source vulnerabilities.
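The inspection-and-policy model described above (inventory the open source components in an image, map them against a vulnerability knowledge base, and gate delivery on the result) is easier to reason about in code. The following is an added illustration written for this page; it is not Black Duck’s or Red Hat’s code and does not use their APIs. The package inventory is constructed in the shape of `rpm -qa --qf '%{NAME} %{VERSION}\n'` output, the feed entries with `DEMO-*` identifiers are invented for the example and are not real advisories, and the version ordering is a deliberate simplification of what `rpmvercmp` or `dpkg` do (no epochs or release tags).

```python
import re
from dataclasses import dataclass

# Constructed sample data (not taken from any real image or advisory feed).
# An image's installed-package inventory, one "name version" pair per line.
VULNERABLE_MANIFEST = """\
# name version
openssl 1.0.1e
bash 4.2.45
zlib 1.2.8
glibc 2.17
"""

# The same image after its base packages were updated.
PATCHED_MANIFEST = """\
openssl 1.0.1g
bash 4.3
zlib 1.2.8
glibc 2.18
"""


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    package: str
    fixed_in: str   # first version that contains the fix
    severity: str   # critical / high / medium / low


# Constructed knowledge-base entries; DEMO-* identifiers are invented for this example.
FEED = [
    Vuln("DEMO-0001", "openssl", "1.0.1g", "high"),
    Vuln("DEMO-0002", "zlib", "1.2.8", "low"),
    Vuln("DEMO-0003", "bash", "4.3", "medium"),
    Vuln("DEMO-0004", "glibc", "2.18", "critical"),
    Vuln("DEMO-0005", "curl", "7.40.0", "high"),   # not installed in either manifest
]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed_in: str
    severity: str


def parse_version(version: str) -> tuple:
    """Tokenise a version string for ordering: numeric runs compare as integers,
    alphabetic runs as strings, and a shorter prefix sorts first, so
    "1.0.1" < "1.0.1e" < "1.0.1g" < "1.0.2". Simplification: real package
    managers also handle epochs and release tags."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def parse_package_list(text: str) -> dict:
    """Turn 'name version' lines into a {name: version} inventory.
    Blank lines and '#' comments are ignored; a repeated name keeps the last entry."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(maxsplit=1)
        packages[name] = version
    return packages


def scan(packages: dict, feed) -> list:
    """Map the inventory against the feed: a package is affected when it is
    installed at a version older than the first fixed version."""
    findings = []
    for vuln in feed:
        installed = packages.get(vuln.package)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(vuln.fixed_in):
            findings.append(Finding(vuln.vuln_id, vuln.package, installed,
                                    vuln.fixed_in, vuln.severity))
    return findings


BLOCKING_SEVERITIES = frozenset({"critical", "high"})


def certify_image(manifest: str, feed=FEED, block_on=BLOCKING_SEVERITIES):
    """Policy gate. Returns (passed, all_findings, blocking_findings): every match
    is reported, but only severities in block_on fail the image."""
    findings = scan(parse_package_list(manifest), feed)
    blocking = [f for f in findings if f.severity in block_on]
    return (not blocking), findings, blocking


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("patched", PATCHED_MANIFEST)):
        passed, findings, blocking = certify_image(manifest)
        print(f"{label}: {'PASS' if passed else 'FAIL'} "
              f"({len(findings)} findings, {len(blocking)} blocking)")
        for f in findings:
            print(f"  {f.vuln_id} {f.package} {f.installed} < {f.fixed_in} [{f.severity}]")
```

The point of separating `scan` from `certify_image` is that inspection and policy are different decisions: the scan should report everything it can map, while the gate encodes what the organization is willing to ship. Note also what this kind of check cannot do: it only flags packages the feed already knows to be affected, so an image with a vulnerability that has not yet been published, or a component the inventory does not list, passes cleanly.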

“A significant part of an enterprise-ready container strategy is the ability to trust the code across the entire lifecycle of a containerized application, from development to management,” stated Lars Herrmann, general manager of integrated solutions for Red Hat. “Red Hat and Black Duck are extending the value of Red Hat’s platform and certification process to the broader developer community and our customers in addition to our robust partner ecosystem.”

Red Hat describes OpenShift as an enterprise-ready, web-scale container application platform built on Docker-formatted Linux containers, Kubernetes orchestration, and Red Hat Enterprise Linux. The Black Duck Hub monitors the open source components inside those containers so customers can develop and run containerized applications knowing that the underlying code has been checked against known vulnerabilities. That is a narrower guarantee than “validated as secure”: a knowledge-base scan finds the vulnerabilities that have already been catalogued, not the ones nobody has reported yet, so it is one control among several rather than a substitute for the rest.

Tony Bradley is Community Manager for Tenable Network Security and Editor-in-Chief of TechSpective. Tony has a passion for technology and gadgets, with a focus on Microsoft and security. He also loves spending time with his family and likes to think he enjoys reading and golf even though he never finds the time for either.