One of the things IT operations teams don’t much care for about containers is the lack of visibility many of them have into how each container depends on the operating system it runs on. Any time a new vulnerability in the operating system is discovered, it’s difficult for an IT operations team to figure out which containers might be affected.
To address that specific issue CoreOS created Clair, an open source analytics tool that inspects container images for known security flaws. Clair, formally released today, enables IT organizations to keep track of operating system vulnerabilities and run a scan to discover if a container image has any issues involving those vulnerabilities.
In addition to now being able to identify the patch or update that eliminates a vulnerability, version 1.0 of Clair adds support for a faster RESTful JSON API that is more accessible than the previous Clair API and a new interface through which IT operations teams can abstract database operations, beginning with support for version 9.4 of Postgres.
Jake Moshenko, product manager at CoreOS, says Clair can also identify the appropriate patch or operating system update to eliminate the vulnerability and, via an open Clair application programming interface (API), enable the IT operations teams to share that information with any number of remediation systems to eliminate a vulnerability. That means rather than delivering a stream of alerts about vulnerabilities, Clair is designed to provide IT operations with actionable intelligence about how any container image might be affected by any given vulnerability, says Moshenko.
In fact, Moshenko says an analysis conducted by CoreOS found that more than 70 percent of detected vulnerabilities could be fixed simply by updating the installed packages in these container images. In addition, CoreOS reports that more than 80 percent of vulnerabilities rated High and Critical have known fixes that can be applied with a simple update to packages in a container image.
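To make the "actionable intelligence" idea above concrete, here is an added example (not CoreOS code, and not from the article) that triages a scan result into the two buckets the statistics describe: vulnerabilities a package update would close, and those without a known fix. The JSON layout (`Layer` → `Features[]` → `Vulnerabilities[]` with a `FixedBy` field) and all package, version and CVE values are assumptions constructed for the example, not values from the page.

```python
import json

# Constructed sample shaped like an assumed Clair "layer with vulnerabilities"
# JSON response. Every digest, package, version and CVE name below is made up.
SAMPLE_RESPONSE = json.dumps({
    "Layer": {
        "Name": "sha256:constructed-layer-digest",
        "NamespaceName": "debian:8",
        "Features": [
            {"Name": "openssl", "Version": "1.0.1k-3", "Vulnerabilities": [
                {"Name": "CVE-EXAMPLE-0001", "Severity": "High", "FixedBy": "1.0.1t-1"},
                {"Name": "CVE-EXAMPLE-0002", "Severity": "Low", "FixedBy": ""},
            ]},
            {"Name": "glibc", "Version": "2.19-18", "Vulnerabilities": [
                {"Name": "CVE-EXAMPLE-0003", "Severity": "Critical", "FixedBy": "2.19-18+deb8u4"},
            ]},
            {"Name": "bash", "Version": "4.3-11", "Vulnerabilities": []},
        ],
    }
})

def triage(response_text):
    """Flatten the response into one finding per (package, vulnerability) pair."""
    layer = json.loads(response_text)["Layer"]
    findings = []
    for feature in layer.get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            fixed_by = vuln.get("FixedBy", "")      # empty string: no known fix yet
            findings.append({
                "package": feature["Name"],
                "installed": feature["Version"],
                "cve": vuln["Name"],
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_by": fixed_by,
                "fixable": bool(fixed_by),
            })
    return findings

def remediation_plan(findings, severities=("High", "Critical")):
    """Map package -> list of target versions for fixable findings at the given severities.
    Picking the newest of several versions needs the distro's own version ordering,
    so the list is left for the remediation system to resolve."""
    plan = {}
    for f in findings:
        if f["fixable"] and f["severity"] in severities:
            plan.setdefault(f["package"], []).append(f["fixed_by"])
    return plan

def fixable_ratio(findings):
    """Fraction of detected vulnerabilities that a package update would close."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["fixable"]) / len(findings)
```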
Given the size of the operating system attack surface, the challenge facing IT operations teams is that there are so many vulnerabilities that it becomes difficult to keep track of which ones will directly impact their applications. Moshenko says Clair provides a mechanism not only for automating much of that process, but also for performing a routine audit of all the container images an organization might have running at any given moment.
Historically, there’s been a lot of finger pointing between developers and IT operations teams over who should be responsible for security. In reality, both camps need to work collaboratively to address the issue. Most hackers are looking for the simplest exploit they can find. If they don’t find one easily, they simply move on to the next potential victim, because it’s often not economical for them to spend too much time trying to hack one application when there are plenty of other potential targets. Clair presents IT organizations with an analytics tool to eliminate vulnerabilities in a way that ultimately serves to disrupt the economic model of the hacker community.
There is, of course, no such thing as perfect IT security. But more often than not the IT industry is its own worst enemy. All too often a provider of an operating system will reveal that a vulnerability exists at the time it delivers a patch or an update. But because the patch or update does not get installed in a timely fashion, that information is then exploited by the hacker community. Finding a way to easily make sure that everyone realizes what the vulnerability could potentially mean for a container image should go a long way towards making sure those patches and updates actually get installed.