With containers, we’ve changed the way we deploy applications. Now it’s time to change the way we secure them, with container scanning tools for open source.
Containers require a different approach to application security
Containers, which speed time to market and enable continuous delivery, represent a dramatic shift in the way we package and deliver applications. Such a significant change in how we deploy applications requires an equally significant change in how we secure them.
Modern container images typically contain many open source components. These include the base image, dependencies, frameworks, and other helpful open source projects. But open source components can carry a great deal of risk. Some even have software vulnerabilities that could expose sensitive customer data or internal data.
Development, security, and IT operations teams often aren't aware of the risks of using open source, so they keep using the same application security tools they've always used. But because container deployment is rapid and continuous, many of these traditional tools, such as penetration testing, cannot keep up. In short, organizations that use containers need a new approach to application security.
If our annual OSSRA report is any indication, organizations are having trouble keeping track of the open source they're using, so they can't be sure whether it contains vulnerabilities. Tracking these open source components manually becomes nearly impossible at the scale of many container deployments. And if you don't know what components you use, you can't understand the associated security risks.
Container scanning tools for open source
You can gain visibility into open source risks in container clusters with a container scanning tool, such as Black Duck OpsSight. Black Duck OpsSight scans container images for open source components and alerts users of software vulnerabilities in those components. This helps IT and security teams understand and monitor their open source vulnerabilities at scale.
What Black Duck OpsSight does:
- Automatically identifies container images and scans for all known open source vulnerabilities in the cluster.
- Uses Black Duck Security Advisories (BDSAs) to provide actionable remediation guidance.
- Provides policy management so teams can define and enforce policies around acceptable risk and flag containers in violation.
- Continuously monitors for new security disclosures affecting production containers and proactively notifies IT operations teams of the security impact.
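The workflow the list above describes (inventory the images a cluster is running, match their open source components against advisories, apply a risk policy, and re-check running containers when a new disclosure lands) as a small added example; this is illustrative code written for this post, not OpsSight's own implementation or API, and every image, pod, component and advisory in it is constructed:

```python
from dataclasses import dataclass

# Constructed data for illustration only; none of this is OpsSight output.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Advisory:
    component: str     # open source component name
    affected: str      # affected version (exact match, for brevity)
    severity: str      # low / medium / high / critical
    remediation: str   # actionable guidance, e.g. "upgrade to 1.2.12"

# Which open source components each image carries (the scan result).
IMAGE_COMPONENTS = {
    "registry.example/api:1.4": [("openssl", "1.1.1a"), ("zlib", "1.2.11")],
    "registry.example/web:2.0": [("nginx", "1.15.2"), ("zlib", "1.2.11")],
}

# Running pods, as the orchestrator would report them.
RUNNING_PODS = [
    {"namespace": "prod", "name": "api-7d9f", "image": "registry.example/api:1.4"},
    {"namespace": "prod", "name": "web-3c21", "image": "registry.example/web:2.0"},
]

ADVISORIES = [
    Advisory("openssl", "1.1.1a", "high", "upgrade to a patched 1.1.1 release"),
    Advisory("zlib", "1.2.11", "low", "no action required under current policy"),
]

def find_violations(pods, inventory, advisories, max_allowed="medium"):
    """Return (pod name, advisory) pairs whose severity exceeds the policy ceiling."""
    ceiling = SEVERITY_RANK[max_allowed]
    index = {}
    for adv in advisories:
        index.setdefault((adv.component, adv.affected), []).append(adv)
    violations = []
    for pod in pods:
        for comp, ver in inventory.get(pod["image"], []):
            for adv in index.get((comp, ver), []):
                if SEVERITY_RANK[adv.severity] > ceiling:
                    violations.append((pod["name"], adv))
    return violations

def affected_by_disclosure(new_adv, pods, inventory):
    """Continuous monitoring: which running pods does a new advisory touch?"""
    return sorted({pod["name"] for pod in pods
                   for comp, ver in inventory.get(pod["image"], [])
                   if (comp, ver) == (new_adv.component, new_adv.affected)})
```

With the constructed data, only the api pod violates a "medium" ceiling (via openssl); a new critical zlib advisory would immediately flag both pods, which is the notification step the last bullet describes.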
What’s new in Black Duck OpsSight 2.2
More organizations are adopting containers to quickly and continuously deliver applications, and as a result container technologies are growing more diverse. Some organizations have chosen lightweight alternatives to the Docker runtime, such as CRI-O. And many are updating to Kubernetes 1.13 to manage their cluster life cycle with kubeadm.
So we’re excited to announce that Black Duck OpsSight 2.2 extends support to CRI-O environments and Kubernetes 1.13. Now those using the newest runtimes and orchestrators can effectively manage open source security risks in their clusters at scale.
In addition to Kubernetes 1.9.1–1.13, Black Duck OpsSight also supports Red Hat OpenShift 3.6–3.10, AWS Elastic Kubernetes Service, and Google Kubernetes Engine.
Finally, overburdened IT operations teams cannot afford to waste time configuring security solutions to meet scaling requirements. Black Duck OpsSight 2.2 uses the Synopsys Operator, based on the Kubernetes Operator Framework. This technology simplifies OpsSight deployment and management. It also enables better coordination between OpsSight and the Black Duck server and improves the fault tolerance of the entire solution.
Learn more about scanning and monitoring your containers for open source vulnerabilities.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Charlie Klein. Read the original post at: https://www.synopsys.com/blogs/software-security/container-scanning-black-duck-opssight/