New tech for Ops crew: Scanning containers for open-source vulns

Black Duck has launched a product that provides automatic detection of known open source vulnerabilities for containers.

The release of the tech comes days after Synopsys agreed to acquire Black Duck for $565m in a deal expected to close in December.

OpsSight, Black Duck’s first product specifically targeting the production phase of the software development life cycle, was unveiled at the firm’s annual user conference – Flight2017 – on Tuesday. The technology is designed to allow organisations to validate the contents and securing container images in production, an increasingly important requirement as use of container technology becomes more commonplace in software development.

“OpsSight allows operations team to be sure deployments are free from known open source security vulnerabilities because it provides full visibility into and control over the open source in the container images,” Black Duck chief exec Lou Shipley said.

The initial version of OpsSight has been optimised for Red Hat’s OpenShift, an enterprise-grade container platform based on industry standards, Docker and Kubernetes.

OpsSight offers automated scanning and inventory of open source in container images as they are instantiated or updated. The technology flags up any images that contain known security vulnerabilities, preventing them from being deployed to production.

Clive Longbottom, the founder of analyst house Quocirca, explained that scanning for vulnerabilities in containers was crucial for coding hygiene.

“If using older style containers where raised privilege can drill down to shared platform, it is a necessity, as otherwise can bring down the whole platform,” Longbottom explained. “For newer versions, it is still needed as would be for any other platform however, Black Duck scans for more than security: also scans to identify which open source licences are being used, ensuring organisations stay in compliance, particularly when selling on software.”

Open source guru Gordon Haff agreed that there’s a general need to inspect containers for security vulnerabilities. Haff explained: “It's like open source more broadly. Where did the software come from? Is it up to date? What are its dependencies?

“It's even easier to download containers and just stick them into production than with software packages more broadly,” he added.

Containers are simply a new way to distribute an application and its supporting Infrastructure. All software has defects and compliance issues that need to be discovered and surfaced.”

Software vulnerability and patch management expert Flexera added: “Containers are simply a new way to distribute an application and its supporting Infrastructure. All software has defects and compliance issues that need to be discovered and surfaced.” ®

Container security is a terra nova for security software startups several of which are looking to make their mark. For example, Aqua Security has developed a security technology designed to stop rogue containers from misbehaving at run-time. ®