Drop, no, wait, deploy Anchore: Security code plunges into containers
Vulnerability scans miss most of the iceberg, startup insists
Schrödinger's cat, as described in a famous thought experiment formulated to explain the indeterminacy of quantum states, sits in a steel box, at once alive and dead.
It's conceit that depends on the opacity of the box. Such blindness is anathema in the information technology industry, where compliance rules demand knowing something about one's corporate software, hardware, and business processes.
Anchore is offering companies a way to see inside the box, specifically Docker container images. On Tuesday, the Santa Barbara, California-based startup announced the open source release of Anchore 1.0, the company's container inspection and analytics platform. There's also an enterprise version, with more bells and whistles.
Containers tend to be more secure than applications running on bare metal, according to consultancy Gartner. But there are risks, as Docker explains on its website. And those risks have brought competitors like Twistlock into what looks to be a growing market.
In a phone interview with The Register, Andy Cathrow, VP of products and marketing, insisted that container security is a significant issue for many customers. Image scanning, he said, has become a common feature among vendors with container-oriented software.
But image scanning only touches the surface of containers, Cathrow contends. "It's what's above the water," he said, noting that such systems provide information about vulnerabilities (CVEs) affecting the software in a container, but they don't provide the depth of information necessary to meet compliance requirements.
In Cathrow's analogy, the container is an iceberg – one that doesn't endanger cruise passengers or imprison cats. Anchore allows companies to deal with what's below the container's waterline. It can apply rules for container deployment based on CVEs, required packages, disallowed packages, library versions, or specific configuration files, as required for image compliance. And it integrates with continuous integration/continuous deployment pipelines.
Cathrow points to a public SSH key Vine inadvertently leaked as an example of the kind of information not available to cursory container scans. The incident didn't involve CVEs, but there were nonetheless configuration problems, he said.
CEO Saïd Ziouani said Anchore will support other container formats and VMs eventually. Ideally, this will occur before technologically driven climate change has done away with icebergs. ®