New tech for Ops crew: Scanning containers for open-source vulns

Pushed out by newly acquired Black Duck

By John Leyden

Posted in DevOps, 9th November 2017 10:09 GMT

Black Duck has launched a product that provides automatic detection of known open source vulnerabilities for containers.

The release of the tech comes days after Synopsys agreed to acquire Black Duck for $565m in a deal expected to close in December.

OpsSight, Black Duck’s first product specifically targeting the production phase of the software development life cycle, was unveiled at the firm’s annual user conference – Flight2017 – on Tuesday. The technology is designed to allow organisations to validate the contents of container images in production and secure them, an increasingly important requirement as the use of container technology becomes more commonplace in software development.

“OpsSight allows operations teams to be sure deployments are free from known open source security vulnerabilities because it provides full visibility into and control over the open source in the container images,” Black Duck chief exec Lou Shipley said.

The initial version of OpsSight has been optimised for Red Hat’s OpenShift, an enterprise-grade container platform based on industry standards, Docker and Kubernetes.

OpsSight offers automated scanning and inventory of open source in container images as they are instantiated or updated. The technology flags up any images that contain known security vulnerabilities, preventing them from being deployed to production.

Clive Longbottom, the founder of analyst house Quocirca, explained that scanning for vulnerabilities in containers was crucial for coding hygiene.

“If using older-style containers where raised privilege can drill down to the shared platform, it is a necessity, as otherwise it can bring down the whole platform,” Longbottom explained. “For newer versions, it is still needed, as it would be for any other platform. However, Black Duck scans for more than security: it also scans to identify which open source licences are being used, ensuring organisations stay in compliance, particularly when selling on software.”

Open source guru Gordon Haff agreed that there’s a general need to inspect containers for security vulnerabilities. Haff explained: “It's like open source more broadly. Where did the software come from? Is it up to date? What are its dependencies?

“It's even easier to download containers and just stick them into production than with software packages more broadly,” he added.

Software vulnerability and patch management expert Flexera added: “Containers are simply a new way to distribute an application and its supporting infrastructure. All software has defects and compliance issues that need to be discovered and surfaced.”

Container security is terra nova for security software startups, several of which are looking to make their mark. For example, Aqua Security has developed a security technology designed to stop rogue containers from misbehaving at run-time. ®
