New tech for Ops crew: Scanning containers for open-source vulns

Pushed out by newly acquired Black Duck

By John Leyden

Black Duck has launched a product that provides automatic detection of known open source vulnerabilities for containers.

The release of the tech comes days after Synopsys agreed to acquire Black Duck for $565m in a deal expected to close in December.

OpsSight, Black Duck’s first product specifically targeting the production phase of the software development life cycle, was unveiled at the firm’s annual user conference – Flight2017 – on Tuesday. The technology is designed to let organisations validate the contents of, and secure, container images in production, an increasingly important requirement as container technology becomes more commonplace in software development.

“OpsSight allows operations teams to be sure deployments are free from known open source security vulnerabilities because it provides full visibility into and control over the open source in the container images,” Black Duck chief exec Lou Shipley said.

The initial version of OpsSight has been optimised for Red Hat’s OpenShift, an enterprise-grade container platform based on industry standards, Docker and Kubernetes.

OpsSight offers automated scanning and inventory of open source in container images as they are instantiated or updated. The technology flags up any images that contain known security vulnerabilities, preventing them from being deployed to production.

Clive Longbottom, the founder of analyst house Quocirca, explained that scanning for vulnerabilities in containers was crucial for coding hygiene.

“If using older style containers where raised privilege can drill down to shared platform, it is a necessity, as otherwise can bring down the whole platform,” Longbottom explained. “For newer versions, it is still needed as would be for any other platform however, Black Duck scans for more than security: also scans to identify which open source licences are being used, ensuring organisations stay in compliance, particularly when selling on software.”

Open source guru Gordon Haff agreed that there’s a general need to inspect containers for security vulnerabilities. Haff explained: “It's like open source more broadly. Where did the software come from? Is it up to date? What are its dependencies?

“It's even easier to download containers and just stick them into production than with software packages more broadly,” he added.

Software vulnerability and patch management expert Flexera added: “Containers are simply a new way to distribute an application and its supporting infrastructure. All software has defects and compliance issues that need to be discovered and surfaced.”

Container security is a terra nova for security software startups, several of which are looking to make their mark. For example, Aqua Security has developed a security technology designed to stop rogue containers from misbehaving at run-time. ®
