Container Vulnerability Management with OpsSight

Evan Klein is the Senior Product Marketing Manager at Black Duck Software.

Container technology allows IT operations teams to deploy and run hundreds or even thousands of containers at any given time. But this rapid deployment has created challenges in validating the contents and security of third-party container images. And when a new vulnerability is discovered, quickly identifying precisely which images and containers are affected is critical.

Last year, Black Duck built a container scanning solution into Black Duck Hub, which provided deep container inspection (DCI) of the many open source components used in the operating system user space, as well as applications and libraries that developers might add to containers. This enabled developers to inventory open source components and evaluate the related risks before pushing them into production. However, at today's rate of deployment, any solution that can only scan one image at a time simply won't scale to this new reality.

Introducing Black Duck OpsSight

Our new product, Black Duck OpsSight, is a scalable security solution for OpenShift Container Platform that brings open source visibility and control to operations teams managing large-scale container deployments.

OpsSight for OpenShift automatically discovers images as they are used, by listening for changes within the ImageStream and Kubernetes pod events. It then performs deep container inspection on both operating system and application layers to identify open source security and compliance risks at any phase of container construction. OpsSight is integrated directly into Red Hat OpenShift Container Platform, so operations and infrastructure teams can manage open source security risk efficiently and at scale.

A Proactive and Scalable Approach to Container Security

Some solutions in the market provide runtime security for containers, which is an important measure to take, but a reactive approach to security. These tools monitor running containers to determine whether any breaches have been attempted. OpsSight takes a proactive approach by finding vulnerabilities in the base image, allowing operations teams to fix problems before they even make it to production. When new vulnerabilities are reported, OpsSight alerts teams automatically if images in their registry are affected — so they can fix them before hackers attempt an exploit.

OpsSight provides the first proactive and scalable security solution for container deployments in three ways:

  1. Automatically scanning all images as they are pushed into production and whenever they are altered.
  2. Annotating the images with metadata around open source use, allowing you to flag images that violate policies and prevent them from running in production.
  3. Continuously monitoring for newly reported open source security vulnerabilities, providing alerts so teams can find and fix vulnerabilities before hackers can exploit them.

Other solutions scan single images, but that approach just isn't scalable for modern deployments. Containers are lightweight and easy to configure, allowing IT organizations to deploy and run more applications faster and more reliably. Scanning images one at a time creates an unmanageable bottleneck in the deployment process. OpsSight scans every image automatically, regardless of source.

OpsSight provides a transparent and automatic method to determine the open source risks embedded in all container images of an OpenShift cluster and allows enterprises and ISVs to deploy third-party containers with confidence. OpsSight will:

  • Identify vulnerable container images within minutes of security disclosures.
  • Map that information back to running containers.
  • Facilitate remediation by continuous scanning of any image as it enters the cluster, regardless of source.
  • Help prevent containers that violate open source security policies from being deployed into production.
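The workflow above (discover images from pod events, map a new disclosure back to the containers that run the affected image, and gate on image annotations) sketched as an added example; this is illustrative code, not OpsSight's own, and the event shape, the image references and the `vuln.high` annotation key are assumptions constructed for the demo.

```python
"""Added illustration (not OpsSight code): replay constructed Kubernetes pod
events into an inventory keyed by image digest, then map a newly disclosed
vulnerable digest back to the running containers that use it. The event
shape and the annotation key below are assumptions, not a real format."""
from collections import defaultdict

# Constructed sample of watch events, as a controller listening on pods would see them.
POD_EVENTS = [
    {"type": "ADDED", "pod": "web-1", "namespace": "shop",
     "containers": [{"name": "web", "image": "registry.example/shop/web@sha256:aaa111"}]},
    {"type": "ADDED", "pod": "api-1", "namespace": "shop",
     "containers": [{"name": "api", "image": "registry.example/shop/api@sha256:bbb222"},
                    {"name": "sidecar", "image": "registry.example/infra/proxy@sha256:ccc333"}]},
    {"type": "DELETED", "pod": "web-1", "namespace": "shop",
     "containers": [{"name": "web", "image": "registry.example/shop/web@sha256:aaa111"}]},
    {"type": "ADDED", "pod": "web-2", "namespace": "shop",
     "containers": [{"name": "web", "image": "registry.example/shop/web@sha256:aaa111"}]},
]

def image_digest(ref):
    """Return the immutable digest of an image reference; fall back to the ref itself for tag-only refs."""
    return ref.split("@", 1)[1] if "@" in ref else ref

def build_inventory(events):
    """Replay pod events into {digest: {(namespace, pod, container)}} for containers still running."""
    inventory = defaultdict(set)
    for ev in events:
        for c in ev["containers"]:
            key = (ev["namespace"], ev["pod"], c["name"])
            digest = image_digest(c["image"])
            if ev["type"] == "DELETED":
                inventory[digest].discard(key)
            else:
                inventory[digest].add(key)
    return {d: s for d, s in inventory.items() if s}

def affected_containers(inventory, vulnerable_digests):
    """Map a disclosure (set of affected digests) back to the running containers using them."""
    return {d: sorted(inventory.get(d, ())) for d in vulnerable_digests}

def blocked_by_policy(annotations, max_high=0):
    """Policy gate on image annotations (key name assumed): block when high-severity findings exceed the limit."""
    return int(annotations.get("vuln.high", 0)) > max_high
```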

Watch the video for more information and to see a quick demo

Putting Security at the Center of DevOps

OpsSight is the next phase of Black Duck's efforts to put open source security at the center of DevOps by helping operations and infrastructure teams manage open source efficiently and at scale. The OpsSight solution for production environments complements Black Duck Hub, which enables open source security throughout the development toolchain, from IDEs to CI/CD tools to repositories. Together they provide comprehensive open source security from Dev to Ops, integrating across the entire software development lifecycle and complementing OpenSCAP to provide a complete security solution.

Black Duck OpsSight and Red Hat OpenShift integration for container security:

You can learn more about Black Duck OpsSight for Red Hat OpenShift and container security at scale and request a demo at https://www.blackducksoftware.com/partners/red-hat.

Categories: OpenShift Container Platform