
Black Duck Intros Container Scanning

By Richard Adhikari LinuxInsider ECT News Network
Jan 13, 2016 10:10 AM PT

Black Duck Software on Tuesday announced it has added container-scanning capabilities to its Hub software, letting users map open source security flaws in applications, Linux distros, and other software running in Docker and other Linux containers.

Adding a containerized scanner to a Docker host enables automatic identification of known open source vulnerabilities in all layers of containers on that host, the company said.

"We know from open source audits we conduct that users lack visibility into the open source [software] they are using and therefore cannot control it," said Brian Carter, Black Duck's director of strategic communications.

Black Duck "automatically IDs and inventories the open source [software], then maps known open source vulnerabilities," he told LinuxInsider. It also monitors the inventory for any new vulnerabilities that are discovered.

It's long been a sore point with users that cybersecurity software can detect only known vulnerabilities.

However, "remember that Heartbleed and others were known vulnerabilities," Carter pointed out.

What the Market Needs

Docker may have needed the scanning capability at least as much as users of Hub software do. More than 30 percent of official Docker Hub repositories contain images that are very susceptible to security attacks such as Shellshock, Heartbleed and Poodle, according to a study BanyanOps conducted last year.

Docker maintains a curated list of official repositories through which software vendors or organizations can provide up-to-date versions of their container images.

Nearly two-thirds of the repositories have high- or medium-priority vulnerabilities, BanyanOps found.

There were about 75 official repositories back in May, with about 1,600 tags referring to approximately 960 unique images.

High-profile OpenSSL vulnerabilities such as Heartbleed and Poodle were present in nearly 10 percent of the official Docker Hub images. Some of the images also contained Bash ShellShock.

Docker Hub also has general repositories -- about 95,000 when the BanyanOps study was written -- and hundreds of thousands of unique images.

BanyanOps selected 1,700 images at random for content analysis and found that, overall, high and medium vulnerabilities were present in more than 70 percent of those images.

Official images typically are built on Debian, and many of them contain the Mercurial vulnerability, BanyanOps said.

General images apparently are built more commonly on Ubuntu and have Bash, APT and/or OpenSSL-related vulnerabilities, according to BanyanOps.

"Containers have caught the imagination of developers because they provide convenient bundles for deployment," said Al Hilwa, a research program director at IDC.

"We have been expecting a variety of software development tools to add support for containers, and in this context, it makes perfect sense to see leading code-scanning players like Black Duck support Docker containers," he told LinuxInsider.

However, the vulnerabilities aren't so much an issue of container security as code security, Hilwa pointed out. "Containers are simply another delivery format that needs to be supported."

Containerization Security Concerns Worry IT

Container adoption will skyrocket in the next few years, but IT concerns remain, according to Red Hat.

Of about 380 global IT decision-makers and professionals surveyed for Red Hat last year, 67 percent were planning containerization production rollouts over the next two years.

However, 60 percent were concerned about security and the lack of certification.

Scanning Is a Step, Not the Cure

Adding a containerized scanner to a Docker host is just the first step in combating container vulnerabilities.

"Black Duck helps orchestrate and track remediation," Carter explained. "Black Duck does not remediate."

Scanning tools do enable more secure deployments, but developers still have to take action, IDC's Hilwa said.

Code-scanning technology is analogous to virus-scanning software, he continued.

"A repository of vulnerability metadata or signatures has to be maintained, and the code is scanned against it," Hilwa said. "The role of the scanning software is to keep this metadata up to date."
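The two ideas above, inventorying the open source packages in every layer of an image and matching that inventory against a maintained advisory database, can be shown in a small script. The following is an added example, not Black Duck's code or any real scanner's; the layer listings, the advisory entries and their "ADV-CONSTRUCTED" identifiers are constructed sample data, and the version comparison is a simplified stand-in for the full dpkg algorithm.

```python
import re

# Constructed sample input: one dpkg listing per image layer, in the shape
# printed by `dpkg-query -W -f='${Package} ${Version}\n'` inside that layer.
# Layer 0 is the base image; later layers add or upgrade packages.
LAYER_LISTINGS = [
    "bash 4.3-11\nopenssl 1.0.1e-2\nlibc6 2.19-18\n",   # layer 0: base distro
    "mercurial 3.1.2-2\n",                              # layer 1: app build
    "openssl 1.0.1k-3\n",                               # layer 2: security update
]

# Constructed advisory database (placeholder IDs, not real CVE numbers).
# Each entry: affected package, first fixed version, severity.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "package": "openssl",
     "fixed_in": "1.0.1g-1", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-0002", "package": "bash",
     "fixed_in": "4.3-11+deb8u1", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-0003", "package": "mercurial",
     "fixed_in": "3.1.2-2+deb8u2", "severity": "medium"},
    {"id": "ADV-CONSTRUCTED-0004", "package": "libc6",
     "fixed_in": "2.19-1", "severity": "medium"},
]


def version_key(version):
    """Split a Debian-style version into numeric and non-numeric runs so that
    '4.3-11' sorts before '4.3-11+deb8u1'. Simplified on purpose: epochs and
    '~' are not ordered the way dpkg does; a real scanner uses the full rules."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|\D+", version)]


def version_less(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def parse_dpkg_listing(text):
    """Turn 'name version' lines into {name: version}."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, version = line.split()
            packages[name] = version
    return packages


def effective_inventory(listings):
    """Merge layer listings the way the image filesystem does: a later layer
    that installs the same package overrides the earlier version.
    Returns {name: (version, index_of_layer_that_provided_it)}."""
    inventory = {}
    for index, text in enumerate(listings):
        for name, version in parse_dpkg_listing(text).items():
            inventory[name] = (version, index)
    return inventory


def scan(inventory, advisories):
    """Match the inventory against the advisory database: a package is
    flagged when its installed version is older than the first fixed one."""
    findings = []
    for adv in advisories:
        entry = inventory.get(adv["package"])
        if entry is None:
            continue
        installed, layer = entry
        if version_less(installed, adv["fixed_in"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": installed, "fixed_in": adv["fixed_in"],
                             "severity": adv["severity"], "layer": layer})
    return sorted(findings, key=lambda f: f["id"])


def scan_image(listings, advisories):
    """Scan the final image content (all layers merged)."""
    return scan(effective_inventory(listings), advisories)


def scan_each_layer(listings, advisories):
    """Scan the image as it stood after each layer, so a flaw that a later
    layer fixed is still visible in the layer history."""
    return [scan(effective_inventory(listings[:n + 1]), advisories)
            for n in range(len(listings))]


if __name__ == "__main__":
    for f in scan_image(LAYER_LISTINGS, ADVISORIES):
        print(f"{f['severity']:6} {f['id']} {f['package']} {f['installed']} "
              f"(fixed in {f['fixed_in']}, introduced by layer {f['layer']})")
```

On the sample data the merged image is flagged for bash and mercurial only: the base layer's openssl is older than the fixed version, but layer 2 upgrades it, so a per-layer scan shows the flaw appearing in layer 0 and disappearing in layer 2. Keeping the advisory list current is the part Hilwa describes as the scanner's job; acting on the findings remains the developer's.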

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
