Black Duck Intros Container Scanning

Black Duck Software on Tuesday announced that it has added container-scanning capabilities to its Hub software, letting users map known open source security flaws in applications, Linux distributions, and other software running in Docker and other Linux containers.
Adding a containerized scanner to a Docker host enables automatic identification of known open source vulnerabilities in all layers of containers on that host, the company said.
"We know from open source audits we conduct that users lack visibility into the open source [software] they are using and therefore cannot control it," said Brian Carter, Black Duck's director of strategic communications.
Black Duck "automatically IDs and inventories the open source [software], then maps known open source vulnerabilities," he told LinuxInsider. It also monitors the inventory for any new vulnerabilities that are discovered.
It has long been a sore point with users that vulnerability scanners can detect only known vulnerabilities.
However, "remember that Heartbleed and others were known vulnerabilities," Carter pointed out.

What the Market Needs

Docker may have needed the scanning capability at least as much as users of Hub software do. More than 30 percent of official Docker Hub repositories contained images with high-priority vulnerabilities, including the flaws behind Shellshock, Heartbleed and Poodle, according to a study BanyanOps conducted last year.
Docker maintains a curated list of official repositories through which software vendors or organizations can provide up-to-date versions of their container images.
Nearly two-thirds of the repositories have high- or medium-priority vulnerabilities, BanyanOps found.
There were about 75 official repositories back in May, with about 1,600 tags referring to approximately 960 unique images.
High-profile OpenSSL vulnerabilities such as Heartbleed and Poodle were present in nearly 10 percent of the official Docker Hub images. Some of the images also contained the Bash Shellshock bug.
Docker Hub also has general repositories -- about 95,000 when the BanyanOps study was written -- and hundreds of thousands of unique images.
BanyanOps selected 1,700 general images at random for content analysis and found that, overall, high- or medium-priority vulnerabilities were present in more than 70 percent of them.
Official images typically are built on Debian, and many of them contain a known Mercurial vulnerability, BanyanOps said.
General images apparently are built more commonly on Ubuntu and have Bash, APT and/or OpenSSL-related vulnerabilities, according to BanyanOps.
"Containers have caught the imagination of developers because they provide convenient bundles for deployment," said Al Hilwa, a research program director at IDC.
"We have been expecting a variety of software development tools to add support for containers, and in this context, it makes perfect sense to see leading code-scanning players like Black Duck support Docker containers," he told LinuxInsider.
However, the vulnerabilities aren't so much an issue of container security as code security, Hilwa pointed out. "Containers are simply another delivery format that needs to be supported."

Containerization Security Concerns Worry IT

Container adoption will skyrocket in the next few years, but IT concerns remain, according to Red Hat.

Of about 380 global IT decision-makers and professionals surveyed for Red Hat last year, 67 percent were planning containerization production rollouts over the next two years.

However, 60 percent were concerned about security and the lack of certification.

Scanning Is a Step, Not the Cure

Adding a containerized scanner to a Docker host is just the first step in combating container vulnerabilities.

"Black Duck helps orchestrate and track remediation," Carter explained. "Black Duck does not remediate."

Scanning tools do enable more secure deployments, but developers still have to take action, IDC's Hilwa said.

Code-scanning technology is analogous to virus-scanning software, he continued.

"A repository of vulnerability metadata or signatures has to be maintained, and the code is scanned against it," Hilwa said. "The role of the scanning software is to keep this metadata up to date."