Are Open Source Vulnerabilities Hidden in Your Containers?
Containers help development and DevOps teams increase agility and accelerate application delivery. Yet, with these benefits can come a loss of visibility and control for teams deploying and managing them. Containers bundle applications with a lot of software and files you may not know about or want in your production environment. As container adoption continues to grow, so does the risk of potential open source vulnerabilities hidden inside them and the increasing need for container security.
Building open source security into containerized applications
A recent study by Forrester Research cited security as the most common barrier to containerization. And as 96% of applications have open source software components, organizations need to take measures to address open source security throughout the entire DevOps process.
Black Duck Hub gives application development teams visibility into open source, allowing teams to identify, manage, and monitor security, license compliance, and code quality risks inside containers. Hub enables secure and agile development along the SDLC through flexible policy management features and integrations with popular build/CI tools such as Jenkins and TeamCity.
Black Duck OpsSight enables IT Operations teams to scan and monitor the open source risk of containers in the production environment. OpsSight automatically scans containers and identifies open source security vulnerabilities as they are utilized—ensuring a security review process that scales to any containerized environment. OpsSight users can set and enforce policies that prevent containers from running in the production environment unless they are free of open source vulnerabilities.
With Black Duck Hub and OpsSight, you can:
- Scan & Identify Open Source Components in the SDLC and Production Environment: Inventory open source in all layers of your containers, with insights into distribution sources, security vulnerabilities, and patch levels annotated on every vulnerable container.
- Map Known Vulnerabilities: Identify known vulnerabilities for the open source. Find out which ones are already patched and get remediation guidance for those that aren’t using Black Duck’s Knowledgebase™, the most extensive database of open source vulnerability data in the world.
- Monitoring for New Vulnerabilities: Enhance security with early notification of new vulnerabilities as they are reported to ensure that they are not in your running containers.
- Enforce Open Source Use Policies at Scale: Define exception-based policies that automatically flag and prevent containers with open source security vulnerabilities from running in production.