Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier for development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
2. How Pervasive is Open Source?
• > 98% of the applications tested used open source
• On average, open source comprised over 30% of the code base
(Chart: Open Source vs. Custom Code)
Composition of software tested across 1400 Black Duck customers
Reference: Black Duck Software audits
3. Building Trust & Confidence is Critical to Adoption of Docker
Security is ranked as the #1 adoption challenge for containers
• 60% of customers are concerned about container security and lack of certification/image provenance
• 40% of available container images contain High Priority Vulnerabilities
• 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost
Black Duck Customer Conference
4. Areas of Concern
Docker security issues fall into three main categories
• Docker itself and the infrastructure it uses
• The authenticity and provenance of the images themselves
• The security profile of the content within the containers Docker runs
5. Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
  • Attacks targeting the host system that come in through Docker would have root privileges
• Many Docker containers run with the --privileged flag set, which extends the privileges of the container, allowing it to access all devices on the host system (BAD idea).
6. Responses
Linux adaptations to counter the threat
• Red Hat Atomic Host
  • SELinux (multi-tenancy)
  • “Locked down” system (read-only /usr)
  • Intended to change configurations only in /var & /etc
  • No yum package manager
• VMware Photon and Lightwave
  • Photon is an optimized and secured Linux host designed for running containers at scale
  • Lightwave is used for managing authorization and identity management
7. Container Contents
Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors in the same way they can in traditional deployment models
  • Could cause problems for the application itself
  • Could cause more problems if the container is running with the --privileged flag set
• Different OS flavors and versions, as well as different module versions
  • Based on any one of many Linux distributions
  • Patches must be managed carefully
  • Security, but also compatibility & supportability
8. Responses
Manage and monitor container content carefully
• Dockerfile analysis is insufficient
  • .tar and .zip files could have anything inside them
  • Other layers are just referenced from other registries
• Asking the package manager is insufficient
  • Not all modules are under the package manager’s purview
  • Application layer code (.jar files, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!
9. Microservices
The more containers you spin up, the larger the attack surface you expose
• Speed is critical
  • Speed to detection of problems
  • Speed to remediation
10. The Black Duck Solution
Black Duck key differentiators
• Platform-agnostic support in Hub for analyzing all content (whether inside containers or not)
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
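Slide 8 argues that only file-level inspection reveals what a layer really contains (package managers never see a library bundled inside an application .jar), and slide 10 describes signature-based identification that reports the layer in which a component was introduced. The following is an added illustration of that technique, not Black Duck Hub's code: it walks constructed in-memory image layers, hashes every file (descending into .jar/.war/.zip archives), matches the hashes against a constructed signature catalogue, and records the first layer and path where each component appears. All file contents, component names and catalogue entries are constructed sample data.

```python
import hashlib, io, tarfile, zipfile

def build_tar_layer(files):
    """Build an in-memory image layer (tar) from {path: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
def build_jar(entries):
    """Build an in-memory .jar (a zip archive) from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
def iter_layer_files(layer_bytes):
    """Yield (path, bytes) for every regular file in a layer, descending into .jar/.war/.zip archives."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            yield member.name, data
            if member.name.endswith((".jar", ".war", ".zip")):
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for name in zf.namelist():
                        if not name.endswith("/"):
                            yield f"{member.name}!/{name}", zf.read(name)
def scan_image(layers, catalogue):
    """Map each matched component to the first layer index and path where its file signature appears."""
    found = {}
    for idx, layer in enumerate(layers):
        for path, data in iter_layer_files(layer):
            component = catalogue.get(hashlib.sha256(data).hexdigest())
            if component and component not in found:
                found[component] = {"layer": idx, "path": path}
    return found

# Constructed sample image: layer 0 is a base OS with a shared library; layer 1 is the app layer, whose fat .jar bundles a third-party library that no OS package manager lists.
LIBSSL = b"constructed bytes standing in for libssl.so.1.0.1"
COMMONS = b"constructed bytes standing in for commons-collections-3.2.1.jar"
LAYERS = [build_tar_layer({"usr/lib/libssl.so.1.0.1": LIBSSL, "etc/os-release": b"ID=sample\n"}),
          build_tar_layer({"app/app.jar": build_jar({"lib/commons-collections-3.2.1.jar": COMMONS})})]
# Constructed signature catalogue (sha256 -> component name); a real scanner uses a vendor signature database.
CATALOGUE = {hashlib.sha256(LIBSSL).hexdigest(): "openssl 1.0.1 (sample)",
             hashlib.sha256(COMMONS).hexdigest(): "commons-collections 3.2.1 (sample)"}
```

Calling `scan_image(LAYERS, CATALOGUE)` attributes the shared library to layer 0 and the bundled .jar to layer 1 with its archive-internal path, which is the per-layer provenance the slide describes.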
11. Key Integration Points
Many options for workflow
• Scan on any Docker host by accessing images through the Docker daemon
• Scan on RH Atomic Host with file system level integration
• Scan directly against a Docker registry
• CI tools: Jenkins, Bamboo, etc.
• OpenShift (currently in development)*