Innovation

Red Hat and Black Duck partner to secure containers

Red Hat and Black Duck want to make sure that when you run a container, it's really the container you want to run and not a rogue package.

Written by Steven Vaughan-Nichols, Senior Contributing Editor Oct. 20, 2015 at 2:22 p.m. PT

RALEIGH, NC -- We love Docker and containers. But, the more we use containers the more we worry exactly what it is we're running when we spin them up. So, Linux giant and cloud power Red Hat and Black Duck, a leader in automating securing and managing open-source software, are working together on establishing a secure and trusted model for containerized application delivery.

Red Hat and Black Duck tackle the crucial question: "What's really in those containers?"

We love containers because they enable consistent operating environments for development, testing, and deployment. That's the good news. The bad news is that container security has lagged behind its advantages.

Containers are black boxes. It's hard to see exactly what inside a container. People assume that a WordPress container contains a fully-patched, ready to run version. That's a bad assumption.

Today, we don't have an automated way to be certain of a container's provenance, certification, and the quality of the code within it. Because of this, trust has emerged as a reason why enterprises are hesitating about container adoption. Indeed, a recent Red Hat-sponsored survey of more than 383 global IT decision makers and professionals found that 60 percent believe that container security, certification, and image provenance as key issues.

There's reason. According to a May 2015 study by BanyanOps, more than 30 percent of official images in the Docker Hub contain high priority security vulnerabilities. Therefore, we really need Deep Container Inspection (DCI), combined with certification, policy and trust, to be part of the container ecosystem.

What a hybrid cloud is in the 'multi-cloud era,' and why you may already have one

Now that the services used by an enterprise and provided to its customers may be hosted on servers in the public cloud or on-premises, maybe "hybrid cloud" isn't an architecture any more. While that may the case, that's not stopping some in the digital transformation business from proclaiming it a way of work unto itself.

Read now

That's where the Red Hat and Black Duck partnership comes in.

Their idea is to provide certified container verification. As the first part of this collaboration, the companies will integrate Black Duck Hub, Black Duck's container scanning and vulnerability-mapping software, with OpenShift, Red Hat's Platform-as-a-Service (PaaS) cloud offering. This will then deliver potential vulnerabilities reports.

The Hub's foundation is Black Duck's KnowledgeBase. This contains information on 1.1 million open-source projects. Within it, you'll find detailed data on more than 100,000 known open-source vulnerabilities with more than 350 billion lines of code.

In the long run, the companies plan to include Black Duck technologies as a component of Red Hat's container certification.

Related Stories:

Editorial standards

Show Comments

Red Hat and Black Duck partner to secure containers

What a hybrid cloud is in the 'multi-cloud era,' and why you may already have one

What a hybrid cloud is in the 'multi-cloud era,' and why you may already have one

Related

Logitech mouse and keyboard users are getting a free AI upgrade

Linus Torvalds takes on evil developers, hardware errors and 'hilarious' AI hype

The best AI image generators to try right now