RALEIGH, NC -- We love Docker and containers. But, the more we use containers the more we worry exactly what it is we're running when we spin them up. So, Linux giant and cloud power Red Hat and Black Duck, a leader in automating securing and managing open-source software, are working together on establishing a secure and trusted model for containerized application delivery.
We love containers because they enable consistent operating environments for development, testing, and deployment. That's the good news. The bad news is that container security has lagged behind its advantages.
Containers are black boxes. It's hard to see exactly what inside a container. People assume that a WordPress container contains a fully-patched, ready to run version. That's a bad assumption.
Today, we don't have an automated way to be certain of a container's provenance, certification, and the quality of the code within it. Because of this, trust has emerged as a reason why enterprises are hesitating about container adoption. Indeed, a recent Red Hat-sponsored survey of more than 383 global IT decision makers and professionals found that 60 percent believe that container security, certification, and image provenance as key issues.
There's reason. According to a May 2015 study by BanyanOps, more than 30 percent of official images in the Docker Hub contain high priority security vulnerabilities. Therefore, we really need Deep Container Inspection (DCI), combined with certification, policy and trust, to be part of the container ecosystem.
That's where the Red Hat and Black Duck partnership comes in.
Their idea is to provide certified container verification. As the first part of this collaboration, the companies will integrate Black Duck Hub, Black Duck's container scanning and vulnerability-mapping software, with OpenShift, Red Hat's Platform-as-a-Service (PaaS) cloud offering. This will then deliver potential vulnerabilities reports.
The Hub's foundation is Black Duck's KnowledgeBase. This contains information on 1.1 million open-source projects. Within it, you'll find detailed data on more than 100,000 known open-source vulnerabilities with more than 350 billion lines of code.
In the long run, the companies plan to include Black Duck technologies as a component of Red Hat's container certification.