Red Hat and Black Duck Software are collaborating to establish a secure and trusted model for containerised application delivery by providing verification that application containers are free from known vulnerabilities and include only certified content. This validation is a major step forward in enabling enterprise-ready application containers, and builds upon the strengths of each company – Red Hat’s leadership in container technologies and solutions, including its platform and certification strategy, and Black Duck’s unique position as the provider of the most comprehensive identification and earliest notification technologies of open source vulnerabilities.
Because containers enable consistent operating environments for development, testing, and deployment, they are quickly becoming a mainstream technology. Container security, however, – including provenance, certification, policy and trust – has emerged as a challenge for enterprise adoption. A recent survey of global IT professionals commissioned by Red Hat through TechValidate showed that more than 60 percent of respondents identified container security, certification, and image provenance as key issues. Underscoring these concerns is the fact that more than 30 percent of official images in the Docker Hub contain high priority security vulnerabilities, according to a May 2015 study by BanyanOps. Thus, enterprise-level Deep Container Inspection(DCI), combined with certification, policy and trust, will be integral to the development, deployment, and management of containers – which is exactly what the collaboration between Black Duck and Red Hat is aimed at providing.
As an initial part of the collaboration, the companies plan to integrate Black Duck’s container scanning and open source security vulnerability-mapping software - Black Duck Hub - with OpenShift, Red Hat’s Platform-as-a-Service (PaaS) offering, providing reports and data on potential vulnerabilities present in container images made available in the OpenShift registry, a Red Hat-backed repository of validated, secure and trusted container images. Black Duck’s KnowledgeBase provides the backbone for the Hub, and includes information on 1.1 million open source projects, with detailed data on more than 100,000 known open source vulnerabilities across more than 350 billion lines of code.
Black Duck Hub identifies and inventories the open source code in an application, maps any known open source security vulnerabilities and dynamically monitors the inventory, providing alerts on any new vulnerabilities affecting the code.
OpenShift is the first enterprise-ready, web-scale container application platform based on Docker-formatted Linux containers, Kubernetes orchestration, and Red Hat Enterprise Linux. When used with the Black Duck Hub, OpenShift customers can consume, develop and run containerised applications with increased confidence and security, knowing that these applications contain code that has been validated/certified.
In addition, the companies plan to include Black Duck technologies as a set of complementary services within Red Hat’s current container certification workflow for application builders such as Independent Software Vendors (ISVs). Red Hat previously announced an end-to-end certified container ecosystem strategy focused on enterprise readiness and support, similar to the work the company achieved with Linux in the enterprise. Black Duck’s scanning and vulnerability-mapping technology, reporting and KnowledgeBase integration will add to an already robust container certification process.