Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

1. Contain your risk:
Deploy secure containers
with trust and confidence

2. Speakers
Brent Baude
Principal Software Engineer-
Atomic and Docker
Development, Red Hat
Randy Kilmon
VP, Engineering, Black Duck

3. Today’s Topics
1. Overview of Red Hat and Black Duck
Container Security Partnership
2. State of Application Security and Open
Source
3. Container Security Best Practices
3

4. Joint Value for Container Security Partnership
• Greater adoption of Docker
containers with trust and
confidence
• Move from test/dev to
production workloads
• High-value or security-sensitive
applications
• Address CISO & Security needs
• Use existing and proven Black
Duck-based risk management
programs
Value to Customers
(Enterprises & ISVs)
• Automate security of Linux
containers in production with
CI/CD integrations and trusted
platform (OpenShift / Atomic
Host)
• Differentiate with integration of
enterprise-grade Risk
Assessment by Black Duck

5. Open Source Embraced By The Enterprise
OPEN SOURCE
• Needed functionality without
acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
OPEN SOURCE
CUSTOM CODE
Reference: Black Duck Software audits
• On average, open
source comprised
over 30% of the code
base
• > 98% of the
applications tested
used open source

6. OPEN SOURCE CODE
INTERNAL CODE
OUTSOURCED CODE
LEGACY CODE
REUSED CODE
SUPPLY CHAIN CODE
THIRD PARTY CODE
DELIVERED CODE
Open Source Enters the Code Base in Many Ways

7. 4 Factors That Make Open Source Different
7
Easy access to code
Exploits readily availableVulnerabilities are public
Used Everywhere

8. Safe and Trusted Use of Containers Is Critical to Adoption
Security is ranked as the #1 adoption challenge for containers
60% of customers are concerned about container security and lack of certification/image
provenance
40% of general container images in contain High Priority Vulnerabilities
4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock,
Venom, Ghost
98% of companies are using open source software they don’t know about

9. Container Security
Best Practices

10. Top 3 Container Security Concerns
Security of Docker and its infrastructure
Authenticity and provenance of the images
Content within the containers Docker runs

11. Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
• Attacks targeting the host system coming in through Docker would have
root privs
• Many Docker containers run with the –privileged flag set which
extends privileges of the container allowing it to access all devices on
the host system (BAD Idea).

12. Linux Adaptations to Counter Infrastructure Threats
Red Hat Atomic Host
• SE Linux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for
running containers at scale
• Lightwave used for managing authorization and identity
management

13. Container Content Vulnerabilities
Containers can be at risk by virtue of the code that runs inside
them
• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the –privileged flag
set
• Different open source flavors and versions, as well as different module
versions

14. Ensuring Content Integrity
Manage and monitor container content carefully…
• Dockerfile analysis is insufficient
.tar, .zip files could have anything inside them
Other layers are just referenced from other registries
• Asking the package manager is insufficient
Not all modules are under package manager’s purview
Application layer code (.jar’s, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!!

15. Container Security - Industry Efforts
Docker
Founder Solomon Hykes announced Nautilus project in opening day keynote
speech of DockerCon EU in November.
• Focused only on their 91 “official” (read: carefully/manually curated)
images
• Some static analysis
Red Hat
Container Certification Program
• Tested, certified, signed, supported container images for Red Hat and
partner offerings
• Dockerfile inspection

16. Red Hat Container Certification
UNTRUSTED
● Will what’s inside the containers compromise your
infrastructure?
● How and when will apps and libraries be updated?
● Will it work from host to host?
RED HAT CERTIFIED
● Trusted source for the host and the containers
● Trusted content inside the container with security fixes
available as part of an enterprise lifecycle
● Portability across hosts
● Container Development Kit
● Certification as a service
● Certification catalog
● Red Hat Container Registry
HOST OS
CONTAINER
OS
RUNTIME
APP
HOST OS
CONTAINER
OS
RUNTIME
APP

17. Black Duck – Level 2 Container Security
• Platform-agnostic support in Hub for analyzing all content (whether
inside containers or not)
• Docker host integration for scanning images
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting

18. The Black Duck KnowledgeBase

19. Red Hat Atomic +
Black Duck Hub
Integration

20. Red Hat
container
scanning API
Enabling multiple container scanners via a simple interface
RED HAT
CONTAINER
SCANNING
INTERFACE
MORE SECURE CONTAINERS WITH PLUGGABLE
SCANNING CAPABILITY

21. User-friendly wrapper for
containers
Significant function add
focused on ease-of-use
Scan sub-command
• Scan sub-command is
modular, allows for scan-
based plugins.
• Intended for ISVs or
customized plug-ins
Atomic CLI (https://github.com/projectatomic/atomic)

22. List shows which scanners
are configured for the system
• For RHEL, atomic is pre-
configured with the
openscap scanner
Atomic Scan

23. Installing the Black Duck Scanner is Simple with Atomic
Pulls the correct image from the registry
Runs a configuration script

24. Use --scanner to
choose the desired
scanner
Default scanner
can be defined
/etc/atomic.conf
Black Duck Scanner - Installed

25. Scanning an Image
Local Docker daemon shows 3 images. Lets scan one.

26. Scanning is Easy
Simple test scanning the RHEL7 image from the Red Hat registry.
At the end of the scan, you receive a URL to examine the report on the
Black Duck web interface.

27. Scan one or more
containers and/or images
--containers, --images, --all
--rootfs allows you to scan
a mounted filesystem
Think libguestfs mounts of
your VM’s
Additional Scan Options

28. • Scan code to identify OSS
components in use
• Understand risk factors
(security, license,
operational)
• Identify licenses, versions,
community activity
• View known security
vulnerabilities associated
with OSS in use within
your projects
• Monitor for new
vulnerabilities
Identify OSS and Understand Risk

29. Review project
vulnerabilities
Assess, triage and
prioritize
Schedule and track
planned and actual
remediation dates
Review Bill of Materials

30. Review project vulnerabilities
Assess, triage and prioritize
Schedule and track planned
and actual remediation dates
Triage & Remediate Vulnerabilities

31. Monitor for New Vulnerabilities

32. Cockpit – Browser Based Administration Tool
http://cockpit-project.org/
Can manage containers
New proposed features:
Working to display vulnerable images|containers
Allow users to scan from the web UI

33. Next Steps ...
Identify critical container images
Perform a free scan of those images
Identify Hub integration points in your development process
Transition to a minimal container host
Implement policy to monitor for security risk

34. Free Container Tools and Information
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Hub-Free-Trial.html
Red Hat Atomic Host Integration (Requires Black Duck Hub)
1. atomic install blackducksoftware/atomic
2. atomic scan --scanner blackduck [container]
Red Hat Container Content
• https://www.redhat.com/en/insights/containers
• https://www.redhat.com/en/technologies/topic/containers

35. Questions
35
redhat@blackducksoftware.com
http://www.blackducksoftware.com/redhat