How to find open source code vulnerabilities in containers

Randy Kilmon, Vice President of Engineering at Black Duck Software looks at security problems in containers

This is a contributed piece by Randy Kilmon, Vice President of Engineering at Black Duck Software

As was clear at the recent DockerCon 2016, containerization of applications has become mainstream for most enterprises. But as container use grows, it’s imperative to have a clear understanding of the risks associated with the use of containers. To fully benefit from containers, ensuring the security of container deployments is essential.

Container providers such as Docker and Red Hat are aggressively moving towards reassuring the marketplace about container security. Indeed, just this June, Red Hat launched a new container scanning interface to enable security platforms such as the Black Duck Hub and the OpenSCAP scanner to easily plug into the Red Hat OpenShift Container Platform. The aim was to enable users to more easily see what’s running inside their containers and whether the latest security updates have been applied.

Open source vulnerability management is a key aspect of ensuring containers are safe to deploy. From a practical standpoint, everyone is using open source. Popular container images on Docker Hub and elsewhere contain hundreds – sometimes thousands – of open source packages, comprising libraries, application frameworks and other utilities and middleware.

Are you including open source vulnerabilities in your containers?

One of the most challenging aspects of container security is finding open source software vulnerabilities. If you’re using open source code within your containerized app—and based on Black Duck research, the chances are good that you are—then the chances are also good that you’re including open source vulnerabilities.

Whether building applications for containers or traditional deployment, it’s critical to use security testing tools to gain visibility into and identify vulnerabilities in your code. Equally important is the need to understand the components (including open source) in the applications, and any risk that may be introduced by those components. Without that visibility, organizations risk exposing their containerized applications to attack. And with over 6,000 open source vulnerabilities discovered since 2014, the risk is very real.

How do you begin? One starting point could be the Black Duck Security Checker, a free tool based on the Black Duck Hub security solution. It is limited in scope, however: the maximum file size for a Security Checker scan is 100 MB, and the free service is limited to three scans.

What to look for in an open source security scanning tool

Organizations looking to manage and deploy containers at scale will need the following capabilities in any open source security solution they choose.

  • Deep Insight – A full scanning solution should provide deep insight into the open source being used in the containerized app, including security vulnerabilities, open source license requirements, and open source component health and activity.
  • Consistent Management of Open Source Risks throughout the SDLC – Ideally the tool will provide a single solution to manage open source comprehensively and consistently across all environments (web, mobile, IoT, etc.), platforms, languages, application types, and delivery models (container vs non-container).
  • Scanning Accuracy – The highest risk for vulnerabilities is in the container application layer. Look for a tool that can effectively identify open source in the application layer.
  • Advanced Vulnerability Data – Many open source security solutions rely solely on information available from the National Vulnerability Database (NVD). Enterprise-level open source security solutions will augment NVD information to provide information for more vulnerabilities than those listed in NVD, give notification earlier than NVD, and provide remediation guidance not found in NVD.
  • Support for Any Container Environment – A comprehensive open source security scanning solution can be used within any Docker environment and support private, public, and organizational repositories as well as environments not managed by Docker Cloud, including Red Hat OpenShift, AWS, Google, and custom environments.
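To make the application-layer and scanning-accuracy points concrete, here is an added example written for this article (not Black Duck's tooling): a small Python scanner that walks a docker-save style list of layer tarballs, honours whiteout entries so that files deleted by a later layer are not inventoried, and matches pinned packages from every requirements.txt against an advisory list. The layers, the advisories and their version ranges are all constructed for the example; it assumes exact `==` pins and ignores opaque whiteouts.

```python
import io
import re
import tarfile

# Constructed advisories, not real NVD entries: (package, first vulnerable, first fixed)
ADVISORIES = [("requests", "2.0.0", "2.20.0"), ("pyyaml", "0.0.0", "5.4")]

def _version(s):  # crude numeric key: '2.18.0' -> (2, 18, 0)
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])
def build_layer(files):  # pack {path: text} into one uncompressed tar layer
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def inventory(layers):
    """Flatten layers bottom to top and collect (name, version) pins from every
    requirements.txt; a '.wh.<name>' whiteout entry deletes <name> from below."""
    fs = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for m in tar.getmembers():
                d, _, name = m.name.rpartition("/")
                if name.startswith(".wh."):
                    fs.pop(f"{d}/{name[4:]}" if d else name[4:], None)
                elif m.isfile():
                    fs[m.name] = tar.extractfile(m).read().decode()
    pkgs = set()
    for path, text in fs.items():
        if path.endswith("requirements.txt"):
            for line in text.splitlines():
                if "==" in line:
                    n, v = line.strip().split("==")
                    pkgs.add((n.lower(), v))
    return pkgs

def find_vulnerable(pkgs):
    """Sorted (name, version, fixed_in) for every pin inside an advisory range."""
    return sorted((n, v, fixed) for n, v in pkgs for a, lo, fixed in ADVISORIES
                  if n == a and _version(lo) <= _version(v) < _version(fixed))
# Constructed two-layer image: the top layer whiteouts the build-time pins
SAMPLE_IMAGE = [
    build_layer({"build/requirements.txt": "pyyaml==5.1\n"}),
    build_layer({"build/.wh.requirements.txt": "",
                 "app/requirements.txt": "requests==2.18.0\nflask==1.0\n"}),
]
```

Scanning only the bottom layer would report the build-time pyyaml pin, while the flattened image correctly reports just the requests pin that actually ships.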

To fully benefit from containers, employing tools to ensure the security and integrity of container deployments is essential. Security issues such as exploitable vulnerabilities in application components require a process in place to assess the security of your containerized applications throughout their full lifecycle.

The potential of containers is significant, but will only be fully realized by understanding what’s inside the container, and being able to detect and address open source code vulnerabilities.

