CoreOS Offers Automated Security Checks As A Service
Clair 1.0 is ready for production use to make containers more secure. Also, new threats will be added to its vulnerabilities database.
8 Ways SaaS Delivers Business Value
(Click image for larger view and slideshow.)
CoreOS has delivered the first version of its container security inspector, Clair Container Image Security Analyzer. Clair is an inspection engine that looks through the built-up software layers of a given container to see which ones hold outdated code with known vulnerabilities.
When it finds one that does, it sends an alert to the owner and identifies the layer that needs a software update. It's often able to provide a reference to the correct update. CoreOS announced the availability of Clair 1.0 on March 18.
CoreOS uses a version of Clair on its own site, whereas an online version of Clair watches over the CoreOS container registry service, Quay.io. The beta version of Quay Security Scanning was based on a pre-1.0 release of Clair.
CoreOS, maker of the Rocket container runtime and CoreOS Linux for container hosts, announced Clair and the scanning service four months ago.
Analyzing the results of Clair's use there, CoreOS concluded that 70% of vulnerabilities could be fixed by updating the installed software in the container image. It also could see that many of the vulnerabilities that were rated as high or critical already have patches. All that's needed to eliminate exposure is to apply the patch.
The Heartbleed vulnerability "has been known for over 18 months, yet scanning (by Clair) found it is still a potential threat to 80 percent of the Docker images users have been stored on Quay," wrote Quentin Machu, a CoreOS software engineer, in a blog post on Nov. 13, after he had several months' experience scanning container images stored on Quay.
Heartbleed appeared in April 2014 as a buffer overflow vulnerability in the OpenSSL encryption library and prompted a vulnerability-fighting response from the US Department of Homeland Security.
Clair 1.0 is a scanning engine that's out of beta and ready for production use, Machu wrote. Clair looks at each layer of a container, and compares its code to the reference code in the Common Vulnerabilities and Exposures database maintained by US-CERT, the Office of Cybersecurity and Communications of the DHS.
Similar reference databases are offered by Ubuntu, Debian, and Red Hat.
The scanning engine can be accessed through a public REST-based API, so in-house services may be built that provide periodic checks for container vulnerabilities, Machu wrote. Clair 1.0 is also open source code and can be downloaded for use on-premises. Developers may access and trigger the scanning engine through its API to provide homegrown services that check the quality of freshly produced containers and recheck the condition of running containers.
Clair has a "fetcher" subsystem that gathers vulnerability data from public sources. It includes "detectors," which index container images by the code modules they contain. The index becomes a reference point if that module is found to need a patch. The index can then reference containers in the registry that contain the module.
It also has notification hooks so that when a new vulnerability is discovered no time is lost in getting notices out to the parties that have expressed interest in being alerted.
CoreOS will be presenting on the capabilities of Clair at OSCON 2016 in Austin in May.
Machu said a primary accomplishment of the 1.0 release is its improvement in performance, mainly by speeding up interactions with "our largest bottleneck," the system's database.
Getting busy humans to do routine checking of containerized software is hard to do, "which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues …" Machu wrote in his March 18 blog post.
"Container images are infrequently updated. But with Clair security scanning, users can identify and update problematic images more easily," he wrote.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio
SaaS As Innovation Driver?Software as a service is the clear No. 1 way enterprises consume cloud. InformationWeek's SaaS Innovation Survey reveals three tips to get the most from SaaS: Make it a popularity contest. Have an escape plan. And remember that identity is the new perimeter.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 25, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."