CoreOS Offers Automated Security Checks As A Service - InformationWeek

News, 3/22/2016, 02:05 PM
Clair 1.0 is ready for production use to make containers more secure. Also, new threats will be added to its vulnerabilities database.

CoreOS has delivered the first version of its container security inspector, Clair Container Image Security Analyzer. Clair is an inspection engine that looks through the built-up software layers of a given container to see which ones hold outdated code with known vulnerabilities.

When it finds one that does, it sends an alert to the owner and identifies the layer that needs a software update. It's often able to provide a reference to the correct update. CoreOS announced the availability of Clair 1.0 on March 18.

CoreOS runs a version of Clair on its own site, and an online version of Clair watches over Quay.io, the CoreOS container registry service. The beta version of Quay Security Scanning was based on a pre-1.0 release of Clair.

(Image: ismagilov/iStockphoto)

CoreOS, maker of the Rocket container runtime and CoreOS Linux for container hosts, announced Clair and the scanning service four months ago.

Analyzing the results of Clair's use there, CoreOS concluded that 70% of vulnerabilities could be fixed by updating the installed software in the container image. It also could see that many of the vulnerabilities that were rated as high or critical already have patches. All that's needed to eliminate exposure is to apply the patch.

The Heartbleed vulnerability "has been known for over 18 months, yet scanning (by Clair) found it is still a potential threat to 80 percent of the Docker images users have stored on Quay," wrote Quentin Machu, a CoreOS software engineer, in a blog post on Nov. 13, after he had several months' experience scanning container images stored on Quay.

Heartbleed appeared in April 2014 as a buffer overflow vulnerability in the OpenSSL encryption library and prompted a vulnerability-fighting response from the US Department of Homeland Security.

Clair 1.0 is a scanning engine that's out of beta and ready for production use, Machu wrote. Clair looks at each layer of a container, and compares its code to the reference code in the Common Vulnerabilities and Exposures database maintained by US-CERT, the Office of Cybersecurity and Communications of the DHS.

Similar reference databases are offered by Ubuntu, Debian, and Red Hat.

The scanning engine is exposed through a public REST-based API, so in-house services can be built that check containers for vulnerabilities periodically, Machu wrote. Clair 1.0 is also open source and can be downloaded for use on-premises. Developers can trigger the scanning engine through its API to build homegrown services that check the quality of freshly produced containers and recheck the condition of running ones.

Clair has a "fetcher" subsystem that gathers vulnerability data from public sources, and "detectors" that index container images by the code modules they contain. That index is the reference point when a module is found to need a patch: it identifies which containers in the registry include the module.

It also has notification hooks so that when a new vulnerability is discovered no time is lost in getting notices out to the parties that have expressed interest in being alerted.
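The fetcher, detector and notification roles described above, as an added example that is not CoreOS code: detected features are indexed per image layer, and a newly fetched vulnerability record is matched back to affected layers without re-scanning any image. Data, vulnerability identifiers and the version-ordering rule are constructed simplifications.

```python
# Constructed Clair-style model (added example, not CoreOS code): features detected per
# image layer are indexed so a newly fetched vulnerability can be matched back to the
# layers that need updating. Version rules and all data here are simplified assumptions.
import re
from collections import defaultdict
from typing import NamedTuple

class Feature(NamedTuple):
    namespace: str   # distro release whose version scheme applies, e.g. "debian:8"
    name: str
    version: str

class Vulnerability(NamedTuple):
    id: str          # placeholder identifiers, not real CVE numbers
    namespace: str
    feature: str
    fixed_in: str    # "" means no fixed version has been published yet

def version_key(version):
    # Simplified ordering: numeric runs with an optional letter suffix (real dpkg/rpm
    # comparison has more rules than this).
    return tuple((int(n), s) for n, s in re.findall(r"(\d+)([a-z]*)", version))

def affected(installed, fixed_in):
    # No fix published: every installed version is exposed; else anything older is.
    return not fixed_in or version_key(installed) < version_key(fixed_in)

class LayerIndex:
    def __init__(self):
        self.by_feature = defaultdict(set)  # (namespace, name) -> {(layer, version)}
    def index_layer(self, layer_name, features):
        # 'Detector' step: record which layer introduced which package version.
        for f in features:
            self.by_feature[(f.namespace, f.name)].add((layer_name, f.version))
    def match(self, vuln):
        # 'Notification' step: resolve one fetched vulnerability against the index; each
        # hit names the layer to update and the version that fixes it (None if no fix yet).
        hits = self.by_feature.get((vuln.namespace, vuln.feature), set())
        return sorted((layer, vuln.id, ver, vuln.fixed_in or None)
                      for layer, ver in hits if affected(ver, vuln.fixed_in))

def scan(index, feed):
    # Whole-feed pass, as a periodic checker built on the API would run it.
    return [hit for v in feed for hit in index.match(v)]

# Constructed image: base layer ships old openssl and bash; a later layer updates openssl.
INDEX = LayerIndex()
INDEX.index_layer("base", [Feature("debian:8", "openssl", "1.0.1e-2"),
                           Feature("debian:8", "bash", "4.3-11")])
INDEX.index_layer("patched", [Feature("debian:8", "openssl", "1.0.1k-3")])
FEED = [Vulnerability("VULN-PLACEHOLDER-1", "debian:8", "openssl", "1.0.1g-1"),
        Vulnerability("VULN-PLACEHOLDER-2", "debian:8", "bash", "")]
```

Only the layer that still carries the old openssl is reported, with the fixing version attached; the bash finding carries `None` because the constructed feed has no fix for it, which is the split between fixable and unfixed findings the article's 70% figure refers to.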

CoreOS will be presenting on the capabilities of Clair at OSCON 2016 in Austin in May.

Machu said a primary accomplishment of the 1.0 release is its improvement in performance, mainly by speeding up interactions with "our largest bottleneck," the system's database.

Getting busy humans to do routine checking of containerized software is hard to do, "which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues …" Machu wrote in his March 18 blog post.

"Container images are infrequently updated. But with Clair security scanning, users can identify and update problematic images more easily," he wrote.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...
