CoreOS Service Scans Containers For Vulnerabilities - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Software as a Service
01:20 PM
Connect Directly

CoreOS Service Scans Containers For Vulnerabilities

CoreOS, supplier of a slender Linux for container hosts, has launched a container scanning service capable of detecting vulnerabilities.

Cloud Vs. On-Premises: 6 Benefits Of Keeping Data Private
Cloud Vs. On-Premises: 6 Benefits Of Keeping Data Private
(Click image for larger view and slideshow.)

Containers may become a more secure way to deploy application software into the data center than their "uncontained" counterparts, if Docker and CoreOS have their way.

Docker has a major security announcement under wraps that it plans to reveal with the opening of DockerCon Europe in Barcelona on Monday, Nov. 16, a spokesman confirmed this week.

Perhaps in anticipation of the Docker announcement, CoreOS made its own security news at 10 a.m. PST today, Friday, November 13. (Hopefully the choice of dates won't prove to be bad luck.)

Quay, the CoreOS registry of container images -- container-formatted software able to be sent to a host -- now has a service that will scan images for vulnerabilities.

CoreOS CEO Alex Polvi said that there are millions of container images on the Quay hosting site put there by CoreOS customers. At least 80% contained some vulnerability that showed up in a layer-by-layer scan. "The number is pretty staggering," Polvi said in an interview.

Heartbleed appeared 18 months ago. "We discovered it is still a threat to 80% of the Docker images stored on Quay," wrote Quentin Machu, a CoreOS security specialist in a Nov. 13 blog post.

(Image: maxkabakov/iStockphoto)

(Image: maxkabakov/iStockphoto)

Quay Security Scanning is being launched today as a free beta service for users of Quay on the CoreOS site.

In effect, the service examines the software layers in a container and goes out to reference sites provided by Red Hat, Ubuntu, and Debian to check what it's just scanned against a listing of known vulnerabilities for certain software modules. If the module or layer scanned is considered secure, the scan discovers that and moves on to the next layer. If a layer possesses a known vulnerability, the reference sites note that as well and Quay Security Scanning reports the vulnerability to the software owner.

Quay Security Scanning isn't doing a static analysis of the code, that is, inspecting code on its own for vulnerabilities. It's simply identifying code modules in a container against what's known about that release on the reference sites, Polvi explained.

At the same time, CoreOS is launching an open source project, Clair, under an Apache 2 license. That will make the scanning engine available to anyone. "We are giving away the critical pieces of the scanning engine so other tools and other vendors can use it," Polvi said.

Machu also added additional explanation on the Heartbleed detection: "Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn't suited for that level of analysis and teams should still undergo deeper analysis as required," to determine the proper response.

[Want to learn more about what else CoreOS has done in security? See CoreOS Adds Intel Security to Rocket.]

Doing so will make use of containers a more secure method of operation. Clair is not based on other open source tools. It's code that was constructed internally, he added. Outside developers may access the code through GitHub, contribute to the project, and suggest areas where it can be improved or expanded upon, Polvi said.

In the long run, containers have a shot at becoming a way of packaging code and moving it around that is more secure than predecessor methods. Because so much is already known about the code from its security scan and container formatting, it can be run with greater assurance in the data center than code that's been recently downloaded or otherwise brought in from the outside.

"You have an artifact that you can handle out of band [outside of production operations]. Security is not just the isolation of a running system. It's about moving and managing the code -- all big security aspects -- which containers greatly improve," Polvi said.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/14/2015 | 1:24:24 PM
Re: Use containers for security

Really liked what you had to say here-

Because so much is already known about the code from its security scan and container formatting, it can be run with greater assurance in the data center than code that's been recently downloaded or otherwise brought in from the outside.

Looking at things purely from a Business perspective it makes so much sense to have something which just works and which you can trust blindly to deliver the Goods whenever you ask it.

No ifs and buts.

If IT Departments already have so much faith in the Container and especially its formatting that saves them enormous amounts of Time and Money(and wasted resources in scanning something which has been downloaded from the outside).

I was wondering a lot about Clair-What does CoreOS gain in giving it away from Free via GitHub?

Is it simply a question of Wider adoption of the Tool or is there more here than meets the eye?



Charlie Babcock
Charlie Babcock,
User Rank: Author
11/13/2015 | 5:40:17 PM
Use containers for security
We think of containers as a way for developers to move code around more easily. What if their real value is that they allow us to applications around and run them more securely? Containers are beginning to offer a combination of benefits that will make them well  nigh irresistable.  
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
Where Cloud Spending Might Grow in 2021 and Post-Pandemic
Joao-Pierre S. Ruth, Senior Writer,  11/19/2020
The Ever-Expanding List of C-Level Technology Positions
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/10/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Flash Poll