
WhiteSource: Open Source Security Management for Containers

14 Feb 2019 6:00am

Chances are, you’re using an open source library. One recent survey reports that 92 percent of applications use at least one open source library. Another survey puts that number even higher, at 96 percent. Point being, open source is ubiquitous. There’s good reason for this, of course — using open source libraries saves you the time and money of reinventing the wheel. It also, unfortunately, can open your application up to security vulnerabilities inherited either from the libraries you choose or the transitive dependencies introduced by those libraries.

WhiteSource, a continuous open source security and license compliance management tool, was created seven years ago to handle this problem and this week is bringing its continuous monitoring functionality to containerized applications and the images that comprise them.

“WhiteSource provides a picture of all the open source components and all their dependencies and provides alerts and dashboards, giving users a licensing, compliance and security picture to tap into their CI/CD pipeline and put in some gates when it comes to open source usage risks,” summarized David Habusha, vice president of product at WhiteSource. “It’s important to have integrations into the various pieces of the CI/CD pipeline starting from the very beginning of building containers and into production. You have to take a holistic approach.”

With its latest release, the company says it now offers an “end-to-end solution for the detection and remediation of open source vulnerabilities within container images and containers” across the software development lifecycle (SDLC), including Kubernetes support. It does this by way of a “Kubernetes agent that runs silently in the background as a pod in the production cluster, automatically scanning any image deployed to production in new pods,” and by monitoring container images stored in Docker Hub, Amazon ECR, Azure Container Registry, and JFrog Artifactory.

“We recently added the capability to support scanning Docker images at rest. When a container image is stored, we have a trigger to auto scan these images and take them out of order if they violate policy. It’s a seamless integration — they hook directly into the platform,” Habusha said. “It’s all about where customers put the security and compliance gates and the maturity of the architecture and CI/CD pipeline.”
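The two mechanisms described above, scanning images where they are stored and gating the images a new pod is allowed to run, reduce to the same check: parse each image reference, look up the scan result for that exact image, and apply a policy. The following is an added example written for this article, not WhiteSource's code; the policy thresholds, the scan inventory keyed by digest, the registry names and the pod spec are all constructed for illustration. Note the two details a real gate has to get right: a `:` in an image reference is a tag only when it comes after the last `/` (otherwise it is a registry port), and a tag-only reference such as `nginx` is mutable, so there is no single scan result it can be matched against.

```python
"""Added example, not WhiteSource's code: an image-admission gate of the kind the
article describes. The policy, scan inventory and pod spec are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry[:port]/]path[:tag][@sha256:hex]' the way a Docker/OCI
    client does: the first path component is a registry only if it looks like a
    host ('.' or ':' in it, or 'localhost'); otherwise the registry is docker.io
    and a single-component name lives under 'library/'."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # A ':' marks a tag only if it comes after the last '/'; otherwise it is a port.
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", name if "/" in name else "library/" + name
    if tag is None and not digest:
        tag = "latest"  # the implicit, mutable default
    return ImageRef(registry, path, tag, digest or None)


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    trusted_registries: tuple   # hosts an image may be pulled from
    max_severity: str           # highest finding severity still admitted
    require_digest: bool = True  # reject mutable tag references


# Constructed policy for the example cluster.
DEFAULT_POLICY = Policy(("docker.io", "registry.example.com:5000"), "medium")

# Constructed scan inventory keyed by image digest, standing in for the
# scanner's results for images at rest in the registry.
GOOD_DIGEST = "sha256:" + "1a" * 32
BAD_DIGEST = "sha256:" + "2b" * 32
SCAN_RESULTS = {
    GOOD_DIGEST: [{"component": "libexample", "version": "2.1.0", "severity": "medium"}],
    BAD_DIGEST: [{"component": "libexample", "version": "1.0.3", "severity": "critical"},
                 {"component": "otherlib", "version": "0.9", "severity": "low"}],
}


def evaluate_image(ref, scan_results, policy):
    """Return (allowed, reasons) for one image reference."""
    img = parse_image_ref(ref)
    reasons = []
    if img.registry not in policy.trusted_registries:
        reasons.append(f"registry {img.registry} is not trusted")
    if policy.require_digest and img.digest is None:
        reasons.append(f"not pinned by digest; tag {img.tag!r} can change underneath you")
    if img.digest is not None:
        findings = scan_results.get(img.digest)
        if findings is None:
            reasons.append("no scan result on file for this digest")  # unknown means blocked
        else:
            for f in findings:
                if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[policy.max_severity]:
                    reasons.append(f"{f['component']} {f['version']}: {f['severity']} vulnerability")
    return (not reasons, reasons)


def evaluate_pod(pod, scan_results, policy):
    """Gate every container and init container image in a pod spec."""
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return {c["image"]: evaluate_image(c["image"], scan_results, policy) for c in containers}


# Constructed pod spec, as an admission webhook or a watching agent would see it.
POD = {"spec": {
    "initContainers": [{"name": "migrate", "image": "ghcr.io/example/migrate:1.4"}],
    "containers": [
        {"name": "web", "image": "nginx"},
        {"name": "api", "image": "registry.example.com:5000/team/api@" + GOOD_DIGEST},
        {"name": "worker", "image": "registry.example.com:5000/team/worker@" + BAD_DIGEST},
    ],
}}

if __name__ == "__main__":
    for image, (allowed, reasons) in evaluate_pod(POD, SCAN_RESULTS, DEFAULT_POLICY).items():
        print(("ALLOW " if allowed else "DENY  ") + image)
        for r in reasons:
            print("    - " + r)
```

Run as-is, the gate admits only the `api` image: `migrate` comes from an untrusted registry and is not digest-pinned, `nginx` resolves to `docker.io/library/nginx:latest` with no fixed digest to look up, and `worker` is pinned but carries a critical finding. Treating "no scan result on file" as a denial is deliberate; a gate that fails open when the scanner has not seen an image is not a gate.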

Teams building microservices ship those services as containers and want to ensure the security and compliance of the images from the build stage through to the container orchestration platform, Habusha explained. “This is what WhiteSource for Containers is all about.”

WhiteSource says it continues to monitor applications after deployment, not just those in active development, since a vulnerability in a component can be disclosed years after the application ships. It also includes the container orchestration environment itself in its monitoring.

The company says that as part of WhiteSource for Containers, the tool scans the full platform, including the orchestration engine, for open source vulnerabilities. That scope matters: runc is the container runtime on the host, not a component inside any application image, so scanning images alone would not surface a flaw in it. In the case of the most recent runc vulnerability, the company says the affected component had already been detected and flagged, with a suggested remediation action, across multiple customer accounts by the time of publication.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, JFrog.