How secure is your Open Source Infrastructure?

CIO Dialogue Benelux - Peter

Recently we were present at the IT & Digital Leaders / Noord Infosec Dialogue Benelux. Peter Dens explained how Open Source is used in organisations. On top of that, he gave some insights on containers and how to leverage your DevOps into a more secure environment.

How is Open Source used?

Organisations start using Open Source in their infrastructure because of its innovative side. New challenges appear: containers, for example, but also automation (CI/CD: Continuous Integration, Continuous Deployment) can be a tough challenge in your DevOps chain. Next to that, organisations use Open Source for numerous applications. Most of the time no formal processes are in place for updates and patches, and you have to set up and control all supporting processes yourself (patching, backup, monitoring, ...).

Containers

Advantages

The interest of companies in containers is increasing rapidly. Not surprising when we look at all the advantages containers have:
• Containers run consistently on any server or VM without modification;
• They encapsulate an application payload together with its dependencies;
• By isolating content, resources and networks, they avoid dependency hell;
• Containers are highly efficient: they are lightweight, with virtually no performance or start-up penalty.

Keep in mind

But please keep in mind the following point when you start with containers:
• Developers build containers
• You don't patch containers, you replace them
• Do your OPS people know what's inside?
• Secrets management?
• Where do they run?
• You thought VM sprawl was bad ... ?

Tips & Tricks

We have some recommendations and tips:
1. Scan all containers in the container registry;
2. Make use of a central secrets database (HashiCorp Vault, ...);
3. Numerous choices exist for container management platforms (Rancher, OpenShift, ...);
4. Get a full grip on your CI/CD;
5. Use trusted Docker images (e.g. Red Hat Container Catalog, ...).
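Tips 1 and 5, together with the "you don't patch containers, you replace them" point above, come down to a policy you can enforce mechanically over the image references in your registry or deployment manifests. The following is an added example written for this article (it is not code from the presentation or from any vendor): it parses image references the way Docker resolves them, flags images that come from a registry outside a trusted allowlist, flags images that are not pinned to a content digest, and reports deployed images whose digest no longer matches the build currently published for that repository. The trusted-registry list, the sample inventory and the "published digest" map are constructed assumptions for the demo; in practice the latter would come from your registry's API.

```python
"""Image reference policy check (added example, not from the original article).

Checks each image reference against a trusted-registry allowlist and requires
digest pinning, so that what runs is exactly one vetted build. Also detects
deployed images whose digest differs from the currently published build,
i.e. images that should be replaced rather than patched in place.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: registries the organisation has vetted (assumption).
TRUSTED_REGISTRIES = {"registry.access.redhat.com", "registry.example.internal"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo:tag@sha256:...' following Docker's resolution rules:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image is assumed to come from Docker Hub, where
    single-component names live under the 'library/' namespace."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    # A ':' in the last path component is the tag separator; a ':' earlier
    # would have been a registry port and is already split off above.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> list[str]:
    """Return policy findings for one image reference (empty list = compliant)."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry {img.registry}")
    if img.digest is None:
        findings.append("not pinned to a digest")
    elif not DIGEST_RE.match(img.digest):
        findings.append("malformed digest")
    # No tag and no digest resolves to 'latest', which floats between builds.
    if img.tag == "latest" or (img.tag is None and img.digest is None):
        findings.append("floating tag 'latest'")
    return findings


def audit(refs: list[str]) -> dict[str, list[str]]:
    """Run check_image over an inventory of references."""
    return {r: check_image(r) for r in refs}


def stale_images(deployed: list[str], published: dict[str, str]) -> list[str]:
    """Return deployed references whose digest differs from the digest currently
    published for 'registry/repository'. These are replaced by redeploying the
    new build, never patched inside the running container."""
    stale = []
    for ref in deployed:
        img = parse_image_ref(ref)
        current = published.get(f"{img.registry}/{img.repository}")
        if current is not None and img.digest != current:
            stale.append(ref)
    return stale


if __name__ == "__main__":
    # Constructed sample inventory for the demo.
    inventory = [
        "nginx:latest",
        "registry.access.redhat.com/ubi8/ubi@sha256:" + "0" * 64,
        "localhost:5000/team/app:2.0",
    ]
    for ref, findings in audit(inventory).items():
        print(ref, "->", "OK" if not findings else "; ".join(findings))
    # Constructed map of currently published digests (would come from the registry).
    published = {"registry.access.redhat.com/ubi8/ubi": "sha256:" + "1" * 64}
    print("stale:", stale_images(inventory, published))
```

The parser is the part worth keeping: a naive `split(":")` misreads a registry port (`localhost:5000/app`) as a tag, and a check that forgets the `library/` default for Docker Hub will mismatch the repository keys it later looks up. Running this in CI against your manifests turns tip 5 into a gate rather than a guideline.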
We are more than happy to guide you in this flow. Do contact us if you'd like advice on how to secure your environment.

Solutions to secure?

Have you ever thought about the following issue: developers re-use existing code, and accessing code, libraries, etc. is easier than ever. So you need a vulnerability inventory and a licensing inventory. One way of managing Open Source risks is with Black Duck Hub, a complete management solution in which you discover all open source code, map it, identify all vulnerabilities and set up open source policies.

Need more info?

Did you miss this presentation? Take a look at this SlideShare. For sure, do contact us if you'd like some more info on how to secure your environment.

Author: 
Erica (communication)
Date posted: 
30.11.2017