We recently attended the IT & Digital Leaders / Noord Infosec Dialogue Benelux. Peter Dens explained how Open Source is used in organisations. On top of that, he gave some insights on containers and on how to turn your DevOps chain into a more secure environment.
How is Open Source used?
Organisations start using Open Source in their infrastructure because of the innovation it brings. New challenges come with it: containers, but also automation (CI/CD: Continuous Integration, Continuous Deployment) can be a tough challenge in your DevOps chain. Next to that, organisations use Open Source for numerous applications. Most of the time no formal processes are in place for updates and patches, and you have to take care of all supporting processes yourself (patching, backup, monitoring, ...).
The interest of companies in containers is increasing rapidly. Not surprising when we look at all the advantages containers have:
• Containers run consistently on any server or VM without modification;
• They encapsulate an application payload together with its dependencies;
• By isolating content, resources and networks, you avoid dependency hell;
• Containers are highly efficient: they are lightweight, with virtually no performance or start-up penalty.
Keep in mind
But please keep in mind the following points when you start with containers:
• Developers build containers;
• You don't patch containers, you replace them;
• Do your Ops people know what's inside?
• Secrets management?
• Where do they run?
• You thought VM sprawl was bad ...?
Tips & Tricks
We have some recommendations and tips:
1. Scan all containers in the container registry;
2. Make use of a central secrets store: HashiCorp Vault, ...;
3. Numerous choices exist for container management platforms: Rancher, OpenShift, ...;
4. Get a full grip on your CI/CD;
5. Use trusted Docker images (e.g. Red Hat Container Catalog, ...).
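Tips 1, 4 and 5 and the "replace, don't patch" point come together in one CI/CD gate: before an image is deployed, check that it comes from a trusted registry, that it is pinned by digest rather than a mutable tag, that it is recent enough to have been rebuilt from a current base, and that the registry scan found nothing above the accepted severity. The script below is an added example written for this post, not code from the talk or from any scanner or registry vendor. The scan report structure, the placeholder vulnerability ids, the internal registry hostname and the age threshold are assumptions; the Red Hat Container Catalog registry hostnames are real.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registries we accept images from. Red Hat Container Catalog images are
# served from registry.access.redhat.com / registry.redhat.io; the internal
# registry hostname is an assumption for this example.
TRUSTED_REGISTRIES = {
    "registry.access.redhat.com",
    "registry.redhat.io",
    "registry.internal.example",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
MAX_SEVERITY_ALLOWED = "MEDIUM"   # HIGH and CRITICAL findings block the deploy
MAX_IMAGE_AGE_DAYS = 30           # you don't patch containers, you rebuild them

# registry/path[:tag][@sha256:digest]
REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<path>[^@:]+)"
    r"(?::(?P<tag>[^@]+))?(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"
)


@dataclass
class Finding:
    vuln_id: str       # placeholder ids below; a real scanner reports CVE ids
    severity: str
    package: str


@dataclass
class ImageReport:
    ref: str
    built_days_ago: int
    findings: List[Finding]


def parse_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split an image reference into registry, path, tag and digest."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()


def evaluate(report: ImageReport) -> List[str]:
    """Return policy violations for one image; an empty list means admit."""
    violations = []
    parts = parse_ref(report.ref)
    if parts["registry"] not in TRUSTED_REGISTRIES:
        violations.append(f"untrusted registry {parts['registry']}")
    if not parts["digest"]:
        violations.append("not pinned by digest (a mutable tag can change under you)")
    if report.built_days_ago > MAX_IMAGE_AGE_DAYS:
        violations.append(
            f"built {report.built_days_ago} days ago; rebuild from a current base image"
        )
    limit = SEVERITY_RANK[MAX_SEVERITY_ALLOWED]
    for f in report.findings:
        if SEVERITY_RANK.get(f.severity.upper(), 0) > limit:
            violations.append(f"{f.vuln_id} ({f.severity}) in {f.package}")
    return violations


def gate(reports: List[ImageReport]) -> Dict[str, List[str]]:
    """Evaluate every image in the registry scan; returns ref -> violations."""
    return {r.ref: evaluate(r) for r in reports}


# Constructed scan results standing in for a registry scanner's output.
SAMPLE_REPORTS = [
    ImageReport(
        "registry.access.redhat.com/ubi9/ubi@sha256:" + "a" * 64,
        built_days_ago=5,
        findings=[Finding("VULN-0001", "LOW", "bash")],
    ),
    ImageReport(
        "docker.io/library/nginx:latest",
        built_days_ago=120,
        findings=[Finding("VULN-0002", "CRITICAL", "openssl")],
    ),
]

if __name__ == "__main__":
    for ref, problems in gate(SAMPLE_REPORTS).items():
        print(("BLOCK " if problems else "ADMIT ") + ref)
        for p in problems:
            print("   -", p)
```

Run as a pipeline step, a non-empty violation list fails the build. The age check is what enforces "replace, don't patch": an image that is old enough has missed base-image updates regardless of what the scanner found, so it gets rebuilt rather than hot-fixed in place.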
We are more than happy to guide you in this flow. Do contact us if you'd like advice on how to secure your environment.
Solutions to secure?
Have you ever thought about the following issues? Developers re-use existing code, and accessing code, libraries, etc. is easier than ever. So you need a vulnerability inventory and a licensing inventory. One way of managing Open Source risks is Black Duck Hub, a complete management solution with which you discover all open source code, map and identify all vulnerabilities, and set up open source policies.
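What such a tool does on a dependency manifest, reduced to its core: discover every component, map each to its licence and known-vulnerable version ranges, and apply a policy (no forbidden licences, no HIGH or CRITICAL findings, and anything the catalogue does not know gets flagged for review). The script below is an added example written for this post; it is not Black Duck Hub's code or the talk's. The manifest, the component names, the catalogue and the placeholder vulnerability ids are all constructed, and the licence deny-list is an assumed policy for a proprietary product; a real tool pulls the catalogue from its vulnerability and licence feeds.

```python
from typing import Dict, List, Tuple

DENY_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # assumed policy for a proprietary product
BLOCK_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed manifest in requirements.txt style; the package names are fictional.
MANIFEST = """\
webclient==2.19.0
jsonlib==1.8.1
gpl-widget==1.4.0
tinyutil==0.1.0
"""

# Constructed catalogue. Vulnerable ranges are (introduced, fixed, id, severity),
# meaning introduced <= version < fixed. Placeholder ids, not real CVEs.
CATALOGUE = {
    "webclient": {"license": "Apache-2.0",
                  "vulnerable": [("2.0.0", "2.20.0", "VULN-0003", "HIGH")]},
    "jsonlib": {"license": "MIT",
                "vulnerable": [("1.0.0", "1.5.0", "VULN-0004", "MEDIUM")]},
    "gpl-widget": {"license": "GPL-3.0-only", "vulnerable": []},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a tuple so 1.10.0 sorts after 1.9.0."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Read name==version lines; an unpinned line is an inventory gap, so refuse it."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line}")
        comps.append((name.lower(), version))
    return comps


def inventory(manifest: str) -> List[Dict]:
    """One row per component: licence and the vulnerabilities its version falls in."""
    rows = []
    for name, version in parse_manifest(manifest):
        entry = CATALOGUE.get(name)
        row = {"name": name, "version": version,
               "license": entry["license"] if entry else "UNKNOWN", "vulns": []}
        if entry:
            vt = parse_version(version)
            for introduced, fixed, vid, sev in entry["vulnerable"]:
                if parse_version(introduced) <= vt < parse_version(fixed):
                    row["vulns"].append((vid, sev))
        rows.append(row)
    return rows


def policy_violations(rows: List[Dict]) -> List[str]:
    """Apply the open source policy to the inventory; empty list means compliant."""
    out = []
    for r in rows:
        tag = f"{r['name']}=={r['version']}"
        if r["license"] == "UNKNOWN":
            out.append(f"{tag}: not in catalogue, needs manual review")
        elif r["license"] in DENY_LICENSES:
            out.append(f"{tag}: licence {r['license']} not allowed")
        for vid, sev in r["vulns"]:
            if sev in BLOCK_SEVERITIES:
                out.append(f"{tag}: {vid} ({sev})")
    return out


if __name__ == "__main__":
    rows = inventory(MANIFEST)
    for r in rows:
        print(f"{r['name']:12} {r['version']:8} {r['license']:12} {r['vulns']}")
    for v in policy_violations(rows):
        print("VIOLATION:", v)
```

The unknown-component case matters as much as the vulnerable one: a component the catalogue cannot map is exactly the code a developer pulled in that nobody has inventoried yet, so it is reported rather than silently passed.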