Red Hat builds Linux container security scanning into RHEL

The latest release of Red Hat Enterprise Linux features two directly integrated scanning mechanisms to find and block known vulnerabilities in containerized apps

Red Hat is retooling its enterprise product line around containers, and it's introduced container security components as part of that effort. This week, Red Hat showed off two methods for doing container security scanning from directly within its flagship enterprise OS.

The first of the two is an extension of features Red Hat Enterprise Linux and OpenShift already had. Back in October of last year, Red Hat and Black Duck Software paired up to offer Black Duck's container analysis tools as part of OpenShift. Both companies came away with something from that deal: Red Hat could tout OpenShift-hosted applications as less exposed to known vulnerabilities, and Black Duck got a foothold in a more current market than its established open source license auditing business.

The new part is the depth of the integration between Black Duck and Red Hat. Originally, it was limited to scanning containers in the OpenShift image registry. Now, support for Black Duck's scanning engine is being added to Red Hat Enterprise Linux Atomic Host, the OS used as the substrate for OpenShift. In short, you don't need OpenShift to get the scanning benefits anymore; you can get them directly within the latest edition of RHEL.

Red Hat is also adding a preview of scanning based on OpenSCAP, the open source implementation of the Security Content Automation Protocol (SCAP), to its container scanning mix in Atomic Host. SCAP is a family of specifications for expressing security configuration checks and known-vulnerability definitions in machine-readable form, and OpenSCAP has previously been shipped by Red Hat and Suse for checking whole hosts. Here, it's being used to apply "tools and policies to help assess, measure and enforce IT security measures" (Red Hat's description of OpenSCAP) to the contents of container images, not just to RHEL systems at large. As with any scan of this kind, the verdict is only as good as the definitions feed it is checked against: it reports known vulnerabilities in packages it can identify, so keeping the feed current and rescanning images already in use matter as much as the scan at build time.
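To make concrete what consuming such a scan looks like, here is an added example (not code from the article, from Red Hat or from the OpenSCAP project) that reads an OVAL results document of the kind OpenSCAP's `oscap` tool writes after evaluating vulnerability definitions, joins each verdict back to the definition's title and CVE references, and separates "vulnerable" from "no verdict" so a build gate cannot mistake an unevaluated check for a clean one. The sample document, its definition IDs, advisory title and CVE identifiers are constructed placeholders, not real advisories; the namespaces are those of the OVAL 5 definitions and results schemas.

```python
"""Summarize an OVAL 5 results document from an OpenSCAP vulnerability scan.

Added example, not code from the article, Red Hat or OpenSCAP. The sample
document below is constructed for illustration: its definition ids, title
and CVE ids are placeholders, not real advisories.
"""
import xml.etree.ElementTree as ET

# OVAL 5 schema namespaces: definitions (embedded copy of what was
# evaluated) and results (one verdict row per definition).
NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
}

# Constructed sample: one patch-class definition found missing (result="true",
# which in vendor OVAL feeds means the affected package is installed and
# older than the fixed version), one present, one that was not evaluated.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.example.scan:def:1" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>EXAMPLE-0001: placeholder openssl advisory</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0002"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example.scan:def:2" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>EXAMPLE-0002: placeholder glibc advisory</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0003"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example.scan:def:3" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>EXAMPLE-0003: placeholder kernel advisory</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0004"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example.scan:def:1" result="true" version="1"/>
        <definition definition_id="oval:com.example.scan:def:2" result="false" version="1"/>
        <definition definition_id="oval:com.example.scan:def:3" result="not evaluated" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Return one dict per result row, joined with its definition's metadata."""
    root = ET.fromstring(xml_text)
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        cves = [r.get("ref_id")
                for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = {
            "class": d.get("class"),
            "title": d.findtext("def:metadata/def:title", default="", namespaces=NS),
            "cves": cves,
        }
    rows = []
    for r in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        did = r.get("definition_id")
        row = {"id": did, "result": r.get("result")}
        row.update(meta.get(did, {"class": None, "title": "", "cves": []}))
        rows.append(row)
    return rows


def vulnerable(rows):
    """Patch-class definitions that evaluated true: the image lacks the fix."""
    return [r for r in rows if r["class"] == "patch" and r["result"] == "true"]


def unresolved(rows):
    """Rows with no true/false verdict (unknown, error, not evaluated, ...).
    Treating these as 'clean' is the classic way a scan gate lies to you."""
    return [r for r in rows if r["result"] not in ("true", "false")]


def gate(rows):
    """Simple CI decision: pass only if nothing is vulnerable or unresolved."""
    return not vulnerable(rows) and not unresolved(rows)


if __name__ == "__main__":
    rows = parse_oval_results(SAMPLE_RESULTS)
    for r in vulnerable(rows):
        print("VULNERABLE", r["id"], r["title"], ", ".join(r["cves"]))
    for r in unresolved(rows):
        print("NO VERDICT", r["id"], r["result"])
    print("gate:", "pass" if gate(rows) else "fail")
```

The point of splitting `vulnerable` from `unresolved` is that an OVAL result carries more than two states; a definition that errored or was skipped is not evidence the package is patched, and a gate that only counts `true` rows will wave such an image through.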

Container scanning technology in general has grown alongside the popularity of containers. Docker has what could be called a first-party solution, Docker Security Scanning, offered as part of its hosted Docker Cloud app delivery service. Twistlock, a third-party technology, provides not only content scanning but behavioral analysis and auditing as well, so that a flaw the content scan missed can still be caught at runtime when it turns into a case of Software Behaving Badly. Google liked Twistlock enough to add it to Google Cloud Platform's roster of container services.

Red Hat's approach, from the look of it, is to have multiple scanning and protection mechanisms integrated directly into the underlying platform, complementing the container support there. Instead of only making it available through a hosted solution (e.g., one of Red Hat's hosted OpenShift offerings), it can be part of the substrate being used to build said hosted solutions as well.

It doesn't seem likely that smaller-scale container solutions, like the desktop editions of Docker, will have these kinds of protections provided in the same package. Such protections are best suited to the kind of bundling Red Hat has in mind for RHEL and OpenShift, where application scanning can be applied on a broad scale.

Copyright © 2016 IDG Communications, Inc.