As container and Kubernetes adoption in production has grown, concerns regarding container security, monitoring, data management and networking remain. In order to address these challenges, organizations must lay a secure foundation for modern workloads. Red Hat is an established leader in security for enterprise open source solutions - container security is Linux security. Red Hat Enterprise Linux and Red Hat OpenShift offer a layered approach to securing containers and integrating security throughout the container lifecycle to support mission critical environments. We are continuously evolving to set new standards for security (e.g. DevSecOps) to support our partners and customers across open hybrid cloud.
Today, we’re introducing the Red Hat Vulnerability Scanner Certification: a new certification to validate how security software partners use Red Hat security-related data for Red Hat products. This enables partners to deliver more reliable, consistent reporting to customers for containers to minimize false positives and other discrepancies. As a result, customers using Red Hat Certified partner security solutions can experience a more accurate process for assessing vulnerability risks of Red Hat products and packages including Red Hat Universal Base Images (UBI).
Using a Red Hat Certified scanner means the rich and transparent data produced by the Red Hat Product Security team is utilized by our partners’ scanning products to deliver more consistent scanning results. We have poured a lot of effort into enhancing these data sets in order to give scanning vendors a richer collection of data on vulnerabilities affecting Red Hat products. The result is a more streamlined experience with our partners and an established collaborative ecosystem to help reduce frustration, ease adoption and provide more confidence in the reported outputs for our mutual customers and the entire lifecycle of Red Hat products.
A software security ecosystem based on accuracy, transparency and trust
Available through the Red Hat Partner Connect program, the Red Hat Vulnerability Scanner Certification will enable a more open collaborative ecosystem for container vulnerability scanning. Certified partners are now able to standardize reporting by integrating the Red Hat OVAL v2 security data feed.
Red Hat has long been a CVE Numbering Authority (CNA) for Red Hat technologies and has been publishing OVAL data since 2006. The Red Hat Product Security team, dedicated to the publishing of security data for Red Hat products and packages through various resources, has recently enhanced the Red Hat OVAL v2 security data feed to include new features like product streams and feeds for unpatched Common Vulnerabilities and Exposures (CVEs) based on feedback from customers and partners. With these timely updates, our security partners can now defer to Red Hat to know whether a product is affected by a particular vulnerability and gain deeper insight into which vulnerabilities are addressed (patched) as well as yet to be addressed (unpatched) by Red Hat.
Security partners that complete the Red Hat Vulnerability Scanner Certification will be able to easily integrate Red Hat security data into their container security solutions to minimize discrepancies, display Red Hat severity ratings for CVEs affecting Red Hat supported packages and provide insight into CVEs yet to be addressed by Red Hat.
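To show what "deferring to Red Hat" on patched versus unpatched status looks like in practice, the following is an added example (not Red Hat's feed tooling nor any partner's scanner) that reads a constructed, trimmed-down document in the shape of Red Hat's OVAL v2 definitions and sorts each CVE into patched (listed by a class="patch" RHSA definition) or unpatched (a class="vulnerability" definition), keeping Red Hat's own impact rating. The element layout is assumed from the OVAL 5 definitions schema; every id, title and CVE number in the sample is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample in the shape of Red Hat OVAL v2 definitions: one class="patch"
# definition (an RHSA that fixes CVEs) and one class="vulnerability" definition
# (a CVE not yet addressed). IDs, titles and CVE numbers are placeholders.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.redhat.rhsa:def:00000001" class="patch">
      <metadata>
        <title>RHSA-0000:0001: example package security update (Important)</title>
        <advisory>
          <severity>Important</severity>
          <cve impact="important">CVE-0000-1001</cve>
          <cve impact="moderate">CVE-0000-1002</cve>
        </advisory>
      </metadata>
    </definition>
    <definition id="oval:com.redhat.cve:def:00001003" class="vulnerability">
      <metadata>
        <title>CVE-0000-1003 example package: placeholder unpatched flaw (low)</title>
        <advisory>
          <severity>Low</severity>
          <cve impact="low">CVE-0000-1003</cve>
        </advisory>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


def classify_cves(oval_xml):
    """Map each CVE to (status, Red Hat impact): 'patched' if an RHSA lists it."""
    result = {}
    root = ET.fromstring(oval_xml)
    for definition in root.findall("oval:definitions/oval:definition", NS):
        status = "patched" if definition.get("class") == "patch" else "unpatched"
        for cve in definition.findall("oval:metadata/oval:advisory/oval:cve", NS):
            cve_id = cve.text.strip()
            # A fix supersedes an unpatched entry if the same CVE appears in both feeds.
            if cve_id not in result or status == "patched":
                result[cve_id] = (status, cve.get("impact", "unknown"))
    return result


def unpatched_cves(oval_xml):
    """CVEs Red Hat has not yet addressed, sorted for stable reporting."""
    return sorted(c for c, (s, _) in classify_cves(oval_xml).items() if s == "unpatched")
```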
The Red Hat Product Security team has also published a vulnerability risk report that illustrates the magnitude of Red Hat’s contribution in this space and gives customers a sense of the anticipated benefits of this collaboration.
See it in action
After an extensive pilot phase, several partners have already achieved Red Hat Vulnerability Scanner Certification and are providing immediate support to our mutual customers: Aqua Security, NeuVector, and Sysdig. Four more partners, including JFrog, Snyk, StackRox, and Synopsys, are currently in the process of becoming certified. In addition, these certified partners, and any certified in the future, will automatically become members of the new Security Scanning Exchange special interest group, which will support continued collaboration around security scanning best practices to benefit our mutual customers.
Here’s what our security partners have to say about the new Red Hat Vulnerability Scanner Certification:
"Thanks to the Red Hat Vulnerability Scanner Certification, organizations can now use Aqua's comprehensive vulnerability scanning to get an accurate, contextual and actionable view of vulnerabilities in their Red Hat published container images. Achieving consistency in vulnerability assessment will help our customers prioritize remediation, ultimately improving their security posture and accelerating release cycles." - Amir Jerbi, CTO & Co-founder, Aqua Security
"JFrog Xray, part of JFrog’s end-to-end DevOps Platform, is used by large enterprises to ensure security and compliance, while accelerating delivery of both traditional and cloud-native applications. As a leader in DevSecOps, we support Red Hat’s initiative to drive consistency across its security partners. We’re proud to continue to provide seamless integration with Red Hat’s ecosystem, while ensuring that security vulnerabilities identified in Red Hat’s packages are accurate and consistent." - Dror Bereznitsky, CPO, JFrog
"Red Hat is the first company we have seen create an initiative to improve the consistency of scan results from vendors. The Red Hat Vulnerability Scanner Certification will give our customers more confidence in NeuVector's vulnerability management functions." - Gary Duan, CTO, NeuVector
"Snyk and Red Hat share a common goal of enabling customers to accelerate their digital transformation, and build and deploy modern applications more securely. As open source software usage becomes more widespread each year, Snyk and Red Hat will continue to work together to empower developers, IT operations and security teams with tools that enable them to understand their security posture and take ownership of the vulnerability remediation process, regardless of the team they belong to." - Geva Solomonovich, Global Alliances CTO, Snyk
"Container image scanning as part of a Kubernetes-native approach to security continues to be a critical focus for organizations building and deploying containerized applications. Red Hat's new certification program enables developers and DevOps teams to ship applications faster by avoiding confusing discrepancies and false positives, while at the same time, leveraging detailed data to minimize vulnerabilities that are introduced into their clusters. Coupling Red Hat's data with StackRox's existing coverage of vulnerabilities in both images and the Kubernetes platform provides comprehensive vulnerability management for any organization." - Vibhav Sreekanti, VP of Engineering, StackRox
"Patching containerized applications requires accurate security information for components present within each image and any runtime environments used by the application. With open source components available from multiple distribution points, it's crucial that security information and any associated patches match the components' origin point. Red Hat's OVAL2 data feed helps provide rich insights surrounding the security status of Red Hat components used within container images – regardless of who authored the image." - Scott Johnson, Senior Director, Product Management, Synopsys
"With the recent high-profile breaches we are seeing, the need for container security should be top of mind for any organizations operating in the cloud. Image scanning is a critical first line of defense. The approach Red Hat is advocating for, and we helped provide input into, will help to create consistency and accuracy in container vulnerability scan results. This will ultimately help developers and DevOps teams to more clearly understand risk and the action they should take." - Omer Azaria, VP of Engineering, Sysdig
More information about the Red Hat Vulnerability Scanner Certification and certified partner container security solutions is available here.
About the authors
Vincent Danen lives in Canada and is the Senior Director of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for more than 20 years.
Lars Herrmann is always found at the forefront of technology. From the early days of Linux to today’s digital transformation built on hybrid cloud, containers and microservices, Lars has consistently helped enterprises leverage open source technologies to drive business results. At Red Hat, Lars leads Red Hat Partner Connect, Red Hat's technology partner program.