There are some movies which provide an immediate dose of entertainment for 2 hours and you instantly forget them afterwards. Others lurk within you, and constantly resurface to make you think about ideas or concepts. The 2002 movie Minority Report is one of the latter. In it, a police department is set up to investigate “precrime” based on foreknowledge provided by psychic humans called “precogs”. The dilemma of penalizing people who have not actually done anything is an interesting philosophical conundrum that resonates in contemporary topics. One example is the potential for insurance companies to not cover people who show a genetic disposition to certain illnesses, even while not being ill.
In the modern world rather than the future shown in the movie, computer crime and, more broadly, data breaches are now so common that we barely notice them, despite the fact they often have material impacts on us as individuals (see: Equifax). Fortunately, we actually do have something close to precogs in the software world which, while not allowing us to arrest criminals, do allow us to know when something is really likely to happen and do something about it.
Many vendors and government agencies produce long lists of known software vulnerabilities that have a good chance of being exploited. Yet, the reality is that most organizations don’t do anything with them because they don’t even know they are running the affected software or because they do know what is running but don’t have the time to fix it.
I recently joined Anchore as VP of Products, motivated by the opportunity to fix this problem. Like many, I’ve been amazed at the huge uptake in containers across the industry and, as a long-time open source advocate, excited about the way it has allowed companies to take advantage of the huge ecosystem of open source software. However, I’ve also been cognizant that this new wave of adoption has increased the attack surface for companies and made the challenge of securing dynamic and heterogeneous environments even harder.
In meeting with the team at Anchore, it was clear that they really understood containers and had gone a long way to solving the problem. The solution that Anchore has built not only tells you what software you are running (by scanning your repos) but enables teams to prevent bad software being deployed in the first place, using customizable policies which react to defects found in operating system and software library packages, as well as poorly implemented best practices. By enabling so-called DevOpSec processes, Anchore can help development teams become more efficient and spread the load of security responsibility - the only way we can tackle the mountain of vulnerabilities that come out every day. It may not quite be precogs, but it’s pretty close.
I’ve been creating and deploying infrastructure software for over 20 years, so I have probably contributed a fair degree of security flaws to the world. I’m looking forward to joining the other side and working with our customers to make the new cloud native world a more secure one.