Vendorless – Security the Open Source Way

Whether you love or hate the term, ‘serverless’ is one of the hottest new trends in the cloud computing world. Despite what the name may suggest, there are certainly still servers running your code; the real innovation here is that you do not need to manage these servers, you just publish your code to be run by the serverless infrastructure. This architecture can be better described as FaaS (functions as a service) or BaaS (backend as a service). Amazon led this innovation with its Lambda service and other cloud providers have followed suit, including Google with Google Cloud Functions and Microsoft with Azure Functions.

Why CVE Scanning Still Isn’t Enough

On Thursday the Node Package Manager team removed a node package from the registry. You can read more about the discovery in this bleepingcomputer article or in the incident report on the npm blog. This package was found to have a malicious payload which provided a framework for a remote attacker to execute arbitrary code. While the module was removed from the NPM registry, you may already have this module in your environment.

The Container Chronicle Volume 2

When we launched the Container Chronicle newsletter we planned on making it a monthly newsletter, to make sure there was enough content to make it a worthwhile read while not making it too long. Well, two weeks later there was so much interesting news even before we...

Driving Open Source Container Security Forward

When Anchore was formed there was an obvious gap in terms of open source container security, and our goal was to fill that gap with the best-in-breed container scanning solution, one that added not just reporting but policy-based compliance. At the same time as we were working on Anchore, CoreOS released the Clair project, which provided an open source vulnerability scanner. We are big fans of the work CoreOS has done in the container community, so we looked into that project but saw a number of gaps: