Hello everyone and welcome to another video on Red Hat OpenShift Container Platform. In this demo, I plan to show an integration between Synopsys Blackduck and Red Hat OpenShift. This can help organizations automatically scan, identify, and monitor the open source in all the container images deployed in Red Hat OpenShift. So I'll provide a brief overview of the Synopsys and Red Hat solution, I'll dive into the architecture a little bit, and then we'll jump into the demo.

So you can see how Synopsys fits in if you think about all the security methods that are integrated at different points of the DevOps lifecycle. We see Synopsys here as a very good complement to Red Hat OpenShift, and their technology addresses the application analysis needs, especially on the left side, where you can find security issues early, which saves time and money. Synopsys has enterprise capabilities in static analysis, which is great for your own custom code; software composition analysis, or SCA, which looks at the code that you bring in; and a couple of other security methods that you'll find which interact with a running application, like dynamic analysis and interactive analysis as well. Today's demo focuses on the Blackduck SCA capability, which analyzes the third-party dependencies you bring into your applications for license, security, and operational risks, and any policies that you've created related to your use of those dependencies.

And so as we look at the Blackduck for OpenShift architecture, you'll see there are several integration points throughout a DevOps lifecycle. What I'll be demoing today is the one on the far right, where Blackduck has a certified operator. This installs the Blackduck connector.
This is a microservice integration with a handful of containers, and it's responsible for scanning images when a pod creation event occurs, and then serving as the communication service with the Blackduck server to push scan results and to retrieve vulnerability and policy information, which it will then place on pods as labels and annotations. It is important to note the left side of this diagram, where you will have options to integrate the Detect functionality in your development tool of choice. Detect is a lightweight client which scans applications and images and interacts with your Blackduck server. All of this is backed by the Blackduck KnowledgeBase. It's a huge database which contains almost four petabytes of data from over 23,000 sources, and the security information in that database, which includes enhanced security information, is maintained and provided by the Synopsys Security Research Center, which contains over 15 full-time security researchers.

So if we jump over to the demo, we're looking at Red Hat OpenShift Container Platform, and I wanted to show the OperatorHub. If we go to the security category and certified operators, you can see the Blackduck connector operator exists. It's just an easy click to install it; however, Red Hat can provide you with an OpenShift cluster that already has Blackduck for OpenShift installed. So if we take a look at that installation in this cluster, you'll see Synopsys Blackduck and the four pods listed here: the OpsSight Core pod, which is the main piece of this microservice integration, in charge of communicating with the Blackduck server and the rest of the containers. The pod processor is in charge of listening to those pod creation API events and writing information to pods in the form of labels and annotations. There's a Prometheus container that'll give you some metrics on the activity, and then the actual scanner container, which does the scanning portion when images are created in pods.
Now this installation also comes with a demo project and an application. The application is actually a running, Java-based application, but if we take a look at this insecure bank deployment pod and scroll up, you'll notice there are some labels here from Blackduck. You can see policy violations; you can also see pod vulnerabilities. You see there are 30 vulnerabilities, and so if we jump over to Synopsys Blackduck, I'm going to take a look at the insecure bank image that was scanned with this integration, and you'll see 13 plus 17, that's 30, which is the sum of the critical and high vulnerabilities in this container image. Now this gives you a bunch of data and information on all the open source projects that were found in this container image. Let's just take a quick look at Spring Framework here and the security vulnerabilities. That'll show me the security tab and all the different components that make up this Spring Framework release, so you can see JDBC, Spring Core, Spring AOP, and all the vulnerabilities that are associated with these different components. So if we expand this vulnerability, CVE-2018-1275, which is a critical vulnerability for this version of Spring Framework, I can dive into the details and get the same amount of information that you would see on the National Vulnerability Database. But as I mentioned earlier, Synopsys has a cyber security research center which produces Blackduck Security Advisories. Blackduck Security Advisories provide items like a solution if a fix is available, a workaround, and their own scoring as well, plus there's a lot of technical information that is provided by Synopsys also.
Okay, so if we go back to the components tab, you'll see all of this information relating to all the components that were identified in this application. It's organized up top here in an aggregate fashion around security risk, which we just looked at; license risk around the open source components and their licenses; and then operational risk. Operational risks are things like how many newer versions of this project are available, when this version was released, and things like commits and contributors. Another great thing about Blackduck is you have the ability to search, and so I'm going to go ahead and search on Heartbleed. This can search the entire Blackduck KnowledgeBase for any vulnerabilities or components or projects in your server, so you'll notice I now have access to the famous Heartbleed CVE, as well as the BDSA record that was issued for this vulnerability.

Okay, so if I go back to the dashboard, there's one last thing I just wanted to demo, and that is the summary tab, which provides a really nice overall view of all the projects that you have on your Blackduck server: things like your project security risk, component security risk, the top components that are used in your projects, and some nice stats that you see on the left-hand side.

Now let's jump back to the presentation, where I wanted to quickly pop up the architecture diagram again. What I just demonstrated is shown here on the right-hand side with the Blackduck connector, which was those four pods in the Synopsys Blackduck project, and we took a look at a Blackduck instance, which in the case of the demo was actually hosted outside of the cluster, but you can absolutely deploy your Blackduck instance in OpenShift as well. But don't forget about the left side of this diagram, which I didn't show, but it's worth noting again all the integrations available to you to catch those risky third-party dependencies early in the DevOps lifecycle.
All right, I'd like to thank everyone for watching this demo of Synopsys Blackduck on Red Hat OpenShift. To learn more about this demo, please head on over to demo.openshift.com or the software integrity pages at Synopsys.com. Take care, everyone!
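As an added example (not code from the demo, from Red Hat, or from Synopsys), here is a small Python script that consumes the labels the connector's pod processor writes onto pods, as the demo showed with the policy-violation and pod-vulnerability labels on the insecure bank pod. It reads `oc get pods -A -o json` output and sorts pods into risky, clean, and unscanned, treating a pod with no Blackduck labels as "not yet scanned" rather than clean. The label keys `POLICY_LABEL` and `VULN_LABEL` are hypothetical placeholders, since the demo does not spell out the exact key names; substitute whatever `oc get pod <name> -o yaml` shows in your cluster. The sample pod list is constructed for the example.

```python
"""Triage OpenShift pods by the Blackduck labels the connector writes.

Added example; not code from the demo, from Red Hat, or from Synopsys.
The demo shows the connector placing a policy-violation label and a
pod-vulnerability count on each scanned pod. The label keys below are
hypothetical placeholders: check `oc get pod <name> -o yaml` in your
cluster and substitute the real ones.
"""
import json
import sys

# Hypothetical label keys (placeholders, not the connector's real names).
POLICY_LABEL = "blackduck.example/policy-violations"
VULN_LABEL = "blackduck.example/pod-vulnerabilities"

# Values a policy label might carry when there is nothing to report.
CLEAN_POLICY_VALUES = {"", "none", "0", "false", "not_in_violation"}


def classify_pod(pod, max_vulns=0):
    """Describe one item of a Kubernetes PodList.

    status is one of:
      "unscanned" - no Blackduck labels at all (not clean, just not processed yet)
      "risky"     - policy violation, or vulnerability count above max_vulns
      "clean"     - labels present and within limits
    """
    meta = pod.get("metadata", {})
    labels = meta.get("labels") or {}
    result = {
        "namespace": meta.get("namespace", "default"),
        "name": meta.get("name", "<unnamed>"),
        "reasons": [],
    }
    policy = labels.get(POLICY_LABEL)
    vulns = labels.get(VULN_LABEL)
    # Absence of both labels means the connector has not processed this pod.
    if policy is None and vulns is None:
        result["status"] = "unscanned"
        return result
    if policy is not None and policy.lower() not in CLEAN_POLICY_VALUES:
        result["reasons"].append(f"policy violations: {policy}")
    if vulns is not None:
        try:
            count = int(vulns)
        except ValueError:
            # A malformed label is a finding, not something to silently skip.
            result["reasons"].append(f"unparseable vulnerability count: {vulns!r}")
        else:
            if count > max_vulns:
                result["reasons"].append(f"{count} vulnerabilities (limit {max_vulns})")
    result["status"] = "risky" if result["reasons"] else "clean"
    return result


def triage(pod_list_json, max_vulns=0):
    """Parse `oc get pods -A -o json` output and group pods by status."""
    items = json.loads(pod_list_json).get("items", [])
    groups = {"risky": [], "unscanned": [], "clean": []}
    for pod in items:
        info = classify_pod(pod, max_vulns)
        groups[info["status"]].append(info)
    return groups


# Constructed sample in the shape the Kubernetes API returns; the values
# mirror the demo (30 vulnerabilities on the insecure bank pod).
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "demo", "name": "insecure-bank-1-abcde",
                      "labels": {POLICY_LABEL: "IN_VIOLATION", VULN_LABEL: "30"}}},
        {"metadata": {"namespace": "demo", "name": "frontend-1-fghij",
                      "labels": {POLICY_LABEL: "NONE", VULN_LABEL: "0"}}},
        {"metadata": {"namespace": "demo", "name": "batch-1-klmno",
                      "labels": {"app": "batch"}}},
    ],
})


def main():
    # Pipe real cluster output in, or run with no stdin to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST
    groups = triage(data)
    for status in ("risky", "unscanned", "clean"):
        for info in groups[status]:
            print(f"{status:9} {info['namespace']}/{info['name']}",
                  "; ".join(info["reasons"]))


if __name__ == "__main__":
    main()
```

Run it as `oc get pods -A -o json | python3 triage.py` against a cluster, or with no input to see the constructed sample. The separate "unscanned" bucket matters in practice: the scanner only acts on pod creation events, so a pod that predates the connector, or one the scanner has not reached yet, carries no labels and should not be reported as clean.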