Updated Jan. 8, 2021.
Red Hat will integrate Kubernetes security software into its OpenShift platform with the acquisition of StackRox.
Red Hat plans to open source StackRox's proprietary source code, with timing to be determined later, according to a press release. StackRox launched KubeLinter, an open source project that analyzes Kubernetes YAML files and Helm charts to ensure correct configurations, in October.
Terms of the acquisition weren't disclosed. Red Hat expects to complete it this quarter.
Container security, where StackRox got its start in 2014, has introduced or enabled new IT security practices overall, from compliance as code to DevSecOps. Containers lend themselves to immutable or repeatable infrastructure deployment patterns, which are seen as more secure because they are not prone to errors in updates and patching -- in the case of immutable infrastructure -- or human error in the case of automated repeatable deployments, particularly when IT pros use them as part of a GitOps approach.
Kubernetes security in particular has been at the center of discussions among enterprises with the container orchestration platform in production over the last six months, particularly in terms of whether upstream defaults should be replaced with third-party specialist projects. Some upstream Kubernetes security components, such as Pod Security Policies, have languished and will be deprecated in favor of new approaches, the community decided last month.
StackRox and competitors such as NeuVector pivoted from a container security focus in 2018 to a Kubernetes-specific one. StackRox was among the first to deploy its software for container runtime security as a privileged DaemonSet within Kubernetes infrastructure.
This means StackRox software can be automatically and consistently injected into every Kubernetes cluster as it's deployed. That was a selling point for early adopters such as retail software maker Aptos, video streaming startup Mux Inc. and fintech company Greenlight.
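A privileged DaemonSet reaches every node, so the settings it asks for deserve a manifest-level review before it is admitted. The following is an added example, not StackRox's or KubeLinter's own code: a minimal check in the spirit of KubeLinter that lists the host-level access a node agent manifest requests, run over a constructed DaemonSet (the name `runtime-agent` and the image are hypothetical).

```python
# Added example, not StackRox's or KubeLinter's code: a minimal manifest check
# in the spirit of KubeLinter that lists the host-level access a privileged
# agent DaemonSet is granted, so a reviewer sees the blast radius up front.
# Manifests are constructed Python dicts (the JSON form kubectl also accepts).

def pod_spec(manifest):
    """Return the pod spec of a Pod or of a templated workload (DaemonSet, Deployment...)."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def lint_workload(manifest):
    """Return (subject, finding) tuples for settings that widen a workload's reach."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = pod_spec(manifest)
    findings = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(field):
            findings.append((name, f"shares host namespace via {field}"))
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append((name, f"mounts host path {vol['hostPath'].get('path')}"))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((c["name"], "runs privileged"))
        # Unset runAsUser is treated as 0 here unless runAsNonRoot is enforced.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((c["name"], "not guaranteed to run as non-root"))
        for cap in sc.get("capabilities", {}).get("add", []):
            findings.append((c["name"], f"adds capability {cap}"))
    return findings

# Constructed manifest resembling a node-level runtime agent (hypothetical name/image).
AGENT_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "runtime-agent", "namespace": "security"},
    "spec": {"selector": {"matchLabels": {"app": "runtime-agent"}},
             "template": {"metadata": {"labels": {"app": "runtime-agent"}},
                          "spec": {"hostPID": True,
                                   "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
                                   "containers": [{"name": "agent", "image": "example.invalid/agent:1",
                                                   "securityContext": {"privileged": True},
                                                   "volumeMounts": [{"name": "sock", "mountPath": "/host/docker.sock"}]}]}}}}

if __name__ == "__main__":
    for subject, finding in lint_workload(AGENT_DAEMONSET):
        print(f"{subject}: {finding}")
```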
StackRox also offers container security scanning within CI/CD pipelines for DevSecOps deployments, an approach favored by enterprise customers such as Informatica.
StackRox will continue to support multiple Kubernetes products, including Amazon EKS, Microsoft Azure Kubernetes Service and Google Kubernetes Engine, and won't be limited just to OpenShift customers.
Existing StackRox customers will continue to receive support from StackRox until the acquisition closes, and then will be shifted to Red Hat support, according to a company FAQ.
StackRox users mull open source plan
Users of StackRox Kubernetes security software had mixed views on Red Hat's plan to make it open source following news of the acquisition.
While StackRox users see Red Hat providing more resources for the relatively small vendor, one expressed concern that opening its source code to the public would introduce risk, since it can run as a privileged workload with root access within Kubernetes clusters.
"It is a big risk for a cyber[security] product," said Nicolas Chaillan, chief software officer at the U.S. Air Force, which uses both Red Hat OpenShift and StackRox. "One mistake and the impact is huge."
There are similar Kubernetes security utilities in the open source world that may have privileged access, such as Falco, and Red Hat has experience working in open source security with its SELinux product, which is also integrated with OpenShift.
Another StackRox user doubted that converting StackRox from a proprietary software core to pure open source would be feasible. Direct StackRox Kubernetes security competitors, such as Sysdig and Aqua Security, lead some open source projects and integrate with open source tools such as OPA and Falco, but also retain some proprietary components.
"I just don't know how much they'd want to open source, or if they're going to open source everything," said Pathik Patel, head of cloud security for Informatica, a StackRox user. "We'll see, but if you look at other players … they have also open sourced a few things, but not the core of their product."
Meanwhile, a third StackRox user said he believes open sourcing StackRox will only help Kubernetes security.
"For decades, people have talked about open source as a potential security risk -- all of a sudden people can see under the hood," said Ken De La Guera, senior DevOps engineer at Greenlight Financial. "But historically, it's made a product more secure, not less secure. And not just for StackRox, but for any product, if the security of your product depends on obfuscation and people not understanding what's going on under the hood, that's a bad model to begin with."
Red Hat has not yet disclosed full details for how it plans to develop, integrate and donate StackRox code to open source, but echoed some of De La Guera's stance in a statement.
"We believe that open source software enables community collaboration, which only accelerates development and ultimately leads to more stable and secure code," the statement said. "For example, the Kubernetes community open sourced a third party security audit of Kubernetes in 2019 [link in the original]. This kind of information sharing ensures that the community can more easily work together to address concerns quickly."