Container Security: Vulnerability Management from Build to Run

Author: Keith Mokris, Product Marketing Manager, Container Security

Today’s enterprises have embraced containers for their simplicity and contribution to improved development velocity. While developers and devops enjoy this new-found speed to deliver software and value to customers more quickly, security teams are looking to ensure container pipelines are secure and improve the risk posture of applications when they are deployed.

In my work with the container security startup Twistlock, which is now part of Palo Alto Networks, I ended up speaking with a security engineer at a large industry event. He works with development and devops management to ensure the organization’s modern web and mobile applications are built and deployed successfully. The organization was looking to better embed security throughout the application lifecycle. 

Key Steps to Secure Container Pipelines

As this security engineer and I continued talking, I learned his company had leveraged various open source tools for short periods to perform some image scanning, but they had never leveraged a tool to continuously scan their registry or deployed a solution to get visibility into their runtime environments. The organization was looking to:

• Scan images to identify high risk issues
• Leverage tooling that helps to prevent vulnerabilities from making it into production in the first place
• Provide developers with trusted images
• Gain runtime visibility into various containerized environments

This engineer made the implications clear, saying, “We’re using containers in production and praying we’re secure, which probably isn’t a winning strategy. If I started using Twistlock, what would be the immediate benefits that my team could implement and begin to build on?”

This is a good question, and one we get a lot from developers, devops managers and architects. In the next few sections, I’ll share some details on how we can quickly and effectively help by providing security during the continuous integration (CI) / continuous delivery (CD) process, ensuring the security of the registry and offering visibility at runtime.

Integrating Security into the CI Process

Users leverage Twistlock by integrating security and compliance throughout the CI process. In our view, the easiest way to secure cloud native applications is by preventing vulnerable images from making their way through the software development lifecycle (SDLC) in the first place.

Twistlock helps here by integrating with your current build and deploy process. For example, a user can set granular policies to pass or fail a build based on the types of vulnerabilities and compliance issues found before images can be pushed to the registry or deployed to production.

One of those policies might look something like this:

In the build for my payment app, block any build impacted by a CVE with high CVSS rating and for which a vendor fix is available.

Twistlock provides a standalone Jenkins plugin—shown within the Blue Ocean view in the screenshot above—as well as the ability to integrate with any other CI tools such as CircleCI, Azure Devops, AWS Codebuild, or Google Cloud Container Builder using twistcli (our command line scanner), so developers can see vulnerability status every time they run a build. In this conversational example I’ve been using for this blog post, the security engineer would work with the development group to identify and fix images with the highest vulnerabilities in their environments first, then create policies that ensure that proper vulnerability and compliance thresholds are set. 

Gaining Control with Trusted Images

As organizations get more familiar with their images and environment, they typically leverage our Trusted Images feature to control developer access to a specific registry or even specific images or layers. Trusted Images ensure that developers are using verified or approved sources for their images, as well as provide a straightforward way to implement the CIS best practices for container security.

Visibility into your Registry

First and foremost, Twistlock provides the ability to scan and continuously monitor your registry for vulnerabilities. This vulnerability management capability solves a key problem for the engineer I was chatting with at the event. I didn’t ask what type of registry the company was using, but Twistlock works with any of them! Twistlock easily integrates with any registry used today, continually scans those images for vulnerabilities and provides detailed findings with risk prioritization.

In the above screenshot of a demo environment, you can see public images I am scanning on Docker Hub. Twistlock will continuously monitor these images to provide vulnerability and compliance status with the ability for you to get granular analysis at a layer-by-layer view of issues in each image.

Runtime Makes Prioritization Better

While most of this post has focused solely on vulnerability management during the build and in the registry, I want to touch on one of our key differentiators when it comes to runtime: managing risk in running containers and helping teams prioritize efforts to remediate risk in their environments.

Twistlock scans all of the images in the registry, scans images during the build and deploy process, and also continuously monitors any vulnerability changes in your running containers. Twistlock generates a risk score for each of the vulnerabilities we find that are actually running in your environment, taking into account not only risk metrics like CVSS but also a whole host of other metrics. For example:

• Is this container connected to the internet?
• Does it have open listening ports?
• Does it have a security profile attached?

These key factors allows Twistlock to stack rank your vulnerabilities specifically for your environment and let you know where you are most likely to be exploited. This helps to prioritize the mitigation of vulnerabilities for your most vulnerable assets. At the same time, a user can search for any new CVE or security issue in the running environment to know exactly which container is impacted.

In the example above, I’ve shared a screenshot from Twistlock Vulnerability Explorer with the top 10 critical vulnerabilities in my environment. In the first row, I’ve expanded the Risk Tree, which allows a user to see the exact image, container name and name of the host where it is running. The risk score includes contextual data about the specific risk to that container alongside risk factors that allow teams to better assess the impact of a particular vulnerability in a specific deployment.

Conclusion 

Prisma Cloud and Twistlock provide distinct advantages for enterprises looking to analyze their images for vulnerabilities and compliance issues, integrate security into their current build and deploy process and remediate risk easily in their running environments. While I touched on our features for vulnerability management and compliance as part of this example, there are many other immediate advantages of deploying Prisma Cloud and Twistlock.

To learn more about Twistlock, check out our latest demo recording.