We’ve often talked about the security opportunity that containers and cloud native apps represent. Their declarative, minimalistic, and predictable nature gives us a once-in-a-computing-generation chance to fundamentally reboot the way we do security. Cloud native apps enable a security approach that can better address real-world threats with an efficiency and scale that just isn’t possible with traditional methodologies. One of the advantages of being more declarative and minimalistic is being able to identify security vulnerabilities across apps more accurately and deterministically. Over the past year, we’ve been proud to work with Google on the Grafeas project, which is designed to provide a consistent, automatable way to describe security vulnerabilities in images and help organizations build more secure software supply chains.

As the Grafeas project was being developed, we provided some of the earliest external feedback on the API design and methods, based on our real-world experience helping secure hundreds of thousands of images across over 80 customers around the world. We were especially happy to help make sure Grafeas provides a consistent way to both create and consume vulnerability data from platforms like Twistlock. This enables customers to choose the best security tools on their security merits, while being confident that the data those tools produce is pluggable into other systems. The Twistlock platform has always had a wide and deep API and has focused on ensuring all our data is accessible in open formats like CSV, JSON, and syslog, so for us Grafeas is just another way to make that data easier for customers to ingest and reuse.

For Twistlock customers, Grafeas will be an additional way to expose and reuse vulnerability data across your environment. Since we already support vulnerability analysis and prevention directly in the CI process, across every registry, and in every production environment, Grafeas provides a new and more consistent way for this information to be stored centrally and reused by other tools. Grafeas integration is an additive, optional way for customers to interchange vulnerability data; we’re not deprecating or deprioritizing any of our existing methods.

For example, today when we analyze an image in your registry, we store those results in our database, and they’re accessible via our UI, our REST API, our push-alert integrations such as Slack and JIRA, and standard RFC-compliant syslog. However, because there’s no consistent schema for representing this data, nor consistent methods to access it, you may have to do some additional work to integrate it with your other tools. This consistency is where customers will benefit most from Grafeas. As the ecosystem around it develops, security platforms like Twistlock can create this data in a consistent format that other consumers can natively ingest, reducing the amount of work you need to do and resulting in more secure software supply chains.

Our work on the Grafeas project adds to our strong track record of open source and community contributions to defending cloud native apps – most recently including making Docker secrets pluggable and leading the development of NIST’s Container Security Guide (SP 800-190). We’ve been proud to work with Google on Grafeas and look forward to seeing how customers use the open exchange of vulnerability data to enable better security across their cloud native apps.
