Earlier this year, I was at a large industry event and ended up speaking with a devops lead at a software company related to the social media space. The company, which has both a thriving B2C business and B2B business, leverages containers for most of their internal and external applications. The engineer I was talking to works with dozens of developers on individual application teams to make sure their modern web and mobile applications are built and deployed successfully.
While many companies we work with at Twistlock are moving part or all of their application infrastructure to take advantage of containers, this company is already using containers almost entirely.
What about security?
As this devops manager and I continued talking, he shifted most of the conversation from infrastructure and operations to security. His company had leveraged various open source tools for short periods to perform some image scanning, but they had never leveraged a tool to continuously scan their registry or deployed a solution to get visibility into their runtime environments. He knew he was “pretty much flying blind”, but had begun feeling pressure from company leadership to provide visibility into the potential risks and needs required to secure their containerized stack. He was curious about:
- Scanning their images to identify high risk issues
- Leveraging a tool that helps to prevent vulnerabilities from making it into production in the first place
- Getting runtime visibility into their various environments
This engineer made it clear, “We’re using containers in production and praying we’re secure, which probably isn’t a winning strategy. If I started using Twistlock, what would be the immediate benefits that my team could implement and begin to build on?”
This question is a good one, and one we get a lot from developers, devops managers, and architects. In the next few sections, I’ll share some details on how we can quickly and effectively help by providing security of the registry, security during the CI / CD process, and visibility at runtime.
Visibility into your registry
First and foremost, Twistlock provides the ability to scan and continuously monitor your registry for vulnerabilities. This vulnerability management capability solves a key problem for our engineer I was chatting with at this event. I didn’t ask what type of registry the company was using, but Twistlock works with any of them! Twistlock easily integrates with any registry used today, continually scans those images for vulnerabilities, and provides detailed findings with risk prioritization.
In the above screenshot of a demo environment, you can see public images I am scanning on Docker Hub. Twistlock will continuously monitor these images to provide vulnerability and compliance status with the ability for you to get granular analysis at a layer-by-layer view of issues in each image.
Integrating security into the CI / CD process
Another key advantage of leveraging Twistlock comes from integrating security and compliance throughout the CI process. In our view, the easiest way to secure cloud native applications is by preventing vulnerable images from making their way through the software development lifecycle (SDLC) in the first place.
Twistlock helps here by integrating with your current build and deploy process. For example, a user can set granular policies to pass or fail a build based on the types of vulnerabilities and compliance issues found before images can be pushed to the registry or deployed to production. One of those policies might look something like this:
In the build for my payment app, block any build impacted by a CVE with a medium or higher CVSS rating and for which a vendor fix is available.
Twistlock provides a standalone Jenkins plugin, as well as the ability to integrate with any other CI tools using twistcli (our command line scanner), so developers can see vulnerability status every time they run a build. In this conversational example I’ve been using for this blog post, the devops lead and his team could work to fix images with the highest vulnerabilities in their environments first, then create policies that ensure that proper vulnerability and compliance and thresholds are set. As they get more familiar with their images and environment, they could leverage our Trusted Images feature to control developer access to a specific registry or even specific images.
Runtime makes prioritization better
While most of this post has focused solely on vulnerability management during the build and in the registry, I want to touch on one of our key differentiators when it comes to runtime: managing risk in running containers and helping teams prioritize efforts to remediate risk in their environments.
Twistlock scans all of the images in the registry, scans images during the build and deploy process, and also continuously monitors any vulnerability changes in your running containers. Twistlock generates a risk score for each of the vulnerabilities we find that are actually running in your environment, taking into account not only risk metrics like CVSS but also a whole host of other metrics. For example:
- Is this container connected to the internet
- Does it have open listening ports
- Does it have a security profile attached
These key factors allows Twistlock to stack rank your vulnerabilities specifically for your environment and let you know where you are most likely to be exploited. This helps to prioritize the mitigation of vulnerabilities for your most vulnerable assets. At the same time, a user can search for any new CVE or security issue in their running environment to know exactly which container is impacted.
In the example above, I’ve shared a screenshot from Twistlock Vulnerability Explorer with the top 10 critical vulnerabilities in my environment. In the first row, I’ve expanded the Risk Tree which allows a user to see the exact image, container name, and name of the host where it is running. The Risk Score includes contextual data about the specific risk to that container alongside Risk Factors that allow teams to better assess the impact of a particular vulnerability in a specific deployment.
A quick recap
The Twistlock Platform provides distinct advantages for enterprises looking to analyze their images for vulnerabilities and compliance issues, integrate security into their current build and deploy process, and remediate risk easily in their running environments. While I touched on our features for vulnerability management and compliance as part of this example, our team would be glad to share other immediate advantages from deploying Twistlock.
I highly recommend our Guide to Modernizing Traditional Security, which tells the story of a Twistlock customer that used a Lift and Shift approach to improve the security of a legacy application.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
How My Company (Teckro) Uses ContainersRead the Blog
Mitigating CVE-2019-5736 Impacting RunC and DockerRead the Blog
From Agile to DevSecOps and DevOps SecurityRead the Blog
What’s Next for Cloud-Native Infrastructure Technology?Read the Blog
Cloud Native Security Beyond Your Cloud Vendor’s ToolsRead the Blog