This technical deep dive highlights key capabilities released as part of Twistlock 18.11. To learn more about what’s included with Twistlock 18.11, check out our full release blog post.
Pivotal Application Service (PAS), a key part of Pivotal Cloud Foundry (PCF), delivers unprecedented application resilience and flexibility. Because it makes deploying Java, .NET, and Node.js applications quick and easy, automated security scanning becomes even more vital. So it is with no small measure of excitement that we announce vulnerability scanning for PAS via the Twistlock cloud native cybersecurity platform.*
Twistlock for PAS enables organizations to continuously scan the droplets in their blobstores for vulnerabilities. Scan reports are easy to review and share across development, DevOps, and security teams, and when the scanner finds issues that violate policy it can raise alerts and route them to the right party via email, Slack, JIRA, and other alert providers.
Expanding on existing Pivotal support
Twistlock already provides vulnerability and compliance scanning of applications prior to deployment, a control I highly recommend treating as a hard requirement. But because new vulnerabilities are discovered every day, it is just as important to continuously monitor and reassess the risk of applications that are already deployed.
Before PAS, Twistlock already supported full lifecycle security for Pivotal Container Service (PKS), which we covered in this blog post. With the added PAS support, Twistlock can secure the entirety of your applications on PCF.
Droplets and blobstores explained
A droplet is the Cloud Foundry unit of execution. When an application is pushed to Cloud Foundry, the staging process runs it through a buildpack, and the result is a droplet: an archive containing the application together with the runtime dependencies the buildpack supplied. Droplets are stored in the platform's blobstore, from which they are fetched whenever the application is started or scaled. You can think of a droplet as an application and the blobstore as a collection of applications; the comparison is roughly equivalent to Docker images stored in a Docker registry.
Setting up Twistlock to scan a blobstore
Installing the Twistlock Tile into PCF
Assuming you already have Twistlock installed and running, you simply import the Twistlock PCF tile using the PCF OpsManager dashboard. There are two ways to accomplish this:
Choice 1: In PCF OpsManager, on the bottom left, click on “Pivotal Network”, then search for “Twistlock” and choose “Twistlock for PCF” from the partner services.
Choice 2: In PCF OpsManager, choose “Import a Product”. The Twistlock PCF tile can be found where you installed the Twistlock platform, at:
Twistlock Tile configuration
To simplify the configuration of the Twistlock Tile, the Twistlock Platform provides a script, which you can obtain from your Twistlock Console at Manage > Defenders > Deploy. This script is pasted into PCF OpsManager to configure your Twistlock Tile, so copy it to your clipboard.
In PCF OpsManager, click on the Twistlock Tile to configure it as follows:
Fill in each field appropriately; in Twistlock Component Configuration, enter the install script you copied from the Twistlock Console.
Configure Twistlock to scan one or more blobstores
To set up blobstore scanning, navigate to Defend > Vulnerabilities > PCF Blobstore and add a PCF Blobstore by specifying your Cloud Controller address and the droplets to scan; wildcards are accepted, so a single rule can cover many applications.
After just a few minutes, your blobstore scan reports will be available at Monitor > Vulnerabilities > PCF Blobstore, as shown in the following screenshot:
You can dive deeper into any scan report by clicking anywhere on its row, and view the risk factors that accompany each finding, such as whether a public exploit exists and what the attack vector is. Each additional risk factor present raises the risk rating for that particular droplet. The scan report also includes a complete bill of materials for all the packages and binaries in the scanned droplet, via the Package Info tab.
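To make concrete what a droplet scan report contains (a bill of materials, findings matched against a feed, and risk factors that raise a finding's rating until it crosses a policy threshold), here is an added example written for this post; it is not Twistlock's scanner and not code from the original page. It assumes the usual staged-droplet layout (app/, deps/, staging_info.yml), uses a constructed vulnerability feed with placeholder identifiers rather than real CVEs, and treats the wildcard selection of droplets as fnmatch-style globbing, which is an assumption about how the product matches names.

```python
"""Added example: inventory a Cloud Foundry droplet and apply a risk-factor policy.

Illustrative code only, not Twistlock's implementation. The droplet layout
(app/, deps/, staging_info.yml) follows common buildpack conventions, and the
vulnerability feed below is constructed sample data with placeholder IDs.
"""
import fnmatch
import io
import re
import tarfile

# Constructed sample feed: package -> affected versions plus risk factors.
# SAMPLE-* identifiers are placeholders, not real vulnerability IDs.
SAMPLE_FEED = {
    "commons-collections": [
        {"id": "SAMPLE-0001", "affected": {"3.2.1"}, "severity": "critical",
         "exploit_exists": True, "attack_vector": "network"},
    ],
    "log4j": [
        {"id": "SAMPLE-0002", "affected": {"1.2.17"}, "severity": "high",
         "exploit_exists": False, "attack_vector": "local"},
    ],
}

# "name-version.jar": the name is taken non-greedily so that the version is
# the first dash-separated component that starts with a digit.
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def build_sample_droplet():
    """Construct an in-memory droplet.tgz shaped like a staged Java web app (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, data=b""):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("staging_info.yml",
            b"detected_buildpack: java_buildpack\nstart_command: java -jar app.jar\n")
        add("app/WEB-INF/lib/commons-collections-3.2.1.jar")
        add("app/WEB-INF/lib/log4j-1.2.17.jar")
        add("app/WEB-INF/lib/guava-27.0-jre.jar")
        add("deps/0/openjdk/release")
    return buf.getvalue()


def droplet_bom(droplet):
    """Walk the droplet archive and return sorted (package, version) pairs for each jar."""
    bom = []
    with tarfile.open(fileobj=io.BytesIO(droplet), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            match = JAR_RE.match(member.name.rsplit("/", 1)[-1])
            if match:
                bom.append((match["name"], match["version"]))
    return sorted(bom)


def scan_droplet(droplet, feed=SAMPLE_FEED):
    """Match the bill of materials against the feed; one finding per affected package."""
    findings = []
    for name, version in droplet_bom(droplet):
        for vuln in feed.get(name, []):
            if version in vuln["affected"]:
                findings.append({"package": name, "version": version, **vuln})
    return findings


def risk_score(finding):
    """Base score by severity, raised for each additional risk factor present."""
    score = {"critical": 9, "high": 7, "medium": 4, "low": 1}[finding["severity"]]
    if finding["exploit_exists"]:
        score += 2
    if finding["attack_vector"] == "network":
        score += 1
    return score


def policy_violations(findings, min_score=8):
    """Findings worth an alert: at or above the threshold, worst first."""
    return sorted((f for f in findings if risk_score(f) >= min_score),
                  key=risk_score, reverse=True)


def select_apps(app_names, pattern):
    """Wildcard selection of droplets to scan, e.g. 'payments-*' (fnmatch semantics assumed)."""
    return sorted(n for n in app_names if fnmatch.fnmatchcase(n, pattern))


if __name__ == "__main__":
    droplet = build_sample_droplet()
    print("BOM:", droplet_bom(droplet))
    for f in policy_violations(scan_droplet(droplet)):
        print(f"ALERT {f['id']} {f['package']}@{f['version']} score={risk_score(f)}")
```

Run as-is, it reports three packages in the bill of materials and raises an alert only for the critical finding with a known exploit and a network attack vector; the high-severity local finding stays below the threshold, which is the behaviour the risk factors are meant to produce. In a real deployment the droplet bytes would come from the blobstore and the feed from the scanner's vulnerability database, not from the constructed data here.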
Pivotal Application Service enables fast, scalable, and highly available cloud native application deployments. Twistlock adds security scan support for your PCF droplets including easy sharing of reports along with multiple methods for alerting the proper personnel when risky components are present in your droplets.
Fast, easy, and secure!
*Pivotal Application Service support is currently in beta.