At Twistlock, we have continually discussed the need to manage and prioritize risk in containerized applications. Pipeline management is certainly a challenge for today’s enterprises–especially when they potentially have 100,000 images and containers being used by hundreds or thousands of developers. Enterprises want to ensure that they are deploying secure applications without known vulnerabilities in a scalable, repeatable way that doesn’t impact developer workflows.
The impact of vulnerabilities and the need for image scanning
According to Forrester, “Vulnerabilities remain a top concern for security decision makers: 35% of global security decision makers who experienced an external breach said that it occurred due to software vulnerabilities.”1
Security personnel don’t have to look far to see how damaging a breach can be–that’s why container image scanning is a key step to identifying vulnerabilities early in the application lifecycle and preventing vulnerabilities from progressing to the registry or being deployed in production.
In the Forrester Now Tech: Software Composition Analysis, Q1 2019 report, Forrester identifies solutions that can scan code, provide a bill of materials, and identify open source licenses. While the software composition analysis (SCA) market covers a range of uses cases, languages, and integration points, Twistlock was cited in the report for primary functionality in SCA-adjacent container security, which is noted for the ability to scan at-rest containers for vulnerabilities.
SCA and containers: Pipeline security benefits — Twistlock’s view
Scanning images for vulnerabilities when code is built is essential: Shifting security left, by scanning during the image build, allows organizations to reduce costs and improve code quality compared to only scanning running container images in production.
Quality gates provide an automated control mechanism to secure modern software delivery pipelines: Once organizations build a repeatable CI process and integrate image scanning, they can further enhance their workflows by enforcing what images can progress to the registry and potentially be deploying into running production environments. Security teams should be able to create policies that fails builds that don’t meet desired policies. For example, in the build for a payment app, block any build impacted by a CVE with a medium or higher CVSS rating and for which a vendor fix is available. This ensure that only images that pass your security requirements are signed and pushed to your registry.
Security teams can assist developers by providing access to secure, trusted images and registries: Within Twistlock, we offer security and infrastructure architects the ability to leverage Trusted Images or Trusted Registries that isolate a specific image, base layer, or set of images correlated to specific hosts or user groups. This allows infrastructure architects or security professionals to prevent unwanted, insecure images, such as those from a public repository, from entering production environments. Developers can begin building and updating their images from a trusted set of building blocks.
Cloud native security requirements outside of SCA
At Twistlock, we believe cloud native applications span VMs, containers, and serverless technologies–requiring a full stack, full lifecycle approach to security. A modern security approach integrates security with the build process, at the registry, and in production environments. Security focuses on both building and deploying secure applications, while also protecting those cloud native applications at runtime with defense-in-depth.
Learn more about the container security market
At the end of last year, Forrester published its Now Tech: Container Security, Q4 2018 report that looks at trends in container adoption, core security requirements for securing containers, and an overview of the container security market landscape. Forrester recognizes Twistlock as a Container Security Platform based on required capabilities.2
The report is available for download here.
1. Forrester Now Tech: Software Composition Analysis Q1, 2019, Forrester Research, Inc. 24 January 2019.
2. Forrester Now Tech: Container Security, Q4 2018, Forrester Research, Inc., 3 October 2018.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.