The Twistlock for Pivotal Cloud FoundryⓇ(PCF) tile is now generally available . Customers are running our tile in their production environments. Get the Twistlock for PCF tile from the Pivotal Network to try it out.
Scanning for applications and container artifacts
Through our tile for PCF, the Twistlock Cloud Native Cybersecurity Platform provides full lifecycle security for containerized environments and cloud-native applications running on the PCF platform. Applications and container artifacts, as they are deployed to the platform, are continuously scanned for vulnerabilities and scan reports can be shared and reviewed across development, DevOps, and security teams. Teams can set up alerts and route them to the right party on the right channel (email, Slack, PagerDuty, JIRA, and others) when the scanner finds issues that violate policy. These real-time alerts ensure that you’re up to speed on your exposure and can devise timely plans to mitigate critical issues.
PCF architecture overview
As a review, PCF is a unified, multi-cloud platform that runs enterprise applications on your infrastructure of choice, abstracting details of the underlying infrastructure such as storage, networking, and hosts.
The PCF platform offers development teams multiple levels of abstraction. Teams can run an existing containerized workload on Pivotal Container Service® (PKS) for container orchestration that provides a scalable enterprise Kubernetes environment, or, simply push their code (Java, .NET, Node.js etc.) to Pivotal Application Service® (PAS), where the platform automates the container-build to deploy the application instance onto the cloud platform via a construct called “droplet”.
Droplets are archives that contain ready to run applications. Droplets contain the OS stack, a buildpack (which contains the languages, runtimes, libraries, and services used by the app), and custom app code. Before running an app on your infrastructure, the Cloud Controller stages it for delivery by combining the OS stack, buildpack, and source code into a droplet, then storing the droplet in a blobstore. If you’re familiar with Docker, droplets are comparable to container images and blobstores to container registries.
Establishing security gates at key junctures in your deployment pipeline helps control your exposure to risk. Twistlock’s command-line scanning tool, twistcli, is PCF-enabled and can be quickly integrated into your CI/CD pipeline as a build step. Twistcli can scan droplets (in addition to Docker/OCI images and serverless functions), and pass or fail builds based on the results. This surfaces vulnerabilities that violate your security team’s policy early in the process, when it’s easier to address and impossible to exploit.
Regardless of whether your application is deployed on PAS or PKS, Twistlock Defender can be deployed to secure your applications and containers at runtime. Twistlock Defender provides visibility into what an app is doing at runtime and gives you a point of control when something suspicious happens. Twistlock’s RASP Defender can be embedded directly into your PAS apps. If you’re deploying your app to PKS, simply deploy Twistlock Defender as a DaemonSet. On PKS, Twistlock can monitor and control your apps externally, so there’s no need to embed anything into it.
With the Twistlock for PCF tile now generally available, you can leverage Twistlock’s powerful capabilities to surface vulnerabilities that can pose a real threat to your organization. This capability is a great complement to our support for securing hosts (VMs, cloud, physical), containers, Kubernetes, and serverless functions.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
How to Lock Down the Kernel to Secure the Container HostRead the Blog
One Chapter Ends, Another BeginsRead the Blog
The Greatest Security Risks Lurking in Your CI/CD PipelineRead the Blog
Cloud Platform Radar: Powerful Cloud Asset IdentificationRead the Blog
Securing Serverless Functions: Visibility with Serverless RadarRead the Blog