Twistlock Announces Runtime Security Solution For Docker Containers

Twistlock announced the availability of an advanced container security solution that can analyze containers stored in Docker Hub as well as containers stored in other registries. Twistlock Runtime analyzes container images by building a list of expected behaviors for each image, then scanning the containers as they run and comparing what they actually do against those expected behavior patterns.

It’s been a big week for container security. Just Tuesday, Docker announced the availability of Docker Security Scanner (DSS) for users of Docker Private Repositories. However, Twistlock Runtime has some key differences from the Docker solution. For most users, the differences are profound enough that using both is worth considering. For organizations that store their container images outside of Docker Hub, this makes even more sense.

Customers use Docker Hub as one of the places to store images, but many also have their own registries, including JFrog Artifactory, Google Cloud Platform and Amazon Web Services (AWS) container registry services. Twistlock can scan the containers stored in all of those locations, whereas DSS does not.

Twistlock Runtime does share some similarities with DSS. Both begin their security analysis on the images, creating a manifest of sorts. DSS builds a Bill of Materials (BoM) that lists the frameworks and libraries used by the application; Twistlock goes deeper, creating a DNA profile of the container. The DSS Bill of Materials is checked against a database of security vulnerabilities and can report on the vulnerability status of the application. Twistlock's DNA profile serves as a set of rules when scanning the containers as they run, and it looks at a wide range of behaviors to identify anomalies and threats.

These behavior patterns can recognize anomalous process activity (the creation of processes the container should not need), system calls the container should not be making, network activity outside of what is expected, and file-level access, by observing which files are written to.
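The profile-versus-runtime comparison described above, as an added illustration that is not Twistlock's code or data format: a constructed expected-behavior profile for an nginx-style container is checked against a constructed stream of observed process, syscall, network and file-write events, and each deviation becomes a finding. The profile fields, event schema and sample values are assumptions made for the example.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class RuntimeProfile:
    """Expected behaviour learned from the image (constructed; not Twistlock's format)."""
    processes: set            # executables the container is expected to spawn
    syscalls: set             # system calls it is expected to make
    egress_cidrs: set         # destination networks it is expected to talk to
    writable_prefixes: tuple  # paths it is expected to write under

def check_event(profile, event):
    """Return a finding if the observed event deviates from the profile, else None."""
    kind = event["type"]
    if kind == "process" and event["exe"] not in profile.processes:
        return f"unexpected process: {event['exe']}"
    if kind == "syscall" and event["name"] not in profile.syscalls:
        return f"unexpected syscall: {event['name']}"
    if kind == "net":
        dst = ipaddress.ip_address(event["dst"])
        if not any(dst in ipaddress.ip_network(c) for c in profile.egress_cidrs):
            return f"unexpected egress: {event['dst']}:{event['port']}"
    if kind == "file_write" and not event["path"].startswith(profile.writable_prefixes):
        return f"unexpected file write: {event['path']}"
    return None

def scan(profile, events):
    """Run every observed event against the profile and collect the deviations."""
    return [f for f in (check_event(profile, e) for e in events) if f is not None]

# Constructed profile for an nginx-style web container (illustrative values).
NGINX_PROFILE = RuntimeProfile(
    processes={"/usr/sbin/nginx"},
    syscalls={"accept4", "read", "write", "epoll_wait", "openat", "close"},
    egress_cidrs={"10.0.0.0/8"},
    writable_prefixes=("/var/log/nginx/", "/var/cache/nginx/", "/tmp/"),
)

# Constructed runtime events as a sensor might report them; the last four deviate.
SAMPLE_EVENTS = [
    {"type": "process", "exe": "/usr/sbin/nginx"},
    {"type": "syscall", "name": "accept4"},
    {"type": "file_write", "path": "/var/log/nginx/access.log"},
    {"type": "process", "exe": "/bin/sh"},
    {"type": "syscall", "name": "ptrace"},
    {"type": "net", "dst": "203.0.113.7", "port": 8443},
    {"type": "file_write", "path": "/etc/passwd"},
]
```

Calling `scan(NGINX_PROFILE, SAMPLE_EVENTS)` yields one finding per deviating event; the first three events match the profile and produce none.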

Twistlock Runtime is available now and is part of the Twistlock platform. Developers or small teams interested in trying it can use the Developer Edition, which is completely free but limits the number of repositories and hosts it connects to and comes with community-based support only. Upgrading to an Enterprise license is the way to go for organizations that are further along; it includes full support and unlimited and containers.

May 12, 2016 | by Michael Simmons