At a Gartner Security and Risk Management conference today, Qualys announced it has extended its continuous monitoring service to support Docker containers.
Qualys developed a container sensor that can be distributed as a Docker image to make it simpler for IT organizations to incorporate ongoing security and compliance processes within the context of a continuous integration/continuous deployment (CI/CD) environment, says Hari Srinivasan, director of product management. To achieve that goal, Qualys has exposed a REST API that DevOps teams can invoke. The container sensor is expected to be available in beta in Q3 and generally available in Q4.
Srinivasan notes that achieving compliance and maintaining security is more challenging than ever, given the ephemeral nature of containers. Not only are Docker containers being developed rapidly, but they are replaced every time a developer wants to add new functionality. Each new deployment, however, brings with it a raft of potential configuration and software vulnerabilities. Because of that issue, Srinivasan says, Qualys developed a new type of sensor designed specifically for containers to complement its existing portfolio of virtual appliance software.
Rather than requiring organizations to acquire and master two separate sets of tools, the Qualys service can be invoked within the context of a larger approach to DevSecOps. In fact, Srinivasan says one of the company’s major differentiators now is that the same service can be employed to monitor both virtual machines and containers. Within a container environment, Qualys provides scanning of images, registries and containers in addition to the underlying host operating system. That approach makes it easier for IT security teams to pinpoint issues at a time when developers are bundling various types of software infrastructure inside a container that usually gets deployed on a lightweight operating system.
The Qualys service provides a detailed inventory of the environment that can be discovered using a metadata search tool to identify assets based on multiple attributes. Qualys also provides a topology view to visualize specific types of container assets and their relationships to one another.
One of the bigger issues that many organizations are now wrestling with is to what degree developers want to be part of the DevSecOps process. In some organizations, developers are now responsible for a container-based microservice end to end, which includes securing it and handling any associated compliance issues. In other organizations, a more traditional separation of duties continues to exist between developers who build applications and IT security teams responsible for ensuring their security. To be sure, developers are working more closely than ever with those IT security teams. At least for now, however, the decision concerning which monitoring tools to employ more often resides with the IT security team than with the developer, although the latter can certainly exercise a lot of influence.