As an early pioneer in the development of a security framework optimized for containers, Twistlock has been at the forefront of securing emerging technology platforms. Now the company is extending that security framework to support serverless computing frameworks such as AWS Lambda, Google Cloud Functions and Azure Functions.
The first instance of Twistlock’s security capabilities for serverless frameworks is manifesting in the form of a private beta of Twistlock Vulnerability Explorer. General availability of those capabilities is expected this fall.
Twistlock CTO John Morello says the leap from securing containers to also securing serverless computing frameworks is not all that large. It essentially means adding support for another layer of abstraction for frameworks that generally make use of event-driven architectures based on microservices developed using containers, says Morello.
By extending support to serverless computing frameworks, Morello says it will become easier for IT organizations to unify DevSecOps management at a time when they increasingly will invoke serverless computing frameworks in the cloud alongside lower-level instances of containers deployed on-premises and in the cloud.
Twistlock’s core product portfolio also includes Twistlock Trust, a set of capabilities that manages container vulnerabilities and enforces compliance practices, and Twistlock Runtime Radar, a collection of runtime functions that provides behavior analytics around containerized applications and helps defend against zero-day threats in the production environment. By extending those capabilities into the realm of serverless computing frameworks, Morello says IT organizations now can employ a common framework to gain security visibility into multiple classes of microservices-based applications.
IT security professionals should expect to rely more on machine-learning algorithms as IT security continues to evolve, Morello says. With the rise of containers and serverless computing frameworks, the rate of change within IT environments is moving well past the ability of an IT security team to manually keep pace, he notes. The challenge now is to make sure security frameworks that automate as much of the security process as possible are embedded into continuous integration (CI) frameworks such as Jenkins. Twistlock will be demonstrating that capability at the Jenkins World 2017 conference next week.
Because adoption of containers and serverless computing frameworks is being led largely by developers, many IT security professionals find themselves playing catch-up when it comes to securing microservices. As the volume of microservices increases, there’s more of an imperative to make developers more accountable for security by requiring them to focus more on security issues during the development of the application. And, instead of issuing patches for vulnerabilities after an application is deployed in production, developers using containers can more easily remediate issues by swapping out one set of containers for another.
Of course, getting developers to focus more on security has been an IT goal for as long as most anyone can remember. What’s changing now is that the rise of microservices is finally forcing the issue.