Tripwire has extended a set of DevOps tools for managing and securing applications based on containers to include a Docker container configuration assessment capability.
Tim Erlin, vice president of product management and strategy for Tripwire, says this latest capability being added to the Tripwire for DevOps portfolio will make it easier for organizations to use a set of software-as-a-service (SaaS) tools to secure containers as part of an integrated DevOps process for building and deploying containerized applications. The existing Tripwire services scan container images and container registries for vulnerabilities.
Tripwire is making the case for managing container security as an extension of the security and compliance tools it already provides. Rather than requiring organizations to acquire and master an entirely separate set of tools, Tripwire contends most organizations will need to ensure security and compliance across both existing legacy applications and emerging cloud-native applications based on containers.
To that end, Tripwire for DevOps has been integrated with Jenkins and TeamCity continuous integration/continuous development (CI/CD) tools and is compatible with all Docker v2 repositories. There’s also a REST application programming interface (API) and command line interface for DevOps engineers to write custom integrations.
Erlin says configuration assessment has proved to be especially problematic because cyber criminals have become especially adept at looking for misconfigurations they can exploit. In fact, the primary root cause of most cloud security issues is attributable to one degree or another to a configuration issue. Tripwire is now trying to make container configuration assessment a security gate within any DevOps process, he says, adding that establishing those gates is a critical element of extending those processes into the realm of DevSecOps. In fact, Erlin says instituting those processes is much simpler when the tools required are made available as a set of SaaS applications that can be accessed from anywhere.
Unfortunately, most adoption of DevSecOps processes is nascent at best. A report published earlier this year by Tripwire notes almost two-thirds of the organizations admit they do not use hardening benchmarks, such as the Center for Internet Security (CIS) or Defense Information Systems Agency (DISA) guidelines, to even establish a cybersecurity baseline.
Of course, the rate at which IT organizations are adopting containers may soon force the DevSecOps issue. Existing cybersecurity tools are a lot more focused on trying to secure IT environments after an application has been deployed. The rate at which containerized applications are deployed and updated far exceeds the capabilities of most cybersecurity teams to keep pace. To compensate for that issue without slowing down the rate at which applications are developed and deployed, many organizations will need to shift responsibility for implementing security and compliance controls onto the shoulders of developers. Those developers, however, still need to be educated on what controls need to be implemented when.
Naturally, it’s going to take a while for most organizations to make that transition. But given all that’s at stake, making that shift has become an absolute requirement.