Containers are great and provide organizations with the platform and tools necessary to develop and deploy applications more efficiently than traditional software applications or virtual machines. Containers also have the potential to exponentially increase your exposure to vulnerabilities and risk. Tenable Network Security just released a new version of Nessus that can help you monitor and manage vulnerabilities in your Docker environment.
Security has been a growing concern when it comes to Docker—and containers in general—for the past year or so. There have been a variety of alternate container platforms introduced that are designed to be more secure, and Docker itself has taken steps to make its own containers more secure.
Despite the progress being made, container security is still an issue, though. One primary concern is that the container ecosystem tends to be volatile—so it’s a challenge just to keep up with the containers that are active in your environment at any given time. Beyond that, you still need to be able to identify and remediate vulnerabilities in the containers that might expose your network or data to risk.
Nessus is the de facto leader when it comes to vulnerability management. It has been around for nearly 20 years and is perennially ranked in the top 5 of the SecTools.org list of top network security tools. The latest release—Nessus 6.6—adds Docker auditing to the mix so you can effectively monitor and protect your Docker container ecosystem. A Tenable blog post explains, “Users need to take additional steps to lock down the kernel, reduce the attack surface of the docker daemon and harden the container configuration to have a truly secure setup.”
Nessus 6.6 includes a Docker Service Detection plugin that can detect Docker installs and enumerate all of the active containers on a given Docker host. Tenable also notes that containers share the kernel with the host OS, which means that any kernel-level vulnerability is magnified across all of the containers running on that host. According to Tenable, a credentialed patch audit of the Docker host can help identify existing vulnerabilities so you can properly address them.
In addition, Nessus 6.6 includes support for the Docker benchmark from the Center for Internet Security (CIS). Nessus can audit your Docker environment against the CIS benchmark to identify areas where your Docker security falls short.
Finally, Nessus 6.6 can also audit the configuration of the Docker containers themselves. The Tenable blog explains, “Just select an audit and run a scan against the Docker host, and Nessus will automatically identify applicable containers and audit the configuration of those containers.”
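As an added illustration of the kind of container-configuration audit described above (this is example code written for this article, not Nessus or Tenable code), the script below reads the JSON array that `docker inspect` emits and flags a few CIS-benchmark-style weak settings: privileged mode, shared host PID or network namespace, no user set, no memory limit, and added capabilities. The sample input is constructed inline and the check names are my own labels, not benchmark identifiers.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output,
# trimmed to the fields the checks below actually read.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "bridge",
            "Memory": 0,
            "CapAdd": ["SYS_ADMIN"],
        },
    },
    {
        "Id": "bbb222",
        "Name": "/api",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "Memory": 268435456,
            "CapAdd": None,
        },
    },
])

def audit_container(c):
    """Return a list of (check, detail) findings for one inspect record."""
    hc = c.get("HostConfig", {})
    cfg = c.get("Config", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(("privileged", "container runs with --privileged"))
    if hc.get("PidMode") == "host":
        findings.append(("host_pid", "shares the host PID namespace"))
    if hc.get("NetworkMode") == "host":
        findings.append(("host_network", "shares the host network namespace"))
    if not cfg.get("User"):
        findings.append(("root_user", "no user set; processes run as root"))
    if not hc.get("Memory"):
        findings.append(("no_memory_limit", "no memory limit configured"))
    for cap in hc.get("CapAdd") or []:
        findings.append(("cap_add", f"extra capability {cap}"))
    return findings

def audit_inspect_json(text):
    """Map container name -> findings for a docker inspect JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}
```

On a live host the same function can be fed the output of `docker inspect $(docker ps -q)`; the constructed sample yields five findings for `web` and none for `api`.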
Docker is one of the most respected and widely used container platforms, and Nessus is one of the most respected and widely used vulnerability scanning solutions. Combining the two enables organizations to take advantage of the agility and efficiency of Docker containers with the security, confidence and peace of mind provided by Nessus. It also means that the security of your Docker container environment can be monitored and managed as part of a more comprehensive network security strategy rather than as a separate silo.
Tenable’s Mehul Revankar wraps up with, “Yesterday it was virtualization, today it is containerization, and tomorrow it will be something else. Tenable will adapt, evolve and align with your needs as new technologies come online. Support for auditing Docker is just one more new technology that we have added to your arsenal.”