NeuVector today announced it has added a configuration posture management and deployment assessment tool for Kubernetes resources to its namesake container security platform.
Glen Kosaka, vice president of product management for NeuVector, says this scanning tool enables IT and security teams to immediately identify compliance issues within Kubernetes resources and then automatically apply admission control policies. Scan results evaluate YAML files against built-in best practices for secure deployments and/or against custom admission control rules that have been created by an internal IT team.
The goal is to improve cloud security posture management (CSPM) by making it easier to identify and prevent misconfigurations of Kubernetes resources that, given the inherent complexity of the platform, tend to occur with greater frequency than in legacy IT environments, notes Kosaka.
The addition of this tool also enables DevOps teams to build configuration management directly into their pipeline via a four-step process that can drive DevSecOps best practices. They can first assess a continuous integration/continuous delivery (CI/CD) pipeline for vulnerabilities within container images and deployment files.
They can also prevent unauthorized deployments using admission controls based on Kubernetes resource scans, including continuous audits of the host, orchestrator and container configurations. In addition, DevOps teams can automate and enforce runtime security policies with a zero-trust model that relies on security policy-as-code attached to custom resource definitions (CRDs) to block all unauthorized network, process and file activity.
Finally, they can generate alerts and reports to analyze security events based on forensic data captured and on the issues discovered by the platform.
Collectively, those capabilities ensure that DevOps teams can continually maintain compliance with a wide range of mandates using this scanning tool in collaboration with existing capabilities that include Center for Internet Security (CIS) benchmarks, custom compliance checks, secrets detection and serverless permissions auditing.
In the wake of a series of high-profile cybersecurity breaches, many organizations are now reviewing their software supply chain processes. The percentage of Kubernetes-based applications deployed in production environments is still relatively small. However, many of the new applications organizations are developing are based on microservices destined to be deployed on Kubernetes clusters. NeuVector is making a case for an approach to CSPM that is based on a platform that natively integrates with a Kubernetes environment to ensure those applications are secure.
It’s not clear to what degree organizations are adopting DevSecOps best practices across the entire software development life cycle. However, it’s a lot easier to implement those practices during the early stages of an application development project than it is to graft them onto an application development project that is continuously updating an existing application.
There is a unique opportunity to build and deploy cloud-native applications that are inherently more secure than previous generations of monolithic applications. In addition to shifting more responsibility for application security further left toward developers, this opportunity requires increased collaboration between security and DevOps teams that today, unfortunately, often have competing priorities. DevOps teams, as a general rule, are trying to deploy applications as quickly as possible. The issue they often encounter is that the application gets rejected at the last possible minute because it violates one compliance policy or another. The time to discover that issue was, of course, several months earlier when the application was first being built rather than after its initial deployment.