Qualys at the DockerCon 2018 conference this week unfurled Qualys Container Security (CS), a cloud-based application that promises to make it easier to embed container security controls into DevOps processes.
Hari Srinivasan, director of product management for cloud and virtualization security, says Qualys CS is designed to extend the cloud services the company developed for other platforms into the realm of containers. Most organizations today don’t want to deploy separate frameworks for container security. The Qualys approach is to leverage the cloud to provide a single framework that can be applied across multiple platforms and types of applications, he says.
Qualys CS provides inventory and real-time tracking of changes to containers deployed across on-premises and cloud computing environments, including detection of vulnerabilities and level of compliance across image registries, containers and the hosts they run on.
Cybersecurity, Srinivasan says, starts with visibility. Qualys CS enables cybersecurity teams to discover container hosts wherever they are located on-premises or in clouds. As part of the process, Qualys CS also gathers topographic information about images, image registries and containers spun from those images. IT security teams can then use that intelligence to enforce policies to block the use of images that have specific vulnerabilities, or that have vulnerabilities above a certain severity threshold.
IT security teams also can search for images with high-severity vulnerabilities, unapproved packages, or tags that are out of date, superseded or test releases. Qualys CS can be used to determine the potential impact those images might have on the organization’s security posture, and even whether these images are cached on different hosts, including all the containers that might be exposed on vulnerable network ports or running with privileges. IT security teams can also drill down to see how vulnerabilities in the host might impact cybersecurity.
Qualys CS also makes it possible to detect runtime security and configuration drift, meaning a running container that differs from the original parent image it was spun from. Policy-based orchestration tools would then prevent those images from being spun up on a Kubernetes cluster.
Finally, developers can also engage in continuous vulnerability detection and remediation by making use of plugins for continuous integration/continuous deployment (CI/CD) platforms such as Jenkins or Bamboo or invoking REST application programming interfaces (APIs), Srinivasan says.
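The policy controls described above (blocking images that carry specific vulnerabilities, exceed a severity threshold or contain unapproved packages, and flagging containers that have drifted from their parent image) can be wired into a CI/CD job as a gate. The following is an added illustration, not Qualys code and not its API: the scan findings, vulnerability identifiers and package names are constructed placeholders, and the severity ordering is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed severity ordering; a real scanner's scale would be substituted here.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    vuln_id: str   # scanner-reported identifier (constructed placeholders below)
    severity: str  # expected to be a key of SEVERITY_RANK
    package: str

@dataclass
class Policy:
    max_severity: str                                   # highest severity still allowed
    blocked_ids: set = field(default_factory=set)       # vulnerabilities never allowed
    blocked_packages: set = field(default_factory=set)  # unapproved packages

def evaluate_image(findings: List[Finding], packages: List[str], policy: Policy) -> Dict:
    """Gate verdict for one image: {'allowed': bool, 'reasons': [str, ...]}."""
    reasons = []
    limit = SEVERITY_RANK[policy.max_severity]
    for f in findings:
        if f.vuln_id in policy.blocked_ids:
            reasons.append(f"blocked vulnerability {f.vuln_id} in {f.package}")
        # Unknown severities rank above every threshold so the gate fails closed.
        elif SEVERITY_RANK.get(f.severity.lower(), 99) > limit:
            reasons.append(f"{f.severity} vulnerability {f.vuln_id} in {f.package} "
                           f"exceeds allowed severity '{policy.max_severity}'")
    for p in packages:
        if p in policy.blocked_packages:
            reasons.append(f"unapproved package {p}")
    return {"allowed": not reasons, "reasons": reasons}

def detect_drift(image_packages: List[str], container_packages: List[str]) -> List[str]:
    """Packages present in a running container but absent from its parent image."""
    return sorted(set(container_packages) - set(image_packages))

# Constructed sample scan output; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-PLACEHOLDER-1", "medium", "libexample"),
    Finding("VULN-PLACEHOLDER-2", "critical", "tls-example"),
]
SAMPLE_PACKAGES = ["libexample", "tls-example", "netcat-example"]
POLICY = Policy(max_severity="medium",
                blocked_ids={"VULN-PLACEHOLDER-9"},
                blocked_packages={"netcat-example"})

if __name__ == "__main__":
    verdict = evaluate_image(SAMPLE_FINDINGS, SAMPLE_PACKAGES, POLICY)
    print(verdict)
    raise SystemExit(0 if verdict["allowed"] else 1)  # non-zero exit fails the pipeline stage
```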
As responsibility for cybersecurity invariably moves further to the left, developers and IT security teams need to find ways to more efficiently collaborate, he says. Developers are taking more responsibility for securing applications, but there is still a need to continuously monitor the cybersecurity defenses once those applications are deployed in a production environment.
The good news, Srinivasan adds, is the applications that are being built using containers are not only more secure, they also are much easier to fix if there is an issue—instead of having to patch the entire application, developers can simply rip and replace a few containers.
It is not clear what effect the transition to containers will have on legacy cybersecurity infrastructure. But what is for certain is that it’s now only a matter of time before cybersecurity professionals start insisting applications are built using containers.