Sysdig Allies With Snyk to Improve Container Security

Sysdig and Snyk are integrating their respective security technologies to enable organizations to better secure the entire container life cycle.

Eric Carter, director of product marketing for Sysdig, says the integration of Sysdig Secure with Snyk Container will make it simpler to remediate vulnerabilities in containers that are discovered by the Sysdig platform.

Sysdig Secure is a container intelligence platform that unifies monitoring with enforcement of security policies, using the open source Falco engine to secure container runtimes. Falco was originally developed by Sysdig and is now hosted by the Cloud Native Computing Foundation (CNCF). Sysdig Secure also includes a Kubernetes Policy Advisor that helps organizations define security policies for their workloads; Falco Tuning, which adjusts Falco's runtime rules to cut down on noisy alerts; and Activity Audit, an incident response and auditing tool.

Jim Armstrong, senior product manager for Snyk, says the intelligence collected by Sysdig Secure can now be passed on to Snyk Container, a software-as-a-service (SaaS) application that scans for vulnerabilities in containers. Sysdig provides the context Snyk users need to pinpoint exploitable packages active in production applications, he adds.

The goal is to make it easier for developers to identify the vulnerabilities present in their containers, and how severe they are, as part of a broader effort to shift responsibility for security further left. Scanning for vulnerabilities becomes harder as the number of containers in use grows. Many of those containers run for only a few minutes, but they are often built from images that already carry vulnerable packages.

In fact, a recent report published by Sysdig finds that 85% of the container images running in production environments contain at least one vulnerability, and three-quarters (75%) of those vulnerabilities are rated "high" or "critical." The challenge is that while a container may carry many vulnerabilities, developers have only a limited amount of time to devote to remediation. They therefore need to prioritize remediation based on the severity of each vulnerability and on whether the affected package is actually in use at runtime, rather than merely present in the image.
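The prioritization the two preceding paragraphs describe, combining a scanner's list of vulnerable packages with runtime evidence of which packages a running container actually loads, is shown below as an added example. It is not code from Sysdig or Snyk, and the scan and runtime record formats, image names, package names and `EXAMPLE-` vulnerability IDs are all constructed for illustration; the real products expose their own APIs and data formats, which this example does not model.

```python
"""Rank container-image findings so that vulnerable packages observed in use
at runtime come first, then by severity, fix availability and exposure.

Added example; the record layouts below are constructed, not the Sysdig or
Snyk formats.
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed scanner output: one row per vulnerability per package per image.
# "fixed_in" is None when no fixed version is published.
SCAN_FINDINGS = [
    {"image": "shop/api:1.4", "package": "openssl", "version": "1.1.1k",
     "id": "EXAMPLE-0001", "severity": "critical", "fixed_in": "1.1.1l"},
    {"image": "shop/api:1.4", "package": "libxml2", "version": "2.9.10",
     "id": "EXAMPLE-0002", "severity": "high", "fixed_in": None},
    # vim is installed in the image but never executed by the running service.
    {"image": "shop/api:1.4", "package": "vim", "version": "8.2",
     "id": "EXAMPLE-0003", "severity": "critical", "fixed_in": "8.2.3"},
    {"image": "shop/worker:2.0", "package": "curl", "version": "7.74.0",
     "id": "EXAMPLE-0004", "severity": "high", "fixed_in": "7.79.0"},
    {"image": "shop/worker:2.0", "package": "curl", "version": "7.74.0",
     "id": "EXAMPLE-0005", "severity": "medium", "fixed_in": "7.79.0"},
    # This image is scanned but not running anywhere.
    {"image": "shop/legacy:0.9", "package": "zlib", "version": "1.2.11",
     "id": "EXAMPLE-0006", "severity": "critical", "fixed_in": "1.2.12"},
]

# Constructed runtime observations, one row per (cluster, image, package):
# packages whose files were executed or loaded by running containers, and how
# many containers did so. This is the kind of context a runtime agent supplies.
RUNTIME_ACTIVITY = [
    {"image": "shop/api:1.4", "package": "openssl", "containers": 12},
    {"image": "shop/api:1.4", "package": "libxml2", "containers": 12},
    {"image": "shop/worker:2.0", "package": "curl", "containers": 3},
    {"image": "shop/api:1.4", "package": "openssl", "containers": 4},
]


def active_packages(runtime):
    """Map (image, package) -> total running containers that used the package."""
    totals = {}
    for row in runtime:
        key = (row["image"], row["package"])
        totals[key] = totals.get(key, 0) + row["containers"]
    return totals


def prioritise(findings, runtime):
    """Annotate every finding with runtime exposure and sort it for triage.

    Sort key, most important first: the package is actually loaded at runtime,
    severity, a fix exists, and how many containers are exposed.
    """
    active = active_packages(runtime)
    ranked = []
    for f in findings:
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            # Fail loudly rather than silently burying an unrecognised rating.
            raise ValueError(f"unknown severity {f['severity']!r} on {f['id']}")
        containers = active.get((f["image"], f["package"]), 0)
        ranked.append({**f, "in_use": containers > 0, "containers": containers})
    ranked.sort(
        key=lambda r: (r["in_use"], SEVERITY_RANK[r["severity"].lower()],
                       r["fixed_in"] is not None, r["containers"]),
        reverse=True,
    )
    return ranked


def remediation_queue(findings, runtime, limit=None):
    """Only the findings worth a developer's time: packages in use at runtime."""
    queue = [r for r in prioritise(findings, runtime) if r["in_use"]]
    return queue[:limit] if limit else queue


if __name__ == "__main__":
    for r in prioritise(SCAN_FINDINGS, RUNTIME_ACTIVITY):
        flag = "IN USE " if r["in_use"] else "dormant"
        fix = r["fixed_in"] or "no fix"
        print(f"{flag} {r['severity']:<8} {r['id']} {r['image']} "
              f"{r['package']} {r['version']} -> {fix} ({r['containers']} containers)")
```

Note how the ordering differs from a plain severity sort: the critical vulnerability in `vim` drops to the bottom because nothing in the running service loads it, and the image that is not running at all contributes nothing to the queue, while a fixable high finding in `curl` outranks an unfixable high finding in `libxml2`. The "in use" signal only suppresses, never upgrades, a finding, so a dormant package is still reported, just after the ones that are reachable today.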

It’s not clear to what degree responsibility for application security is shifting left toward developers. It tends to vary from one organization to another. However, more organizations are implementing DevSecOps best practices as part of an effort to better secure software supply chains. Most of the new applications being built and deployed are now based on microservices constructed using containers. As such, organizations are looking to automate as much of the container vulnerability remediation process as possible.

In the longer term, most container applications will likely prove more secure than their monolithic predecessors. It is easier to rebuild and redeploy a container from a patched base image than it is to patch a running monolithic application, although that advantage only materializes if the image is actually rebuilt rather than simply restarted. Known vulnerabilities in monolithic applications are sometimes never remediated at all, because the work pulls developers away from writing the code that delivers new features.

Of course, the paradox is that the more code that is written the greater the potential for vulnerabilities that might be exploited by cybercriminals. The challenge now is finding a way to enable developers to write more secure code without slowing down the pace at which those applications are being built and deployed.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
