Veracode Adds Container Support to Security Tool for Developers

Veracode is launching an early access program through which it is adding support for containers to its Continuous Software Security Platform.

Brian Roche, chief product officer for Veracode, says this offering will make it possible to push responsibility for container security as far left as possible. The offering embeds vulnerability scanning, secure configuration and secrets management capabilities within the continuous integration/continuous delivery (CI/CD) pipeline, he says.

The goal is to make it possible for developers to discover and remediate container security issues as they build images, he notes. That approach eliminates issues before containers are ever deployed in a production environment, Roche adds.

The Continuous Software Security Platform is designed to offer remediation advice to developers early in the software development life cycle. However, as developers continue to gain confidence in those recommendations, many will simply trust the platform to replace flawed containers with images that have been automatically hardened on their behalf, says Roche.

Most developers don’t have a lot of cybersecurity expertise, so they would prefer to have access to tools that automatically remediate security issues in a way they can understand. Most of their focus, however, is always going to be on writing code to add new capabilities rather than manually inspecting every container image for potential security flaws, adds Roche.

Far too many developers today still assume that because a container only runs for a few seconds, a cybercriminal will not have the time to discover and exploit it. Cybercriminals, however, are now continuously scanning for container vulnerabilities within software supply chains. In fact, the presence of containers indicates to them that an advanced application representing a valuable target has been deployed.

The Veracode Continuous Software Security Platform supports a variety of output formats, including plain text and JavaScript Object Notation (JSON), to make it easier for developers to identify issues, in addition to formats such as CycloneDX, Software Identification (SWID) tagging and Software Package Data Exchange (SPDX) for generating software bills of materials (SBOMs).

Given the rate at which containers are ripped and replaced, the ability to dynamically track what components are included in a container image is crucial any time a new zero-day vulnerability is discovered. The Continuous Software Security Platform makes it simpler to identify which container images need to be replaced in the event a vulnerability suddenly appears, says Roche.
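The lookup Roche describes, as an added example that is not Veracode's code: given CycloneDX JSON SBOMs for several container images and a newly published advisory, find the images whose components fall inside the affected version range. Matching on the purl base (type, namespace and name) rather than the bare component name keeps a similarly named package from a different namespace out of the results. The SBOMs, image names and advisory below are constructed sample data.

```python
"""Added example: match an advisory against CycloneDX SBOMs of container images."""
import json
import re

# Constructed: one minimal CycloneDX 1.4 SBOM per container image.
SBOMS = [json.dumps(d) for d in (
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"type": "container", "name": "shop/api", "version": "3.2.0"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.14.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         {"type": "library", "name": "jackson-databind", "version": "2.13.0",
          "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"type": "container", "name": "shop/worker", "version": "1.0.4"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.17.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"type": "container", "name": "shop/legacy", "version": "0.9.0"}},
     "components": [  # log4j 1.x lives under a different namespace, so it must not match
         {"type": "library", "name": "log4j", "version": "1.2.17",
          "purl": "pkg:maven/log4j/log4j@1.2.17"}]},
)]

# Constructed advisory; the id is a placeholder, not a real CVE.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER",
            "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
            "introduced": "2.0", "fixed": "2.15.0"}  # affected: introduced <= v < fixed


def _vkey(version):
    """Dotted numeric version -> comparable tuple (assumption: non-numeric parts sort low)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def affected_images(sboms, advisory):
    """Return {image:tag: [affected purls]} for every SBOM with a component in range."""
    hits = {}
    for raw in sboms:
        bom = json.loads(raw)
        img = bom["metadata"]["component"]
        image_ref = f'{img["name"]}:{img["version"]}'
        for comp in bom.get("components", []):
            purl = comp.get("purl", "")
            base, _, ver = purl.partition("@")      # split "pkg:type/ns/name@version"
            ver = ver.split("?")[0]                 # drop purl qualifiers if present
            if base != advisory["purl_base"]:
                continue
            if _vkey(advisory["introduced"]) <= _vkey(ver) < _vkey(advisory["fixed"]):
                hits.setdefault(image_ref, []).append(purl)
    return hits


if __name__ == "__main__":
    for image, purls in affected_images(SBOMS, ADVISORY).items():
        print(f"{image} must be rebuilt: {', '.join(purls)}")
```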

It’s not clear what effect remediating vulnerabilities early in the application development life cycle will have on the overall state of cybersecurity. As long as humans are involved in building applications, however, mistakes will still likely be made. As such, IT organizations would be well-advised to continue to secure container runtime environments. However, the number of instances where container runtimes are the cybersecurity ‘last resort’ should decline as the number of container images with potential issues declines.

It may take time before every developer has access to tools that automatically discover and remediate cybersecurity issues, but as these tools become more widely employed, cybersecurity professionals should be able to breathe easier.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.