IT organizations that have embraced Pivotal Cloud Foundry (PCF) now can download container security software from Aqua Security to scan containers running on the platform-as-a-service (PaaS) environment for vulnerabilities.
Now generally available on the Pivotal Network, Aqua Security for PCF automatically scans application and container artifacts for known vulnerabilities, using security intelligence feeds that Aqua Security updates continuously. Pre-configured policies can be applied to enforce, for example, that no secrets have been hard-coded into any application deployed on the PaaS.
While Kubernetes has emerged as the fastest-growing platform for deploying containers, many containers already run on top of PaaS environments such as Cloud Foundry, which is the most widely used PaaS in the enterprise.
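To make the "no hard-coded secrets" policy concrete, the following is an added example written for this page, not Aqua Security's code and not a description of how its scanner is implemented. It walks the text-like files of an unpacked artifact, applies a few well-known credential formats (the AWS access key ID format and PEM private-key headers are public; the generic keyword rule is a heuristic), and uses a Shannon-entropy threshold so templated placeholders and obvious test values are not flagged. The artifact layout, the file contents and the 3.5-bit threshold are all constructed assumptions for the example.

```python
"""Added example: a hard-coded-secret policy check over an unpacked
application/container artifact. Not Aqua Security's code; all file paths,
contents and thresholds below are constructed for illustration."""
import math
import re
from collections import Counter

# Detection rules. The AWS access key ID format (AKIA + 16 uppercase
# alphanumerics) and PEM private-key headers are public formats; the
# keyword rule is a generic heuristic that is filtered by entropy below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]*"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# File types that commonly carry configuration, and therefore secrets.
TEXT_SUFFIXES = (".env", ".yml", ".yaml", ".json", ".properties", ".pem",
                 ".key", ".py", ".js", ".go", ".java", "Dockerfile")

# Assumed threshold: random keys score well above this, English words below.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True for templated values such as ${DB_PASSWORD} or {{ secret }}, and
    for a few obvious dummy values, so they are not reported as secrets."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {
        "changeme", "password", "example", "xxxxxxxx"}


def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line; return one finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if rule == "assigned_secret":
                    value = m.group(2)
                    # Keep only values that look random; skip templates and
                    # low-entropy strings like "test-key".
                    if is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue
                findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


def scan_artifact(files: dict) -> list:
    """files maps path -> bytes, as read from an unpacked artifact.
    Binary blobs and files with non-configuration suffixes are skipped."""
    findings = []
    for path, data in files.items():
        if not path.endswith(TEXT_SUFFIXES):
            continue
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary content; out of scope for a text scanner
        findings.extend(scan_text(path, text))
    return findings


def enforce_no_secrets(files: dict) -> bool:
    """Policy gate: True when the artifact may be deployed, False when any
    hard-coded secret was found."""
    return not scan_artifact(files)


# Constructed sample artifact. The AWS values are the publicly documented
# AWS example credentials, not live keys.
SAMPLE_ARTIFACT = {
    "app/config.yml": b"db:\n  password: ${DB_PASSWORD}\n  host: db.internal\n",
    "app/.env": (b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "app/main.py": b'API_KEY = "test-key"  # low-entropy local default\nDEBUG = True\n',
    "app/keys/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                            b"(key material omitted in this constructed sample)\n"
                            b"-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for f in scan_artifact(SAMPLE_ARTIFACT):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
    print("deploy allowed:", enforce_no_secrets(SAMPLE_ARTIFACT))
```

On the sample artifact the gate fails: the `.env` file yields an access key ID and a high-entropy secret, and the PEM header in `server.key` is reported, while the templated `${DB_PASSWORD}` and the low-entropy `"test-key"` are left alone. In a real pipeline the same function would run against the unpacked droplet or image layers before the push is allowed to proceed.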
Upesh Patel, vice president of business development for Aqua Security, says most organizations will need to secure containers running in multiple types of runtime environments that will include PaaS environments, virtual machines and bare-metal servers. The company is in the process of establishing partnerships with vendors in all these areas to make it possible to apply security policies consistently wherever containers are deployed.
Aqua Security supports more than 40 languages, including Java, Go, C++, Python, Ruby and Node.js, as well as static binaries. DevOps teams also can integrate Aqua Security with their existing continuous integration/continuous delivery (CI/CD) tools for security testing, with Active Directory/LDAP for user authentication, and with security information and event management (SIEM) platforms to generate alerts and support audits.
In general, Patel notes that most organizations are still in the early stages of implementing DevSecOps processes. While many organizations are far down the path when it comes to DevOps, cybersecurity professionals by and large still don't know what it means to shift more responsibility left onto the shoulders of developers. Developers, meanwhile, are still coming up to speed on how to write application code that follows security best practices. But as use of containers in production environments grows, cybersecurity policies are increasingly expressed as code and embedded alongside applications. The dynamic nature of container environments, where creating and deploying a container takes seconds, requires a programmatic approach to securing the IT environment.
However, that doesn’t mean cybersecurity professionals don’t have a critical role to play. Beyond defining the cybersecurity policies that developers need to implement, there always will be new vulnerabilities discovered after a container is deployed in a production environment. Sound DevSecOps processes will make it possible to create a closed-loop system through which developers will be able to remediate cybersecurity issues in minutes based on alerts passed on by cybersecurity teams that identify new and emerging threats. In addition, cybersecurity teams will need to monitor IT environments for outdated modules of code containing vulnerabilities that may have been inadvertently deployed.
In the meantime, the race is on to put in place the tools required to create that closed-loop approach to cybersecurity, at a time when IT security professionals are once again playing catch-up with an emerging technology.