As more organizations shift the responsibility for securing application code onto the shoulders of DevOps teams, a need has arisen to more tightly integrate container cybersecurity with continuous integration/continuous deployment (CI/CD) platforms. To address that requirement, Aqua Security has added a plug-in for the Jenkins CI/CD platform to Aqua MicroScanner, its free vulnerability scanner for Docker container images.
Support for Jenkins is intended to facilitate a shift to the left occurring as part of the larger DevSecOps trend that is transforming how organizations secure applications in the age of containers, says Aqua CTO Amir Jerbi. Aqua MicroScanner embeds an executable and an additional step when creating a container using a Dockerfile, which then triggers a scan during the image build. That scan generates a report of the vulnerabilities found and suggests remediations. DevOps teams can choose to automatically fail a build when high-severity vulnerabilities are found. Integration with Jenkins makes it easier for DevOps teams to apply those cybersecurity checks across an entire application development pipeline, he says.
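The build-gate behaviour described above, as an added example rather than Aqua's own code or the Jenkins plug-in's logic: a small policy script of the kind a pipeline would run after the scan step, reading the scan report, counting findings by severity, printing a remediation line per finding and exiting non-zero when anything at or above the chosen threshold is present. The report schema, the image and package names and the finding identifiers (EXAMPLE-000x) are all constructed for the example; they are not MicroScanner's documented output format or real CVEs.

```python
"""CI gate for container image scan results (added example, not Aqua's code).

Exit status 1 means "fail the build"; a Jenkins shell step inherits that
status, so the pipeline stops before the image is pushed.
"""
import argparse
import json
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample report. The schema is an assumption for this example
# (packages with their installed version and the findings against them);
# it is NOT MicroScanner's documented format, and the identifiers are
# placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "image": "example.internal/web:1.4.2",
    "os": "debian:9",
    "resources": [
        {"name": "openssl", "version": "1.1.0f-3", "vulnerabilities": [
            {"id": "EXAMPLE-0001", "severity": "high", "fix_version": "1.1.0f-3+deb9u2"}]},
        {"name": "curl", "version": "7.52.1-5", "vulnerabilities": [
            {"id": "EXAMPLE-0002", "severity": "medium", "fix_version": "7.52.1-5+deb9u1"},
            {"id": "EXAMPLE-0003", "severity": "low", "fix_version": None}]},
        {"name": "bash", "version": "4.4-5", "vulnerabilities": []},
    ],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_sample() -> dict:
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def findings(report: dict) -> Iterable[Tuple[dict, dict]]:
    """Yield (package, vulnerability) pairs in report order."""
    for pkg in report.get("resources", []):
        for vuln in pkg.get("vulnerabilities", []):
            yield pkg, vuln


def summarize(report: dict) -> Dict[str, int]:
    """Count findings per severity level (unknown levels are still counted)."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for _, vuln in findings(report):
        level = vuln["severity"].lower()
        counts[level] = counts.get(level, 0) + 1
    return counts


def remediation(pkg: dict, vuln: dict) -> str:
    """One actionable line per finding: the fixed version if one exists."""
    fix = vuln.get("fix_version")
    if fix:
        return f"{vuln['id']}: upgrade {pkg['name']} {pkg['version']} -> {fix}"
    return (f"{vuln['id']}: no fixed {pkg['name']} package published; "
            "consider a newer base image")


def evaluate(report: dict, fail_on: str = "high",
             allowlist: Iterable[str] = ()) -> Tuple[bool, List[str], List[str]]:
    """Apply the build policy.

    A finding blocks the build when its severity is at or above `fail_on`
    and its identifier is not in `allowlist` (an explicitly accepted risk,
    which should be reviewed, not a permanent exception). Remediation
    lines are produced for every finding so the report stays useful even
    when the build passes. Returns (passed, blocking_ids, advice).
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    accepted = set(allowlist)
    blocking, advice = [], []
    for pkg, vuln in findings(report):
        advice.append(remediation(pkg, vuln))
        rank = SEVERITY_RANK.get(vuln["severity"].lower(), 0)
        if rank >= threshold and vuln["id"] not in accepted:
            blocking.append(vuln["id"])
    return not blocking, blocking, advice


def main(argv: List[str]) -> int:
    parser = argparse.ArgumentParser(description="Fail the build on severe image findings")
    parser.add_argument("report", nargs="?", help="scan report JSON (default: built-in sample)")
    parser.add_argument("--fail-on", default="high",
                        choices=sorted(SEVERITY_RANK, key=SEVERITY_RANK.get))
    parser.add_argument("--allow", action="append", default=[],
                        help="finding id to accept (repeatable)")
    args = parser.parse_args(argv)
    if args.report:
        with open(args.report) as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    passed, blocking, advice = evaluate(report, args.fail_on, args.allow)
    print(f"image {report.get('image', '?')}: {summarize(report)}")
    for line in advice:
        print("  " + line)
    if not passed:
        print(f"FAIL: {len(blocking)} finding(s) at or above {args.fail_on}: {', '.join(blocking)}")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the sample fail on the high-severity openssl finding; `--fail-on medium` tightens the policy, and `--allow EXAMPLE-0001` shows how an accepted risk lets the build through while the remediation advice is still printed. In a Jenkinsfile this would be a `sh` step whose non-zero exit marks the stage failed.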
Jerbi notes the biggest cybersecurity issues associated with using containers don't stem from the core container technology itself, but rather from the code developers encapsulate in those containers. Aqua MicroScanner checks operating system packages in Docker images for known vulnerabilities based on multiple aggregated sources, including the National Vulnerability Database (NVD) in the United States, vendor security advisories and information from software developers themselves. The Aqua Security Research Team further compares and resolves the results to keep track of any updates or differences, and to eliminate false positives.
When it comes to containerized application security, Jerbi says education remains the biggest hurdle. Initial concerns regarding application isolation have been largely addressed, he says, contending that containerized applications are more secure than legacy applications because it’s much easier to replace containers when there is an issue than to patch an entire monolithic application.
IT organizations should think of containers as adding yet another layer of security to their applications, he says, adding that not enough attention is being paid to the benefits of the container runtime environment from a cybersecurity perspective. Each runtime is part of a larger, well-defined microservice such that any deviation from the communications paths clearly denotes a breach, Jerbi notes.
Increased reliance on containers is clearly driving more organizations to embrace DevOps processes to bring order to what might be a chaotic process. Those processes are now being extended to include cybersecurity reviews of applications before they get deployed in a production environment. In fact, developers for the first time have an effective means to address cybersecurity issues in a way that doesn’t slow down the rate at which applications are being built.
It may take a while longer for DevSecOps to become the dominant model most organizations employ to build applications. But at this juncture, it's more a matter of when rather than if DevSecOps becomes the way most modern applications are built, deployed and secured.