NeuVector today announced it has added a Vulnerability and Compliance Explorer tool to make it easier to prioritize remediation efforts and further advance the adoption of DevSecOps best practices.
Glen Kosaka, vice president of product management and marketing for NeuVector, says that as responsibility for cybersecurity continues to shift left toward developers, the need for tools that make it easier to prioritize cybersecurity and compliance remediation efforts is becoming more acute.
The Vulnerability and Compliance Explorer tool, provided as an extension of the NeuVector container security platform, makes it easier for DevSecOps teams to assess the current state of container security by identifying assets, scanning registries and generating reports. Teams can then prioritize which images, nodes or containers require immediate attention in addition to determining where compliance issues might have arisen, says Kosaka.
The Vulnerability and Compliance Explorer tool also supports a virtual patching capability the company makes available as part of its platform. DevSecOps teams can virtually patch vulnerabilities by whitelisting all authorized application container behavior, such as network connections, processes and file activity, by either using NeuVector behavioral learning processes or programmatically applying security policy as code. That capability is especially critical if no patch for the vulnerability that needs to be addressed has been made readily available, notes Kosaka.
Any attempted exploit of a workload or host protected by NeuVector is detected and blocked, with an alert also being generated to the DevSecOps team, adds Kosaka.
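The behavior-whitelisting idea described above, reduced to its core logic as an added illustration (this is not NeuVector's code and assumes nothing about its policy format): a profile of observed process, network and file activity is learned, and at runtime anything outside that profile is blocked and raised as an alert. All sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    kind: str    # "process", "network" or "file"
    detail: str  # executable path, "tcp:<ip>:<port>", or file path

@dataclass
class BehaviorProfile:
    """Allowlist of observed behaviour per kind; anything absent is denied."""
    allowed: dict = field(default_factory=lambda: {"process": set(), "network": set(), "file": set()})

    def learn(self, event: Event) -> None:
        self.allowed.setdefault(event.kind, set()).add(event.detail)

    def permits(self, event: Event) -> bool:
        return event.detail in self.allowed.get(event.kind, set())

def learn_profile(events):
    """Learning mode: record every observed behaviour as authorized."""
    profile = BehaviorProfile()
    for e in events:
        profile.learn(e)
    return profile

def enforce(profile, events):
    """Enforce mode: allow listed behaviour, block and alert on anything else."""
    decisions = []
    for e in events:
        if profile.permits(e):
            decisions.append({"event": e, "action": "allow", "alert": None})
        else:
            decisions.append({"event": e, "action": "block",
                              "alert": f"unexpected {e.kind} activity: {e.detail}"})
    return decisions

def blocked_events(profile, events):
    """Convenience view: only the events the profile would block."""
    return [d["event"] for d in enforce(profile, events) if d["action"] == "block"]

# Constructed sample data: behaviour observed while the container ran its normal workload.
LEARNED = [
    Event("process", "/usr/sbin/nginx"),
    Event("network", "tcp:10.0.0.5:5432"),
    Event("file", "/var/log/nginx/access.log"),
]

# Constructed runtime events: the first three match the profile, the last two do not.
RUNTIME = LEARNED + [Event("process", "/bin/sh"), Event("network", "tcp:198.51.100.9:443")]

if __name__ == "__main__":
    prof = learn_profile(LEARNED)
    for d in enforce(prof, RUNTIME):
        print(d["action"], d["event"].kind, d["event"].detail, d["alert"] or "")
```

Because the allowlist is built from observed behaviour rather than from vulnerability signatures, the same profile keeps blocking deviations whether or not a patch for the underlying flaw exists yet.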
Other new capabilities added to the core NeuVector container security platform include the ability to scan large container images in parallel across thousands of images and the ability to protect container hosts in a way that detects privilege escalations as well as known suspicious processes.
Despite increased awareness and appreciation for DevSecOps, Kosaka says not enough progress will be made until teams are given the tools needed to support the DevSecOps processes that are being defined by the IT organization. In the absence of tools that are readily accessible, the conversation surrounding DevSecOps can quickly dissolve into a series of aspirations that are never realized, he says.
Of course, one of the strengths of containers is that they make it much easier to rip and replace modules of code that might for one reason or another have incorporated a vulnerability. The challenge is determining which containers out of thousands might have a specific known vulnerability. As such, cybersecurity can be difficult to maintain and achieve, as hundreds of containers are moved in and out of applications. Cybersecurity teams might not even know about a vulnerability because the container in which it resided might have been replaced before they ever knew the vulnerability existed.
Naturally, it may take some cybersecurity teams a while to get used to losing what they perceive as a level of control over application environments. However, given the current state of application security, it’s also clear that the current processes being relied on to maintain security are simply not working to anyone’s satisfaction.