As the number of organizations that are embracing containers continues to increase, so does the number of incumbent cybersecurity vendors extending the reach of their platforms. Trend Micro, as part of that trend, has begun offering a Deep Security Smart Check module to continuously scan container images, which complements an existing Deep Security module for securing container runtimes.
Mark Nunnikhoven, vice president of cloud research for Trend Micro, says Deep Security Smart Check is designed to enable organizations to discover cybersecurity issues in container images before they are deployed, rather than focusing on cybersecurity after the container is deployed.
In addition, recognizing a general DevSecOps shift to the left, Trend Micro is making available an automation center that can be invoked via a suite of application programming interfaces (APIs) to enable continuous delivery, status monitoring, IT service management and integration with orchestration tools, such as the recently launched Amazon Elastic Container Service for Kubernetes.
Nunnikhoven says that while containers provide motivation to embrace DevSecOps, shifting responsibility for cybersecurity to developers is occurring at a slow but steady pace. The reason for that has as much to do with technology as it does with culture: Developers require access to APIs to embed security functions inside applications, while cybersecurity professionals tend to rely on tools that sport graphical user interfaces (GUIs), which most developers will eschew.
To make matters more challenging, organizations are also struggling to embed security checks within increasingly complex continuous integration/continuous deployment (CI/CD) processes without slowing down the pace at which applications are being deployed and updated, he says.
Nunnikhoven also notes that compliance teams are struggling to understand application development processes based on containers that are much more ephemeral than application code running on traditional virtual machines. In many cases, it’s difficult to ascertain what containers ran where at what time across an extended enterprise consisting of on-premises and public cloud services.
The upside, however, is that applications built using containers tend to be more secure over the long haul, Nunnikhoven says. Because it’s easier to replace functionality by ripping and replacing a set of containers than to patch an entire application, applications built using containers tend to make use of the latest, most secure libraries. Nevertheless, there will always be a need to detect container images based on libraries that have not been updated in a while—the older a piece of code is, the more likely it is that it contains a vulnerability that has been disclosed since it was originally deployed, he notes.
Most cybersecurity professionals, however, have yet to appreciate that cybersecurity aspect of containers. But once they do, it’s not uncommon for them to start insisting that all applications be built using containers, says Nunnikhoven.
It still may take a while for application developers and cybersecurity teams to get on the same page when it comes to containers. But as more containers get deployed in production environments, it’s now only a matter of time before cybersecurity professionals come to terms with thousands of containers running across an extended enterprise.