As part of a bid to embed DevSecOps and compliance into the earliest stages of the Docker image build process, Tripwire is making available a Container Analyzer Service under an early access program.
Gabe Authier, senior product manager at Tripwire, says the new service is a natural extension of the vulnerability discovery and management tools the company has historically provided. The Container Analyzer Service is designed to discover configuration and vulnerability issues online and offline and can be accessed either via a graphical user interface or application programming interface (API).
Thanks to that API, the Tripwire Container Analyzer Service can be integrated with various continuous integration (CI) and continuous deployment (CD) platforms to scan for vulnerabilities at multiple points in the overall application development process, notes Authier. For example, Tripwire also provides integration with the DevOps toolchain for initiating scans, securing the build pipeline infrastructure and monitoring for changes throughout the continuous deployment life cycle.
That includes the ability to scan container registries and layer monitoring and policy controls on top of that core capability, adds Authier.
Achieving and maintaining compliance in containers can be a complex endeavor. Containers are frequently replaced for everything from adding new functions to fixing a simple vulnerability. This ephemeral nature of containers makes it challenging to keep track of who updated which set of containers, and for what reason. The Tripwire Container Service is designed around best practices as defined by the Center for Internet Security (CIS), says Authier.
Authier notes that compliance issues still are handled mainly by dedicated compliance teams, but developers are starting to play a big role as part of a larger DevSecOps process. Compliance policies typically are set by compliance teams, but it’s becoming easier to instrument controls directly into containers.
Arguably, the rise of containers forces organizations to embrace a more proactive approach to compliance. Rather than treating compliance as a one-time event, many organizations now view it as a continuous process. As part of that effort, it’s not reasonable to expect developers to be cognizant of every control that needs to be implemented. Because of that, new compliance processes must be integrated into the larger DevOps process, usually in the form of compliance teams defining controls that developers can implement programmatically. Tools such as the Tripwire Container Service make it easier to ensure that compliance mandates are met at every step of the development process.
Most auditors are still not up to speed on the chain of controls that should be in place when a containerized application is deployed in a production environment. But it’s only a matter of time before many of them realize that containerized applications are being updated continuously, and once they are aware of that, some of them will start asking organizations to document how and when those changes were made. It is better to be prepared now than to take a chance later that an auditor will issue a fine simply because a process is being employed that appears much less structured than it really is.