{"id":103239,"date":"2019-11-07T06:00:04","date_gmt":"2019-11-07T14:00:04","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=103239"},"modified":"2019-11-07T10:41:11","modified_gmt":"2019-11-07T18:41:11","slug":"cloud-container-security","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2019\/11\/cloud-container-security\/","title":{"rendered":"Container Security: Vulnerability Management from Build to Run"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Author: Keith Mokris, Product Marketing Manager, Container Security<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Today\u2019s enterprises have embraced containers for their simplicity and contribution to improved development velocity. While developers and devops enjoy this new-found speed to deliver software and value to customers more quickly, security teams are looking to ensure container pipelines are secure and improve the risk posture of applications when they are deployed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In my work with the container security startup Twistlock, which is now part of Palo Alto Networks, I ended up speaking with a security engineer at a large industry event. He works with development and devops management to ensure the organization\u2019s modern web and mobile applications are built and deployed successfully. The organization was looking to better embed security throughout the application lifecycle.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Key Steps to Secure Container Pipelines<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">As this security engineer and I continued talking, I learned his company had leveraged various open source tools for short periods to perform some image scanning, but they had never leveraged a tool to continuously scan their registry or deployed a solution to get visibility into their runtime environments. 
The organization was looking to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Scan images to identify high risk issues<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Leverage tooling that helps to prevent vulnerabilities from making it into production in the first place<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Provide developers with trusted images<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Gain runtime visibility into various containerized environments<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This engineer made the implications clear, saying, \u201cWe\u2019re using containers in production and praying we\u2019re secure, which probably isn\u2019t a winning strategy. If I started using Twistlock, what would be the immediate benefits that my team could implement and begin to build on?\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is a good question, and one we get a lot from developers, devops managers and architects. In the next few sections, I\u2019ll share some details on how we can quickly and effectively help by providing security during the continuous integration (CI) \/ continuous delivery (CD) process, ensuring the security of the registry and offering visibility at runtime.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Integrating Security into the CI Process<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Users leverage Twistlock by integrating security and compliance throughout the CI process. In our view, the easiest way to secure cloud native applications is by preventing vulnerable images from making their way through the software development lifecycle (SDLC) in the first place.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Twistlock helps here by integrating with your current build and deploy process. 
For example, a user can set granular policies to pass or fail a build based on the types of vulnerabilities and compliance issues found before images can be pushed to the registry or deployed to production.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-103241 alignleft lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5.png\" alt=\"Container Security from Twistlock, Palo Alto Networks\" width=\"921\" height=\"518\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5.png 960w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-230x129.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-768x432.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-500x281.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-510x287.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-71x40.png 71w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-533x300.png 533w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image5-874x492.png 874w\" sizes=\"auto, (max-width: 921px) 100vw, 921px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">One of those policies might look something like this:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the build for my payment app, block any build impacted by a CVE with high CVSS rating and for which a vendor fix is available.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Twistlock provides a standalone Jenkins plugin\u2014shown within the Blue Ocean view in the screenshot above\u2014as well as the ability to integrate with any other CI tools such 
as <\/span><a href=\"https:\/\/circleci.com\/blog\/integrating-container-image-scanning-into-circleci-builds-with-the-twistlock-orb\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">CircleCI<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/www.twistlock.com\/2019\/05\/07\/twistlock-azure-devops-extension-vulnerability-scanning-containers-functions\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Azure Devops<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/www.twistlock.com\/2018\/11\/28\/cloud-native-security-intelligence-integrating-aws-security-hub\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">AWS Codebuild<\/span><\/a><span style=\"font-weight: 400;\">, or <\/span><a href=\"https:\/\/www.twistlock.com\/2017\/03\/09\/google-cloud-container-builder\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Google Cloud Container Builder<\/span><\/a><span style=\"font-weight: 400;\"> using twistcli (our command line scanner), so developers can see vulnerability status every time they run a build. In this conversational example I\u2019ve been using for this blog post, the security engineer would work with the development group to identify and fix images with the highest vulnerabilities in their environments first, then create policies that ensure that proper vulnerability and compliance thresholds are set.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Gaining Control with Trusted Images<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">As organizations get more familiar with their images and environment, they typically leverage our Trusted Images feature to control developer access to a specific registry or even specific images or layers. 
Trusted Images ensure that developers are using verified or approved sources for their images, as well as provide a straightforward way to implement the CIS best practices for container security.<\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\"  class=\"alignleft size-full wp-image-103254 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4.png\" alt=\"Container Security from Twistlock, Palo Alto Networks\" width=\"1999\" height=\"1245\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4.png 1999w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-230x143.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-768x478.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-500x311.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-482x300.png 482w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-64x40.png 64w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image4-874x544.png 874w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/h2>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Visibility into your Registry<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">First and foremost, Twistlock provides the ability to scan and continuously monitor your registry for vulnerabilities. This vulnerability management capability solves a key problem for the engineer I was chatting with at the event. I didn\u2019t ask what type of registry the company was using, but Twistlock works with any of them! 
Twistlock easily integrates with any registry used today, continually scans those images for vulnerabilities and provides detailed findings with risk prioritization.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignleft size-full wp-image-103267 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3.png\" alt=\"Container Security from Twistlock, Palo Alto Networks\" width=\"1999\" height=\"1249\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3.png 1999w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-230x144.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-768x480.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-500x312.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-480x300.png 480w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-64x40.png 64w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image3-874x546.png 874w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In the above screenshot of a demo environment, you can see public images I am scanning on Docker Hub. 
Twistlock will continuously monitor these images to provide vulnerability and compliance status with the ability for you to get granular analysis at a <\/span><a href=\"https:\/\/www.twistlock.com\/2018\/01\/15\/twistlock-per-layer-vulnerability-analysis-2-3-deep-dive\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">layer-by-layer view of issues in each image<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Runtime Makes Prioritization Better<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">While most of this post has focused solely on vulnerability management during the build and in the registry, I want to touch on one of our key differentiators when it comes to <\/span><a href=\"https:\/\/www.twistlock.com\/platform\/runtime-defense\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">runtime<\/span><\/a><span style=\"font-weight: 400;\">: managing risk in running containers and helping teams prioritize efforts to remediate risk in their environments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Twistlock scans all of the images in the registry, scans images during the build and deploy process, and also continuously monitors any vulnerability changes in your running containers. Twistlock generates a risk score for each of the vulnerabilities we find that are actually running in your environment, taking into account not only risk metrics like CVSS but also a whole host of other metrics. 
For example:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Is this container connected to the internet?<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does it have open listening ports?<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Does it have a security profile attached?<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignleft size-full wp-image-103280 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1.png\" alt=\"\" width=\"1999\" height=\"1249\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1.png 1999w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-230x144.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-768x480.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-500x312.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-480x300.png 480w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-64x40.png 64w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image1-874x546.png 874w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">These key factors allow Twistlock to stack-rank your vulnerabilities specifically for your environment and let you know where you are most likely to be exploited. This helps to prioritize the mitigation of vulnerabilities for your most vulnerable assets. 
At the same time, a user can search for any new CVE or security issue in the running environment to know exactly which container is impacted.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignleft size-full wp-image-103293 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2.png\" alt=\"Twistlock Vulnerability Explorer - Container Security from Twistlock, Palo Alto Networks\" width=\"1999\" height=\"1249\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2.png 1999w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-230x144.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-768x480.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-500x312.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-480x300.png 480w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-64x40.png 64w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/image2-874x546.png 874w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In the example above, I\u2019ve shared a screenshot from Twistlock Vulnerability Explorer with the top 10 critical vulnerabilities in my environment. In the first row, I\u2019ve expanded the Risk Tree, which allows a user to see the exact image, container name and name of the host where it is running. 
The risk score includes contextual data about the specific risk to that container alongside risk factors that allow teams to better assess the impact of a particular vulnerability in a specific deployment.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Conclusion\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Prisma Cloud and Twistlock provide distinct advantages for enterprises looking to analyze their images for vulnerabilities and compliance issues, integrate security into their current build and deploy process and remediate risk easily in their running environments. While I touched on our features for vulnerability management and compliance as part of this example, there are many other immediate advantages of deploying Prisma Cloud and Twistlock.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about Twistlock, <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/videos-customers\/twistlock-demo-video\"><span style=\"font-weight: 400;\">check out our latest demo recording<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Organizations need to ensure container security to improve the risk posture of cloud applications when they are deployed using 
containers.<\/p>\n","protected":false},"author":663,"featured_media":103306,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[6504],"coauthors":[6882],"class_list":["post-103239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-container-security"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/Container-Security-Featured-Image.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/103239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=103239"}],"version-history":[{"count":11,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/103239\/revisions"}],"predecessor-version":[{"id":103347,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/103239\/revisions\/103347"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/103306"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=103239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/c
ategories?post=103239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=103239"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=103239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}