Automate DevSecOps for Full Lifecycle Container Security

IDC predicts that “By 2025, nearly two-thirds of enterprises will be prolific software producers with code deployed daily, over 90% of apps will be cloud-native, and there will be 1.6 times more developers than today.” [1] As organizations catapult into the digital economy in what seems like an overnight transformation, we see the prediction come to life at an accelerated pace. The need to integrate security throughout the DevOps cycle becomes more urgent as pervasive challenges highlight the widening security gap.

Container security challenges include open-source risks, the ephemeral nature of containers, and misaligned security and DevOps teams. Open-source software components have become a ubiquitous toolset for developers: 99% of codebases audited in 2019 contained open-source components, and nearly half (49%) of those codebases contained high-risk vulnerabilities. [2] In addition to the risks of open-source software, organizations need to appreciate that static practices that may have worked for virtual machines are ill-suited to securing ephemeral containers. Providing a list of containers to protect is of no value because those containers will no longer exist by the time the list is generated. Security continues to be a downstream gate for DevOps, reinforcing security teams’ struggle to keep up with the velocity of releases. This paradigm only heightens the misalignment between the security, DevOps, and development teams. A concerted effort is required to bake security into the continuous integration and continuous deployment (CI/CD) pipeline.

Security, DevOps, and development teams can mitigate these challenges and close security gaps with VMware. They can automate DevSecOps and implement complete lifecycle container security. Customers gain situational intelligence to mitigate risk-prioritized vulnerabilities and bake compliance and security into the CI/CD pipeline, protecting containerized applications from build to runtime in hybrid cloud Kubernetes environments.

I sat down with Shemer Schwarz, Sr. Director of Product Management, VMware Security Business Unit and former co-founder and CEO of Octarine Security, to take a deep dive into the new VMware Carbon Black Container solution.

Su: Shemer, less than a year ago, VMware acquired Octarine to help advance security for containers. What are some of the use cases top of mind for customers in the Cloud Workload Protection market?

Shemer: Yes, we’re excited to add more capabilities to help our customers improve their security maturity. I’m seeing the following use cases come up repeatedly from my conversations with clients:

  • Kubernetes security posture management
  • Workload visibility and hardening
  • Container image scanning and vulnerability management

Su: Tell me more about the first use case – security posture management for Kubernetes. What does it mean to our clients? How are we helping them?

Shemer: Planning your security strategy starts with understanding your environment and that requires visibility into your workloads, how they are configured, and how your infrastructure – your Kubernetes environment in this case – is configured. You need to prioritize the risk associated with each workload, so you know where to focus your remediation efforts. I’ll walk through some screenshots to illustrate how customers can solve these challenges with our solution.

You get a single pane of glass that captures information on all workloads across multiple clusters and namespaces. This dashboard consolidates data on the configuration of workloads and the vulnerabilities identified in containers running in any cluster (stage, dev, test, production). The data comes from two sources: the image scanned at the CI/build phase and continuous monitoring of the workload configuration in production. We consolidate the two sources of data to produce a unified risk score for the workload. The risk score is within a range of 1 to 10, 10 being the highest risk, so you can prioritize the remediation of vulnerable workloads accordingly.

You gain situational intelligence from understanding the attributes that contribute to the risk score, so you can determine whether a configuration is required or not. In most cases, it’s not required. Erroneous configurations stem from a lack of knowledge or a path of least resistance without the proper security controls or tighter permissions.

Su: Could you expand on the scanning process that feeds this dashboard?

Shemer: Vulnerabilities are scanned at the CI phase when you build a container, so the scan takes place as part of the CI process. This method is very different from how you manage the vulnerabilities in legacy environments. The container images get scanned at CI, and you have visibility on the vulnerabilities at runtime.

Su: As a customer, how would I get alert notifications?

Shemer: Anytime a new workload is deployed or updated (that is, a change in the configuration occurs), you get a notification if someone is violating a policy you created. Let’s say you want to make sure a workload cannot run as root in a specific namespace. If there is a change in the behavior or configuration of the workload that violates that policy, you’ll get notified via your choice of medium: webhook, Slack, or email, for example.

Su: This single pane of glass with actionable information does simplify security posture management in Kubernetes. Let’s move on to our second use case on workload visibility and hardening. How can I harden container workloads automatically and continuously?

Shemer: With the transition to microservices, more workloads configured using infrastructure-as-code get deployed rapidly via the CI/CD pipeline. A manual audit of the workloads becomes impossible. With VMware’s solution, customers can create automated policies to enforce secure configuration and ensure compliance with organizational requirements and industry standards.

You can select the appropriate templates to apply policies that incorporate CIS benchmark and Kubernetes best practices at the CI/build and deployment phases of a workload. You can also customize the rule engine to enforce restrictions such as memory/CPU requests or where the images are coming from within a Kubernetes environment.

You can see the violations and can choose either to exempt them or to fix them. Once the policy is confirmed, you should not get any violations unless somebody changes something that triggers an alert. Here’s how you’ll see the alerts:

You’ll see the information that triggered the alert on this screen and can filter down on violations by cluster, namespace, role, policy, etc.

Su: I can see how the security team can keep pace with DevOps velocity with this compliance policy automation. Now, let’s dive into the container image scanning and vulnerability management use case. How can I, as a customer, enable collaboration between the security, DevOps, and development teams?

Shemer: You can scan container images and get visibility into what’s running in the production environment and the types of vulnerabilities that exist.

You can create policies either at the CI/build phase, before pushing the image to the registry, or at the deployment stage. Example policies include one that prevents an image with a critical vulnerability from being deployed and one that accepts only images from approved registries. You can also enforce a policy that stops the CI process when a critical vulnerability is present.

You can monitor container images in the entire repository on this dashboard:

And clicking on a specific image tag will give you a comprehensive view that includes information on the packages that are part of the release, and the vulnerabilities identified.

Su: Shemer, thanks for providing a deep dive into the use cases for our container security solution. These capabilities certainly drive automation for DevSecOps and mitigate a lot of the challenges that customers experience.

Shemer: When you move to infrastructure-as-code and modern applications with immutable infrastructure, the only way to secure your environment and ensure no deviation from compliance is to automate those processes. Leverage tools that continuously monitor changes in the configuration state of an application. The pace of change and the distributed nature of these environments make it impossible to apply traditional, manual security processes. For programmatically secure configuration, you need automation to understand your security posture and enforce policies consistently across these environments.

Additional insights gleaned from my discussion with Shemer include customers’ ability to:

  • Identify container application services exposed outside of the Kubernetes cluster
  • Identify and prevent privileged containers from being deployed, and
  • Focus on risk-prioritized vulnerabilities at every stage in the development lifecycle
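To make the kinds of policies described above concrete, here is an added example (not VMware Carbon Black Container code) that evaluates a Kubernetes Pod manifest against four rules from the interview: no root in a chosen namespace, images only from approved registries, CPU/memory requests required, and no privileged containers. The registry allowlist, the restricted namespace, and the two sample manifests are constructed assumptions, not values from the page.

```python
"""Admission-style policy checks over Kubernetes Pod manifests.

Added example, not VMware Carbon Black Container code. It evaluates rules
of the kind the interview describes: no root in a chosen namespace, images
only from approved registries, CPU/memory requests required, no privileged
containers. The registry list, namespace and manifests are constructed.
"""
from typing import Dict, List

APPROVED_REGISTRIES = ("registry.example.internal/",)  # assumed allowlist
NO_ROOT_NAMESPACES = {"payments"}                        # assumed restricted namespace


def evaluate_pod(pod: Dict) -> List[str]:
    """Return policy violations for one Pod manifest (empty list = compliant)."""
    violations = []
    meta = pod.get("metadata", {})
    ns, name = meta.get("namespace", "default"), meta.get("name", "<unnamed>")
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        cname, image = c.get("name", "<unnamed>"), c.get("image", "")
        # Container securityContext overrides Pod-level fields of the same name.
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if not image.startswith(APPROVED_REGISTRIES):
            violations.append(f"{ns}/{name}:{cname} image {image!r} not from an approved registry")
        if sc.get("privileged"):
            violations.append(f"{ns}/{name}:{cname} is privileged")
        # Root is blocked unless runAsNonRoot is set or a non-zero UID is pinned.
        if ns in NO_ROOT_NAMESPACES and not (sc.get("runAsNonRoot") or sc.get("runAsUser", 0) != 0):
            violations.append(f"{ns}/{name}:{cname} may run as root in namespace {ns}")
        requests = c.get("resources", {}).get("requests", {})
        for res in ("cpu", "memory"):
            if res not in requests:
                violations.append(f"{ns}/{name}:{cname} has no {res} request")
    return violations


# Constructed sample manifests: one compliant, one that breaks every rule.
COMPLIANT_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "api", "image": "registry.example.internal/team/api:1.4.2",
                             "resources": {"requests": {"cpu": "250m", "memory": "256Mi"}}}]},
}
RISKY_POD = {
    "metadata": {"name": "debug", "namespace": "payments"},
    "spec": {"containers": [{"name": "shell", "image": "busybox:latest",
                             "securityContext": {"privileged": True}}]},
}
```

Wired into a CI step or an admission webhook, a non-empty return value is what would fail the build or block the deployment; the same checks can be rerun on a schedule so that a later edit to a running workload produces an alert rather than drifting silently.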

Security teams need to reduce risk and maintain compliance. DevOps needs to ensure that third-party applications are secure and that container images come from approved registries and comply with industry standards. Developers need to deploy high-quality code to production faster. VMware Carbon Black is highly complementary with our VMware Tanzu solutions in addressing the DevSecOps challenges of modern applications—enabling more secure applications and simplifying operations for security and DevOps teams. VMware continues to explore these integrations to deliver on our security vision.

[1] IDC, “IDC FutureScape Outlines the Impact ‘Digital Supremacy’ Will Have on Enterprise Transformation and the IT Industry.” Published 29 October 2020.

[2] Synopsys, “2020 Open Source Security and Risk Analysis Report.”