Automate and secure DevOps with container security

Adopting a container-based platform is the primary way development teams are streamlining their work and implementing secure DevOps. Pulling down a publicly available container image saves a lot of image preparation time. Automated toolchains also enable teams to develop and deploy innovative new apps more quickly, delivering frequent updates to customers.

Safeguarding data associated with those apps is critical. While app developers may understand the general need to add safeguards, they are not necessarily security experts. Today, addressing complex security challenges means enabling developers to seamlessly build security into their creations without delaying (or derailing) the DevOps process.

How to secure DevOps for accelerated development

Scan containers to secure DevOps

Though a public software image is convenient to re-use, you don’t know what’s in it. Trusting the uploader is a risk that is bound to compromise app data at some point. Is the time it takes to verify that a public image is free of vulnerabilities greater than the time saved in building the image yourself?

Since there’s really no substitute for scanning every image before releasing it into the DevOps pipeline proper, expect any cloud platform to provide an efficient way of doing it. IBM Cloud Container Service, for example, offers a Vulnerability Advisor (VA) scanning tool that operates on images in repositories, and in both static and live containers. Alerts are tiered and make recommendations.

VA inspects every layer of every image in a cloud customer’s private registry to help detect vulnerabilities or malware before image deployment. That is a good start, but an image that passed a static scan can still drift once it is running, so VA also scans running containers for anomalies.

Other VA capabilities include:

  • Policy violation settings: With VA, administrators can set image deployment policies based on three types of image failure situations: installed packages with known vulnerabilities, remote logins enabled, and remote logins enabled with some users who have easily guessed passwords.
  • Best practices: VA currently checks 26 rules based on ISO 27000. Checks include settings such as password minimum age, minimum password length and remote logins enabled.
  • Security misconfiguration detection: VA flags each misconfiguration issue, provides a description of it and recommends a course of action to remediate it.
  • Threat rating system: VA pulls in security intelligence from five third-party sources and uses criteria such as attack vector, complexity and availability of a known fix to rate severity. The rating system (critical, high, moderate or low) helps administrators quickly understand which vulnerabilities need priority action.
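To make the policy model above concrete, here is a small deployment gate written in Python. It is an added illustration, not IBM Vulnerability Advisor's own code or API: it models the three policy-violation situations the list describes (vulnerable packages, remote login enabled, remote login enabled alongside weak passwords) and a severity tiering built from attack vector, complexity and fix availability. The data classes, field names, scoring weights and sample scan results are all assumptions constructed for this example, and the vulnerability identifiers are placeholders rather than real CVEs.

```python
"""Image-deployment policy gate modelled on the policy-violation situations
and severity tiering described in the post.

Added example: illustrative code, not IBM Vulnerability Advisor's
implementation or API. Data classes, field names and scoring weights are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY_ORDER = ["critical", "high", "moderate", "low"]  # most to least severe


@dataclass
class Vulnerability:
    """One known vulnerability in an installed package (fields are assumed)."""
    identifier: str           # placeholder ids in the sample data, not real CVEs
    package: str
    attack_vector: str        # "network" or "local"
    complexity: str           # "low" or "high"
    fix_available: bool


@dataclass
class ImageScan:
    """Constructed scan result for one image in a private registry."""
    image: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    remote_login_enabled: bool = False
    weak_password_users: List[str] = field(default_factory=list)


@dataclass
class DeployPolicy:
    """Which of the three failure situations should block deployment."""
    block_vulnerable_packages: bool = True
    block_remote_login: bool = False
    block_remote_login_with_weak_passwords: bool = True


def rate_severity(v: Vulnerability) -> str:
    """Tier a vulnerability from attack vector, complexity and fix availability.

    Assumed weighting: network-reachable +2, low complexity +1, no fix +1;
    a score of 4 is critical, 3 high, 2 moderate, anything lower is low.
    """
    score = 0
    if v.attack_vector == "network":
        score += 2
    if v.complexity == "low":
        score += 1
    if not v.fix_available:
        score += 1
    return {4: "critical", 3: "high", 2: "moderate"}.get(score, "low")


def evaluate_image(scan: ImageScan, policy: DeployPolicy) -> dict:
    """Return the gate decision, the policies violated and recommended actions."""
    violations: List[str] = []
    actions: List[str] = []

    if policy.block_vulnerable_packages and scan.vulnerabilities:
        violations.append("vulnerable_packages")
        fixable = sorted({v.package for v in scan.vulnerabilities if v.fix_available})
        if fixable:
            actions.append("upgrade packages with available fixes: " + ", ".join(fixable))

    if policy.block_remote_login and scan.remote_login_enabled:
        violations.append("remote_login_enabled")
        actions.append("disable remote login in the image")

    if (policy.block_remote_login_with_weak_passwords
            and scan.remote_login_enabled and scan.weak_password_users):
        violations.append("remote_login_with_weak_passwords")
        actions.append("rotate weak passwords for: " + ", ".join(scan.weak_password_users))

    ratings = [rate_severity(v) for v in scan.vulnerabilities]
    highest: Optional[str] = min(ratings, key=SEVERITY_ORDER.index) if ratings else None

    return {
        "image": scan.image,
        "deploy": not violations,
        "violations": violations,
        "highest_severity": highest,
        "recommended_actions": actions,
    }


# Constructed sample scan results (identifiers are placeholders, not real CVEs).
SAMPLE_SCANS = [
    ImageScan(
        image="registry.example.com/team/web:1.0",
        vulnerabilities=[
            Vulnerability("VULN-PLACEHOLDER-1", "openssl", "network", "low", True),
            Vulnerability("VULN-PLACEHOLDER-2", "bash", "local", "high", False),
        ],
        remote_login_enabled=True,
        weak_password_users=["admin"],
    ),
    ImageScan(image="registry.example.com/team/web:1.1", remote_login_enabled=True),
    ImageScan(image="registry.example.com/team/web:1.2"),
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        result = evaluate_image(scan, DeployPolicy())
        print(result["image"], "DEPLOY" if result["deploy"] else "BLOCK",
              result["highest_severity"], result["violations"])
```

With the default policy the first image is blocked on two counts and its worst finding tiers as high (network-reachable, low complexity, but a fix exists); the second image has remote login enabled but no weak accounts, so it passes unless the stricter `block_remote_login` setting is switched on. Wiring a gate like this into the pipeline step that promotes an image from registry to deployment is what turns scan output into an enforced policy rather than a report someone has to read.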

Secure DevOps considerations

As you deploy workloads to the cloud, you should expect cloud service providers to help protect your valuable data and applications. You need to be confident about the integrity of both the platform and the containers that run on it. Make container scanning—both live and static scanning—one of the subjects you ask about when evaluating cloud providers. Learn more about container security.

Senior Content Strategist, WW Marketing
