Automate and secure DevOps with container security

Adopting a container-based platform is the primary way development teams are streamlining their work and implementing secure DevOps. Pulling down a publicly available container image saves a lot of image preparation time. Automated toolchains also enable teams to develop and deploy innovative new apps more quickly, delivering frequent updates to customers.

Safeguarding data associated with those apps is critical. While app developers may understand the general need to add safeguards, they are not necessarily security experts. Today, addressing complex security challenges means enabling developers to seamlessly build security into their creations without delaying (or derailing) the DevOps process.

How to secure DevOps for accelerated development

 

Scan containers to secure DevOps

Though a public software image is convenient to re-use, you don’t know what’s in it. Trusting the uploader is a risk that is bound to compromise app data at some point. Is the time it takes to verify that a public image is free of vulnerabilities greater than the time saved in building the image yourself?

Since there’s really no substitute for scanning every image before releasing it into the DevOps pipeline proper, expect any cloud platform to provide an efficient way of doing it. IBM Cloud Container Service, for example, offers a Vulnerability Advisor (VA) scanning tool that operates on images in repositories, and in both static and live containers. Alerts are tiered and make recommendations.

VA inspects every layer of every image in a cloud customer’s private registry to help detect vulnerabilities or malware before image deployment. While that’s a good start, VA also scans running containers for anomalies, to catch problems such as drift between the static image and the live container.

Other VA capabilities include:

  • Policy violation settings: With VA, administrators can set image deployment policies based on three types of image failure situations: installed packages with known vulnerabilities, remote logins enabled, and remote logins enabled with some users who have easily-guessed passwords.
  • Best practices: VA currently checks 26 rules based on ISO 27000. Checks include settings such as password minimum age, minimum password length and remote logins enabled.
  • Security misconfiguration detection: VA flags each misconfiguration issue, provides a description of it and recommends a course of action to remediate it.
  • Threat rating system: VA pulls in security intelligence from five third-party sources and uses criteria such as attack vector, complexity and availability of a known fix to rate severity. The rating system (critical, high, moderate or low) helps administrators quickly understand which vulnerabilities need priority action.
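
A deployment gate built on the three failure situations and four severity tiers listed above, as an added example that is not IBM's code or part of the original post. The report layout, field names and image names are hypothetical and do not reflect the Vulnerability Advisor API; the sample reports are constructed.

```python
from dataclasses import dataclass

# Severity tiers named in the post, most urgent first.
SEVERITY_ORDER = ["critical", "high", "moderate", "low"]

def rank(severity):
    # Unknown ratings sort ahead of "critical" so the gate fails closed.
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else -1

@dataclass(frozen=True)
class DeployPolicy:
    # One switch per failure situation (hypothetical field names).
    block_vulnerable_packages: bool = True
    block_remote_logins: bool = True
    block_weak_password_logins: bool = True

def evaluate(report, policy):
    """Return (allowed, reasons) for one image scan report."""
    reasons = []
    vulns = report.get("vulnerable_packages", [])
    if policy.block_vulnerable_packages and vulns:
        # Name the worst finding first so triage starts there.
        worst = min(vulns, key=lambda v: rank(v["severity"]))
        reasons.append(f"{len(vulns)} vulnerable package(s), "
                       f"worst: {worst['name']} ({worst['severity']})")
    remote = report.get("remote_logins_enabled", False)
    weak = sorted(report.get("weak_password_users", []))
    if remote and weak and policy.block_weak_password_logins:
        reasons.append("remote logins enabled with easily guessed "
                       "passwords: " + ", ".join(weak))
    elif remote and policy.block_remote_logins:
        reasons.append("remote logins enabled")
    return (not reasons, reasons)

# Constructed sample reports (not real scanner output).
CLEAN = {"image": "registry.example/team/app:1.0", "vulnerable_packages": [],
         "remote_logins_enabled": False, "weak_password_users": []}
RISKY = {"image": "registry.example/team/legacy:0.9",
         "vulnerable_packages": [{"name": "pkg-a", "severity": "moderate"},
                                 {"name": "pkg-b", "severity": "critical"}],
         "remote_logins_enabled": True, "weak_password_users": ["admin"]}

if __name__ == "__main__":
    for rpt in (CLEAN, RISKY):
        allowed, why = evaluate(rpt, DeployPolicy())
        print(rpt["image"], "ALLOW" if allowed else "BLOCK", why)
```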

Secure DevOps considerations

As you deploy workloads to the cloud, you should expect cloud service providers to help protect your valuable data and applications. You need to be confident about the integrity of both the platform and the containers that run on it. Make container scanning—both live and static scanning—one of the subjects you ask about when evaluating cloud providers.
