
Identifying insecure configurations with IBM Vulnerability Advisor


Security is hard. Using IBM Vulnerability Advisor on Bluemix Containers Service reduces security concerns by identifying vulnerable packages or policy violations in your container image. However, when you work with installed apps, it’s still possible for them to be misconfigured and potentially compromise your system.

For example, an insecure default value in an application configuration file that hasn’t been updated, or the use of an insecure cipher in SSL/TLS could put your system at risk. When you use multiple apps deployed in containers, it’s difficult to ensure the use of security best practices.

We recently introduced a new feature to the IBM Vulnerability Advisor that addresses this very problem: It provides insights into the security configurations of containerized applications. When a user pushes a Docker image or starts a container in the IBM Container service, the Docker image or the running container is scanned for application misconfigurations. The feature advises users on how to correct misconfigured components and applications, inside their container images and containers, that could expose security vulnerabilities. The advice follows the security best practices outlined by the Open Web Application Security Project (OWASP) and the Center for Internet Security (CIS).

The following screenshots show the capability in action when a developer created a Docker image with the Apache web server, pushed it into the IBM Container service, selected the image to create a container, then viewed the findings by Vulnerability Advisor.

The screenshot below shows the report summary by Vulnerability Advisor:

[Screenshot: Vulnerability Advisor report summary]

Upon clicking on “Security Misconfigurations,” the new feature being described here, the user was able to see the following misconfigurations impacting security:

[Screenshot: security misconfigurations reported for the Apache image]

IBM Vulnerability Advisor detected these misconfigurations and guided the developer through how to correct them.

The developer fixed the configuration in /etc/apache2/sites-enabled/000-default.conf by adding the following value for SSLCipherSuite:
SSLCipherSuite HIGH:!aNULL:!MD5
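
A small check of the kind described above, as an added example that is not IBM's code or Vulnerability Advisor's implementation. The weak-class list, the function names and the sample configurations are assumptions constructed for illustration, with the policy modelled on the corrected value shown above.

```python
import re

# Assumed policy, modelled on the page's corrected value HIGH:!aNULL:!MD5.
WEAK_CLASSES = {"LOW", "MEDIUM", "EXP", "EXPORT", "NULL", "eNULL",
                "aNULL", "MD5", "RC4", "DES", "3DES"}
REQUIRED_EXCLUSIONS = ("aNULL", "MD5")

def audit_cipher_string(spec):
    """Return findings for one OpenSSL cipher string (the SSLCipherSuite argument)."""
    findings, excluded = [], set()
    for token in re.split(r"[:, ]+", spec.strip().strip('"')):
        if not token:
            continue
        if token.startswith("!"):            # "!" permanently removes a class
            excluded.add(token[1:])
        elif token[0] not in "-+" and set(token.split("+")) & WEAK_CLASSES:
            findings.append(f"enables weak cipher class {token}")
    for name in REQUIRED_EXCLUSIONS:
        if name not in excluded:
            findings.append(f"missing exclusion !{name}")
    return findings

def audit_apache_conf(text):
    """Return (line_number, message) findings; line 0 means the directive is absent.
    Handles only the single-argument form of SSLCipherSuite."""
    findings, seen = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        match = re.match(r"\s*SSLCipherSuite\s+(.+)$", raw, re.IGNORECASE)
        if match:                            # lines starting with "#" do not match
            seen = True
            findings += [(number, m) for m in audit_cipher_string(match.group(1))]
    if not seen and re.search(r"^\s*SSLEngine\s+on\b", text, re.I | re.M):
        findings.append((0, "SSLEngine on but SSLCipherSuite is not set"))
    return findings

# Constructed sample configurations (not taken from the page's screenshots).
WEAK_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:RC4+RSA
</VirtualHost>
"""
UNSET_CONF = "<VirtualHost *:443>\n    SSLEngine on\n</VirtualHost>\n"
FIXED_CONF = WEAK_CONF.replace("HIGH:MEDIUM:RC4+RSA", "HIGH:!aNULL:!MD5")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("unset", UNSET_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_apache_conf(conf))
```

Running such a check in the image build, before the push, surfaces the same class of finding earlier than the registry scan does.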

Once the developer corrected the misconfiguration, and pushed a new Docker image containing Apache web server with the updated configuration, the Vulnerability Advisor showed that the configuration had been fixed. See the screenshot below:

[Screenshot: Vulnerability Advisor report after the configuration was corrected]

Next time you’re running an application inside a container in the IBM Container Service, you can now correct application misconfigurations that impact security!
