Aqua Security Brings Virtual Patching to Containers

Aqua Security has extended its container security platform to include a virtual patching capability, dubbed Vulnerability Shield, which enables DevSecOps teams to temporarily block access to software components until a patch can be delivered.

At the same time, version 4.2 of Aqua CSP, its cloud-native security platform, has been enhanced to provide runtime protection for serverless functions, which prevents individuals who may have gained access to cloud computing credentials from injecting malicious code into functions on a public cloud. Support for the AWS Lambda serverless framework is now available, with additional support for Microsoft Azure Functions and Google Cloud Functions planned for later this year.


Rani Osnat, vice president of product marketing for Aqua Security, says the runtime protection for functions extends existing Aqua CSP capabilities that include scanning functions for vulnerabilities, permissions and secrets; usage trend analysis and anomaly detection; and function assurance policies that prevent unapproved functions from running.

Osnat says that while it’s simple to rip and replace containers when necessary, the updated software components that would be delivered via those new containers often are not readily available. Vulnerability Shield combines automated vulnerability and component analysis with security research conducted by Aqua Security to generate runtime policies that detect and block access to vulnerable components in containers, he says. He notes that this capability also will make it easier for DevSecOps teams to prioritize which vulnerabilities need to be addressed first, while relying on Vulnerability Shield to cover issues that can’t be fixed immediately.
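To make the virtual patching idea concrete, here is an added example (not Aqua's code and not its policy format) that models the workflow the paragraph describes: scanner findings for vulnerable components in an image are turned into a runtime deny policy on the files those components install, runtime exec/open events are checked against that policy, and findings are split into "rebuild now" versus "shield until a fix ships" for prioritization. The package names, versions, advisory ids and paths are constructed sample data; the `Finding` structure and the event shape are assumptions for this illustration.

```python
"""Hypothetical model of container virtual patching (added example, not Aqua CSP code)."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    package: str            # component name as reported by the scanner
    version: str            # version installed in the image
    vuln_id: str            # advisory id (placeholder values below, not real CVEs)
    severity: str           # low / medium / high / critical
    paths: Tuple[str, ...]  # files the component installs into the image
    fixed_in: Optional[str]  # version carrying the fix, None if none is published


# Constructed scan report for one image: two components worth shielding, one that is not.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("curl", "7.61.0", "ADV-EXAMPLE-1", "high",
            ("/usr/bin/curl", "/usr/lib/libcurl.so.4"), fixed_in="7.61.1"),
    Finding("openssl", "1.1.0", "ADV-EXAMPLE-2", "critical",
            ("/usr/lib/libssl.so.1.1",), fixed_in=None),
    Finding("less", "530", "ADV-EXAMPLE-3", "low",
            ("/usr/bin/less",), fixed_in="551"),
]


def build_shield_policy(findings: List[Finding], min_severity: str = "high") -> Dict[str, str]:
    """Map every file of a component at or above min_severity to the reason it is blocked.
    Files are blocked even when a fix is published: the fix protects nothing until the
    image is rebuilt and redeployed, which is exactly the gap the shield covers."""
    threshold = SEVERITY_RANK[min_severity]
    policy: Dict[str, str] = {}
    # Highest severity first so the most serious reason wins when two findings share a file.
    for f in sorted(findings, key=lambda x: SEVERITY_RANK[x.severity], reverse=True):
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        reason = f"{f.vuln_id} in {f.package} {f.version}"
        for p in f.paths:
            policy.setdefault(posixpath.normpath(p), reason)
    return policy


def prioritise(findings: List[Finding], min_severity: str = "high") -> Dict[str, List[str]]:
    """Split shielded components for the team: 'rebuild' has a published fix (rebuild the
    image now, then drop the shield); 'shield_only' has no fix yet, so the runtime block
    is the only control until one ships."""
    plan: Dict[str, List[str]] = {"rebuild": [], "shield_only": []}
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            continue
        bucket = "rebuild" if f.fixed_in else "shield_only"
        plan[bucket].append(f"{f.package} {f.version} ({f.vuln_id})")
    return plan


def evaluate_event(policy: Dict[str, str], event: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Decide on one runtime event of the form {'op': 'exec' | 'open', 'path': ...}.
    The path is normalised first so '/usr/bin/../bin/curl' hits the same rule as
    '/usr/bin/curl' instead of slipping past a literal string match."""
    path = posixpath.normpath(event["path"])
    reason = policy.get(path)
    if reason is not None:
        return "block", f"{event['op']} of {path} blocked: {reason}"
    return "allow", None


if __name__ == "__main__":
    shield = build_shield_policy(SAMPLE_FINDINGS)
    for blocked_path, why in shield.items():
        print(f"shield {blocked_path}: {why}")
    print(prioritise(SAMPLE_FINDINGS))
    for ev in ({"op": "exec", "path": "/usr/bin/curl"},
               {"op": "exec", "path": "/usr/bin/../bin/curl"},
               {"op": "open", "path": "/usr/lib/libssl.so.1.1"},
               {"op": "exec", "path": "/usr/bin/less"},
               {"op": "exec", "path": "/bin/sh"}):
        print(ev, "->", evaluate_event(shield, ev))
```

The severity threshold is the knob a team would tune: lowering it to `"low"` also shields `/usr/bin/less`, which shows why a shield is a prioritization aid rather than a substitute for rebuilding, since every extra blocked file is a potential runtime breakage in the workload.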

Other new capabilities in Aqua CSP 4.2 include support for container image scanning by layer, to make it easier to isolate the root sources of security issues and vulnerabilities; a new view in the Aqua console that makes it easier to identify unprotected clusters and hosts; and native integration with Prometheus, an open source monitoring tool, and Harbor, an open source image registry.

Osnat says that in the wake of rival container security platform provider Twistlock being acquired by Palo Alto Networks, Aqua Security is looking forward to competing head-on with larger cybersecurity companies. To help it in its efforts, Aqua Security recently raised $62 million in additional funding.

Much of the container security battle is coming down to the degree to which organizations will want a dedicated cloud-native platform for managing container security instead of trying to extend existing management frameworks into the realm of containers. With its acquisition of Twistlock, Palo Alto Networks is kicking off an ambitious effort to converge security management across multiple cloud-native and legacy IT environments. The rate at which containers are being deployed in production environments is increasing exponentially, however, so many IT organizations won’t wait to make a decision regarding container security.

Aqua Security—and, soon, Palo Alto Networks—are not the only providers of platforms aimed at securing container environments. Arguably, the battle to provide those platforms is, in fact, only now being joined.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
