Aqua Security Plugs Container Security into Jenkins

As more organizations shift the responsibility for securing application code onto the shoulders of DevOps teams, a need has arisen to more tightly integrate container cybersecurity with continuous integration/continuous deployment (CI/CD) platforms. To address that requirement, Aqua Security has added a plug-in for the Jenkins CI/CD platform to Aqua MicroScanner, its free vulnerability scanner for Docker container images.

Support for Jenkins is intended to facilitate a shift to the left occurring as part of larger DevSecOps trends that is transforming how organizations secure applications in the age of containers, says Aqua CTO Amir Jerbi. Aqua MicroScanner embeds an executable and additional step when creating a container using Dockerfile, which then triggers a scan during the image build. That scan generates a report of the vulnerabilities found and suggests remediations. DevOps teams can choose to automatically fail a build when high-severity vulnerabilities are found. Integration with Jenkins makes it easier for DevOps teams to apply those cybersecurity checks across an entire application development pipeline, he says.

Jerbi notes the biggest cybersecurity issues associated with using containers doesn’t stem from the core container technology itself, but rather from the code developers encapsulate in those containers. Aqua MicroScanner checks operating system packages in Docker images for known vulnerabilities based on multiple aggregated sources, including the National Vulnerability Database (NVD) in the United States, vendor security advisories and information from software developers themselves. The Aqua Security Research Team further compares and resolves the results to keep track of any updates or differences, and to eliminate false positives.

When it comes to containerized application security, Jerbi says education remains the biggest hurdle. Initial concerns regarding application isolation have been largely addressed, he says, contending that containerized applications are more secure than legacy applications because it’s much easier to replace containers when there is an issue than to patch an entire monolithic application.

IT organizations should think of containers as adding yet another layer of security to their applications, he says, adding not enough attention is being paid to the benefits of the the container runtime environment from a cybersecurity perspective. Each runtime is part of a larger, well-defined microservice such that any deviation from the communications paths clearly denotes a breach, Jerbi notes.

Increased reliance on containers is clearly driving more organizations to embrace DevOps processes to bring order to what might be a chaotic process. Those processes are now being extended to include cybersecurity reviews of applications before they get deployed in a production environment. In fact, developers for the first time have an effective means to address cybersecurity issues in a way that doesn’t slow down the rate at which applications are being built.

It may take a while longer for DevSecOps to become the dominant model most organizations employ to build applications. But at this juncture, it’s more a matter of when rather than if DevSecOps becomes the way most modern application are built, deployed and secured.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard