Tripwire has made generally available a Tripwire for DevOps software-as-a-service (SaaS) offering optimized for containers.
Tim Erlin, vice president of product management and strategy for Tripwire, says the SaaS application is intended to complement existing application and source code analysis tools by making it easier to scan container images and container registries for vulnerabilities.
In addition, the service makes it possible to assess configurations for compliance with security policies within the context of a continuous integration/continuous development (CI/CD) pipeline, he says, adding a SaaS approach also makes it simpler to elastically apply vulnerability scans across teams of developers that are frequently distributed across multiple geographic regions.
A new survey of 306 cybersecurity professionals conducted by Dimensional Research on behalf of Tripwire finds that when it comes to cybersecurity in general, there’s still much room for improvement. A full 40 percent of organizations admit they are not scanning for vulnerabilities weekly or a more frequent basis, and only half run more comprehensive authenticated scans. A total of 54 percent of respondents also admitted they are not collecting logs from all critical systems in a central location, and 97 percent believe they need to get more efficient at checking logs.
Erwin says that while there is no shortage of tools for scanning container images, few of them enable cybersecurity teams to analyze containers while running in a sandbox. That approach allows for a deeper analysis of container images versus simply scanning container images against a static checklist, he says, noting the sandbox technology also one day will be applied to images running on top of virtual machines.
In general, Erlin says the goal in the age of DevSecOps is to scan container images before they get deployed. Ideally, that task would be performed by developers as part of the CI/CD process. But inevitably new vulnerabilities will be discovered after a container is deployed in a production environment, which cybersecurity teams will be expected to track and then alert developers to replace the affected containers. The good news is that replacing a set of containers is a lot easier than patching a legacy application: The Tripwire survey notes that 27 percent of organizations currently take anywhere from a month to more than one year to deploy a security patch.
When it comes to container security, there is no shortage of options. The bigger issue IT organizations now face is putting container security processes in place that require a significant change to their IT culture. Developers and cybersecurity teams today don’t interact all that much. But as the rate of applications being deployed starts to accelerate, thanks mainly to embracing DevOps processes, it becomes critical to address cybersecurity issues as early in the CI/CD pipeline as possible. Otherwise, the rate at which applications are being deployed and updated becomes adversely affected. Of course, the single biggest practical issue most organizations may face is simply determining whether the developer or cybersecurity teams are going to allocate the funds required to secure those containers.