TRANSCRIPT
Qualys Security Conference Dubai
Hari Srinivasan
Director Product Management, Qualys, Inc.
Qualys Container Security Comprehensive Security for the ever-changing Container Stack
Everybody Loves
Containers
29 April 2019, Qualys Security Conference 2019
Portability
Agility
Density
What are Containers?
Provides VM's resource isolation but is lighter-weight, efficient and portable.
(Diagram: virtual machines compared with containers.)
VM stack: Infrastructure, Host Operating System, Hypervisor, Guest OS (x3), Bins/Libs (x3), App 1 / App 2 / App 3.
Container stack: Infrastructure, Host Operating System, Docker Engine, Bins/Libs (x3), App 1 / App 2 / App 3.
Container Components & Lifecycle
Image
# Apache image
FROM ubuntu:12.04
RUN apt-get update
RUN apt-get install -y apache2
ENV APACHE_RUN_USER www-data
(Diagram: lifecycle pipeline Docker File -> Image -> Registry -> Containers, running on the Docker Engine on a Host / Cloud VM.)
Container Orchestration Tools
New age of DevOps tools specific to containers, enabling deployment and management of distributed containers at scale.
Provides:
a) Resource management for the complete cluster
b) Service-level management via active monitoring
Container Platforms
On Premise
Cloud
Container Deployments
(Diagram: three deployment scenarios; layer labels recovered from the slide.)
Deployment Scenario #1 – Infrastructure, Hypervisor, Host Operating System / Kernel, Guest OS (x3), Container Engine (x3), Container (x3), Application (x3); Use Case.
Deployment Scenario #2 – Infrastructure, Hypervisor, Host Operating System / Kernel, Guest OS (x3), Container Engine (x4), Container (x3); Use Case.
Deployment Scenario #3 – Infrastructure, Host Operating System / Kernel, Container Engine, Container as a Service, Container (x3); Use Case.
Container Visibility & Security Challenges
(Diagram: Build -> Ship -> Run; Container Images -> Container Registry -> Container Instances, on Infrastructure.)
Container Lifecycle Challenges
• What's in the images?
• Vulnerabilities?
• OSS license exposure?
• Solution disruptive to my CI pipeline?
• Registry scanning?
• Enforce compliance?
• Vulnerability, package and license-based rules?
• How to protect host?
• Container engine configured correctly?
• Container orchestration configured correctly?
• Runtime app visibility?
• Runtime app protection?
• Scanning report integrated with bug tracking?
• Vulnerability impact notifications?
Qualys Container Security
Qualys Container Security Key Uses
• Visibility into your container projects
• Secure the CI/CD pipeline
• Identify threats and impact across environments
• Container Runtime Protection
Use Case #1: Visibility into your container projects
Inventory & security posture widgets
• Container Hosts
• Count of images, containers
• Containers by state
• Vulnerable images
Personalize and add custom widgets
• Inventory of all Container Hosts across your datacenters, public clouds, laptops, ...
• Know how the host vulnerabilities and exploits affect your container environments
Know where your Containers are?
• Servers – Datacenter, Clouds, etc.
  isDockerHost: “true” and provider: AWS/Azure/GCP
• Developer Mac laptops
Image Inventory and Smart Searches
Search based on all attributes
• Image info
• Registry info
• Containers for this image
• Vulnerability posture
• Easy drill down for complete inventory
Preset quick search filters
• Identify images by application labels
Use Case #2: Secure the CI/CD pipeline
• Download the Qualys Vulnerability Analysis plug-in for Jenkins and install it on the Jenkins master
• Install the Qualys Container Sensor on the Jenkins worker nodes
• Set up policies to Pass/Fail the build. Ex: No Sev.5 vulnerabilities, specific QID, vulnerabilities count, etc.
Plugins: REST APIs for any other integrations.
Use Case #3: Detect Threats and Impact
Actionable Vulnerability Information
• Identify the threat from a vulnerable image
• Know the threat – Vulnerability summary
• Identify the impact – Summary of containers for this image in the environment
• Know other images and containers impacted by the vulnerability
• View list based on same vulnerabilities
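The two capabilities above, a build gate that passes or fails an image against policy rules of the three kinds the slides name (severity ceiling, specific QID, finding count) and an impact lookup that answers "which other images and containers carry this vulnerability", are shown below in one worked example. This is added illustration, not the Qualys Jenkins plug-in or sensor code; the inventory model (images with findings, containers referencing an image digest) and every QID, digest, host and container id in it are constructed for the example.

```python
"""Build gate and blast-radius lookup over a constructed container inventory.

Added illustration, not the Qualys Jenkins plug-in or sensor code. The data
model (images with findings, containers referencing an image id) and every
QID, digest, host and container id below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    qid: int          # Qualys-style detection id; constructed values below
    severity: int     # 1 (low) .. 5 (critical)
    package: str


@dataclass
class Image:
    image_id: str
    tag: str
    findings: List[Finding] = field(default_factory=list)


@dataclass(frozen=True)
class Container:
    container_id: str
    image_id: str     # digest of the image this container was started from
    host: str
    state: str        # "running" or "stopped"


# Constructed sample inventory: three images, four containers on three hosts.
IMAGES: Dict[str, Image] = {
    "sha256:aaa": Image("sha256:aaa", "web:1.0",
                        [Finding(200001, 5, "openssl"), Finding(200002, 3, "curl")]),
    "sha256:bbb": Image("sha256:bbb", "api:2.3", [Finding(200002, 3, "curl")]),
    "sha256:ccc": Image("sha256:ccc", "worker:0.9", []),
}
CONTAINERS: List[Container] = [
    Container("c1", "sha256:aaa", "node-01", "running"),
    Container("c2", "sha256:aaa", "node-02", "stopped"),
    Container("c3", "sha256:bbb", "node-02", "running"),
    Container("c4", "sha256:ccc", "node-03", "running"),
]


@dataclass(frozen=True)
class BuildPolicy:
    """The three rule kinds on the slide: severity ceiling, specific QIDs,
    and a cap on the total number of findings."""
    max_severity_allowed: int = 4            # 4 means "no Sev.5 vulnerabilities"
    blocked_qids: FrozenSet[int] = frozenset()
    max_findings: Optional[int] = None


def evaluate_build(image: Image, policy: BuildPolicy) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Every rule is checked so the build log
    lists all violations, not just the first one hit."""
    reasons = []
    too_severe = [f for f in image.findings if f.severity > policy.max_severity_allowed]
    if too_severe:
        reasons.append("severity above %d: QIDs %s"
                       % (policy.max_severity_allowed, sorted(f.qid for f in too_severe)))
    blocked = [f for f in image.findings if f.qid in policy.blocked_qids]
    if blocked:
        reasons.append("blocked QIDs present: %s" % sorted(f.qid for f in blocked))
    if policy.max_findings is not None and len(image.findings) > policy.max_findings:
        reasons.append("finding count %d exceeds %d" % (len(image.findings), policy.max_findings))
    return (not reasons, reasons)


def impact_of_qid(qid: int, images=IMAGES, containers=CONTAINERS) -> dict:
    """Blast radius of one QID: the images that carry it and every container
    started from those images (stopped ones included, since they can be
    restarted), grouped by host for the operations team."""
    affected_images = {i.image_id for i in images.values()
                       if any(f.qid == qid for f in i.findings)}
    affected = [c for c in containers if c.image_id in affected_images]
    by_host: Dict[str, List[str]] = {}
    for c in affected:
        by_host.setdefault(c.host, []).append(c.container_id)
    return {
        "images": sorted(affected_images),
        "containers": sorted(c.container_id for c in affected),
        "by_host": by_host,
    }


if __name__ == "__main__":
    gate = BuildPolicy(max_severity_allowed=4, blocked_qids=frozenset({200002}))
    for img in IMAGES.values():
        print(img.tag, evaluate_build(img, gate))
    print(impact_of_qid(200002))
```

Stopped containers are deliberately included in the impact list: a stopped container is one restart away from running the vulnerable image again, so it belongs in the remediation scope.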
Use Case #4: Runtime Drifts & Protection
Detect containers breaking off from "immutable" behavior and Block/Kill/Quarantine them.
Identify potential breaches in containers
• "Rogue" Containers differ from their parent Images by vulnerability, software package composition, behavior, etc.
• Drill down to the details, identify activity in the containers
• Containers breaking off from the "immutable" behavior
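The drift check described above, as an added example that is not the Qualys sensor's implementation: a running container is compared with the image it was started from on two of the axes the slide names, software package composition and behavior (represented here by running processes), and the result is mapped to alert, quarantine or kill. The package manifests, process lists and the enforcement policy are all constructed for the example.

```python
"""Runtime drift check for an "immutable" container.

Added illustration; not the Qualys sensor's implementation. A container is
compared with the image it was started from on two axes the slide names:
software package composition and behavior (here: running processes). The
manifests, process lists and the enforcement policy are all constructed."""
from typing import Dict, Set

# Constructed manifests: package name -> version, as recorded for the image
# at scan time and as observed inside the running container.
IMAGE_PACKAGES: Dict[str, str] = {"openssl": "1.1.1b", "curl": "7.64.0", "nginx": "1.15.9"}
# Processes the image is expected to run (from its entrypoint/cmd); constructed.
IMAGE_PROCESSES: Set[str] = {"nginx"}


def package_drift(image_pkgs: Dict[str, str], container_pkgs: Dict[str, str]) -> dict:
    """Three ways the package set can diverge from the parent image."""
    added = {n: v for n, v in container_pkgs.items() if n not in image_pkgs}
    removed = {n: v for n, v in image_pkgs.items() if n not in container_pkgs}
    changed = {n: (image_pkgs[n], v) for n, v in container_pkgs.items()
               if n in image_pkgs and image_pkgs[n] != v}
    return {"added": added, "removed": removed, "changed": changed}


def process_drift(expected: Set[str], observed: Set[str]) -> Set[str]:
    """Processes running in the container that the image never declared."""
    return observed - expected


def is_rogue(pkg_drift: dict, proc_drift: Set[str]) -> bool:
    """A container is 'rogue' when it differs from its parent image at all."""
    return any(pkg_drift.values()) or bool(proc_drift)


def recommended_action(pkg_drift: dict, proc_drift: Set[str], mode: str) -> str:
    """Map drift to the slide's responses (alert / quarantine / kill).
    Constructed policy: in "monitor" mode every drift only alerts; in
    "enforce" mode unexpected processes or newly added packages are treated
    as a live change to the workload and the container is killed, while
    version changes or removals are quarantined for investigation."""
    if not is_rogue(pkg_drift, proc_drift):
        return "none"
    if mode != "enforce":
        return "alert"
    if proc_drift or pkg_drift["added"]:
        return "kill"
    return "quarantine"


def assess(container_pkgs, container_procs, mode="monitor",
           image_pkgs=IMAGE_PACKAGES, image_procs=IMAGE_PROCESSES) -> dict:
    """Full verdict for one container against its image's recorded state."""
    pd = package_drift(image_pkgs, container_pkgs)
    pr = process_drift(image_procs, set(container_procs))
    return {"rogue": is_rogue(pd, pr), "packages": pd,
            "unexpected_processes": sorted(pr),
            "action": recommended_action(pd, pr, mode)}


if __name__ == "__main__":
    # A constructed container that gained a package and a process after start.
    observed_pkgs = dict(IMAGE_PACKAGES, netcat="1.10", openssl="1.1.1c")
    print(assess(observed_pkgs, ["nginx", "nc"], mode="enforce"))
```

The comparison baseline is the image as scanned, not the container's own earlier state, so drift is measured against what the pipeline approved; a "monitor" mode is kept separate from "enforce" so a team can watch false positives before turning on kill or quarantine.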
Qualys+LI Q3 2019
(Diagram: Build -> Ship -> Run; Container Images -> Container Registry -> Container Instances, on Infrastructure.)
• Software Composition
• Vulnerability Analysis
• OSS License Analysis
• Integration with CI Pipelines
• Registry Scanning
• Compliance Controls
• Vulnerability, Package and License-based Rules
• Host Protection
• Container Engine Benchmarking
• Container Orchestration Benchmarking
• Deep Runtime Visibility
• Runtime Protection
• Bug Tracking Integration
• Real-time Vulnerability Impact Notifications
Qualys Container Security
• Protection for container infrastructure stack
• Accurate insight and control of container images
• Automated analysis and enforcement of container behavior
Host Protection / CIS Benchmarks
Scanning & Compliance
Visibility & Protection
Qualys Container Security
Qualys 'Container Security' Sensor Options: sensors for every use case
Sensor types: BUILD, HOST, RUNTIME, REGISTRY (spanning the pre-deployment phase and the post-deployment phase)