Post on 13-Jul-2020


Qualys Security Conference Dubai

Hari Srinivasan

Director Product Management, Qualys, Inc.

Qualys Container Security Comprehensive Security for the ever-changing Container Stack

Everybody Loves

Containers

29 April 2019, Qualys Security Conference 2019

Portability

Agility

Density

What are Containers?

Containers provide VM-like resource isolation but are lighter-weight, more efficient and portable.

[Slide diagram: two stacks side by side.
Virtual machines: Infrastructure > Hypervisor > Guest OS (one per VM) > Bins/Libs > App 1, App 2, App 3.
Containers: Infrastructure > Host Operating System > Docker Engine > Bins/Libs > App 1, App 2, App 3. There is no guest OS; every container shares the host kernel, which is why isolation depends on the engine and host configuration rather than on a hypervisor.]

Container Components & Lifecycle

Image: built from a Dockerfile, for example an Apache image:

    # Apache image
    FROM ubuntu:12.04
    RUN apt-get update
    RUN apt-get install -y apache2
    ENV APACHE_RUN_USER www-data

(Note that ubuntu:12.04 left standard support in April 2017; an image built from such a base carries unpatched packages, which is exactly what the image scanning described later is meant to surface.)

Lifecycle: Dockerfile -> Image -> Registry -> Containers, with the containers running on the Docker Engine on a Host / Cloud VM.

Container Orchestration Tools

A new generation of DevOps tools specific to containers, enabling deployment and management of distributed containers at scale. They provide:

a) resource management for the complete cluster
b) service-level management via active monitoring

Container Platforms

On Premise

Cloud

Container Deployments

[Slide diagram: three deployment scenarios, each drawn as a stack with a "Use Case" label.
Deployment Scenario #1 and Deployment Scenario #2: stacks built from Infrastructure, Hypervisor, Guest OS (x3), Host Operating System / Kernel, Container Engine (one per OS) and Containers / Applications (x3).
Deployment Scenario #3, Container as a Service: Infrastructure > Host Operating System / Kernel > Container Engine > Container (x3).
The use-case text for each scenario did not survive extraction.]

Container Visibility & Security Challenges

Container Lifecycle Challenges, by phase (Build, Ship, Run, plus the infrastructure underneath):

Build (Container Images)
• What's in the images?
• Vulnerabilities?
• OSS license exposure?
• Solution disruptive to my CI pipeline?

Ship (Container Registry)
• Registry scanning?
• Enforce compliance?
• Vulnerability, package and license-based rules?

Run (Container Instances)
• Runtime app visibility?
• Runtime app protection?

Infrastructure
• How to protect the host?
• Container engine configured correctly?
• Container orchestration configured correctly?

Across the lifecycle
• Scanning report integrated with bug tracking?
• Vulnerability impact notifications?

Qualys Container Security

Qualys Container Security Key Uses

• Visibility into your container projects
• Secure the CI/CD pipeline
• Identify threats and impact across environments
• Container Runtime Protection

Use Case #1: Visibility into your container projects

Inventory & security posture widgets
• Container Hosts
• Count of images, containers
• Containers by state
• Vulnerable images

Personalize and add custom widgets

Know where your Containers are?

• Inventory of all Container Hosts across your datacenters, public clouds, laptops, ...
• Know how host vulnerabilities and exploits affect your container environments

Servers - Datacenter, Clouds, etc.: found with the asset search isDockerHost: "true" and provider: AWS/Azure/GCP
Developer Mac laptops

Image Inventory and Smart Searches

Search based on all attributes:
• Image info
• Registry info
• Containers for this image
• Vulnerability posture
• Easy drill down for complete inventory

Preset quick search filters: identify images by application labels

Use Case #2: Secure the CI/CD pipeline

1. Download the Qualys Vulnerability Analysis plug-in for Jenkins and install it on the Jenkins master.
2. Install the Qualys Container Sensor on the Jenkins worker nodes.
3. Set up policies to pass/fail the build, e.g. no Sev.5 vulnerabilities, specific QIDs, a vulnerability count, etc.

Plugins: REST APIs for any other integrations.
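The pass/fail policy from step 3, written out as an added Python example. This is not the Qualys Jenkins plug-in's code and not its report schema: the JSON layout (a per-image list of findings with a QID, a 1-5 severity and the affected package) and the QID values are constructed placeholders so the gate logic can run offline. The three rule types are the ones the slide names: a severity ceiling, specific blocked QIDs, and a count limit.

```python
"""Build-gate policy check over a container image scan report.

Added example for this page, not Qualys's Jenkins plug-in code and not
its report schema. The JSON layout below (a per-image list of findings,
each with a QID, a severity of 1-5 and the affected package) is a
constructed stand-in so the logic can run offline; the QIDs are
placeholders, not real Qualys identifiers.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Finding:
    qid: int          # vulnerability identifier (placeholder values below)
    severity: int     # 1 (lowest) .. 5 (highest)
    package: str      # affected OS/library package
    title: str = ""


@dataclass
class GatePolicy:
    # Fail the build if any finding is above this severity (4 => "no Sev.5").
    max_severity: int = 4
    # Fail on these QIDs regardless of severity (e.g. a known exploited bug).
    blocked_qids: Set[int] = field(default_factory=set)
    # Fail if more than this many findings of min_counted_severity or higher
    # are present; None disables the count rule.
    max_findings: Optional[int] = None
    min_counted_severity: int = 3


def load_findings(report_json: str) -> List[Finding]:
    """Parse the (constructed) report format into Finding objects."""
    report = json.loads(report_json)
    return [Finding(int(f["qid"]), int(f["severity"]), f["package"], f.get("title", ""))
            for f in report["findings"]]


def evaluate_gate(findings: List[Finding], policy: GatePolicy) -> Tuple[bool, List[str]]:
    """Apply every rule and return (passed, reasons).

    All rules are evaluated, not just the first failure, so the build log
    tells the developer everything that must be fixed in one pass.
    """
    reasons = []

    too_severe = [f for f in findings if f.severity > policy.max_severity]
    if too_severe:
        reasons.append("severity above %d: %s" % (
            policy.max_severity,
            ", ".join("QID %d (%s, sev %d)" % (f.qid, f.package, f.severity) for f in too_severe)))

    blocked = [f for f in findings if f.qid in policy.blocked_qids]
    if blocked:
        reasons.append("blocked QID present: %s" % ", ".join(str(f.qid) for f in blocked))

    if policy.max_findings is not None:
        counted = [f for f in findings if f.severity >= policy.min_counted_severity]
        if len(counted) > policy.max_findings:
            reasons.append("%d findings of severity >= %d exceed limit of %d" % (
                len(counted), policy.min_counted_severity, policy.max_findings))

    return (not reasons, reasons)


# Constructed sample report: one Sev.5, one specifically blocked QID, two lower ones.
SAMPLE_REPORT = """
{
  "image": "example/apache:latest",
  "findings": [
    {"qid": 100001, "severity": 5, "package": "openssl", "title": "constructed sev5 finding"},
    {"qid": 100002, "severity": 3, "package": "apache2", "title": "constructed sev3 finding"},
    {"qid": 100003, "severity": 2, "package": "bash",    "title": "constructed sev2 finding"},
    {"qid": 100004, "severity": 4, "package": "libxml2", "title": "constructed sev4 finding"}
  ]
}
"""

# "No Sev.5, QID 100004 is never allowed, at most 5 findings of sev 3+".
DEFAULT_POLICY = GatePolicy(max_severity=4, blocked_qids={100004}, max_findings=5)


def main() -> int:
    """CI entry point: a non-zero exit code fails the Jenkins stage."""
    passed, reasons = evaluate_gate(load_findings(SAMPLE_REPORT), DEFAULT_POLICY)
    for r in reasons:
        print("GATE FAIL:", r)
    print("build gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the script exits 1 for the sample report (a Sev.5 finding and the blocked QID), which is what makes the stage fail. The gate reports every violated rule rather than stopping at the first, so a developer sees the whole fix list from one build.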

Use Case #3: Detect Threats and Impact

Actionable Vulnerability Information
• Identify the threat from a vulnerable image
• Know the threat: vulnerability summary
• Identify the impact: summary of the containers for this image in the environment
• Know other images and containers impacted by the vulnerability
• View the list of images and containers sharing the same vulnerabilities

Use Case #4: Runtime Drifts & Protection

Detect containers breaking off from "immutable" behavior and Block/Kill/Quarantine them.

Identify potential breaches in containers: "rogue" containers differ from their parent images by vulnerability, software package composition, behavior, etc.

Drill down to the details, identify activity in the containers, and see which containers are breaking off from the "immutable" behavior.
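What "differs from the parent image" means in code, as an added Python example (not Qualys's code). It diffs a constructed snapshot of a running container (installed packages and observed processes) against the snapshot of its image and maps the drift to one of the responses the slide lists: allow, quarantine or kill. The response policy is illustrative, and the package names and versions are constructed sample data, not real advisories.

```python
"""Detect a running container drifting from its parent image, and decide
what to do about it.

Added example for this page, not Qualys code. The two snapshots below are
constructed: in practice the image side comes from the image's package
database at build time and the container side from inspecting the live
container (its filesystem changes and process list).
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Snapshot:
    packages: Dict[str, str]         # package name -> installed version
    processes: Set[str]              # executables observed running (image: the expected set)


@dataclass
class Drift:
    added_pkgs: Dict[str, str] = field(default_factory=dict)
    removed_pkgs: Dict[str, str] = field(default_factory=dict)
    changed_pkgs: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (image, container)
    unexpected_procs: Set[str] = field(default_factory=set)

    def is_empty(self) -> bool:
        return not (self.added_pkgs or self.removed_pkgs or self.changed_pkgs or self.unexpected_procs)


def compute_drift(image: Snapshot, container: Snapshot) -> Drift:
    """Diff the live container against its parent image."""
    d = Drift()
    for name, ver in container.packages.items():
        if name not in image.packages:
            d.added_pkgs[name] = ver
        elif image.packages[name] != ver:
            d.changed_pkgs[name] = (image.packages[name], ver)
    for name, ver in image.packages.items():
        if name not in container.packages:
            d.removed_pkgs[name] = ver
    d.unexpected_procs = container.processes - image.processes
    return d


def decide_action(drift: Drift, allowed_extra_pkgs: Set[str] = frozenset()) -> str:
    """Map drift to a response: 'allow', 'quarantine' or 'kill'.

    Illustrative policy, not the product's: an immutable container should
    never gain packages or spawn processes its image did not ship; those are
    the strongest breach signals and get 'kill'. Version changes and
    removals are still drift, so the container is quarantined for review.
    """
    if drift.is_empty():
        return "allow"
    if drift.unexpected_procs or (set(drift.added_pkgs) - allowed_extra_pkgs):
        return "kill"
    return "quarantine"


# Constructed snapshots. Versions are plausible Ubuntu-style strings, not
# real advisories. The container has gained netcat, upgraded openssl in
# place, and is running a shell and nc that the image's entrypoint never starts.
IMAGE = Snapshot(
    packages={"apache2": "2.4.7-1ubuntu4", "openssl": "1.0.1f-1ubuntu2", "bash": "4.3-7ubuntu1"},
    processes={"apache2"},
)
CONTAINER = Snapshot(
    packages={"apache2": "2.4.7-1ubuntu4", "openssl": "1.0.1f-1ubuntu2.27",
              "bash": "4.3-7ubuntu1", "netcat-openbsd": "1.105-7ubuntu1"},
    processes={"apache2", "sh", "nc"},
)


def report(image: Snapshot, container: Snapshot) -> Tuple[Drift, str]:
    """Compute drift and the resulting action in one call."""
    d = compute_drift(image, container)
    return d, decide_action(d)


if __name__ == "__main__":
    drift, action = report(IMAGE, CONTAINER)
    print("added:", drift.added_pkgs)
    print("changed:", drift.changed_pkgs)
    print("unexpected processes:", sorted(drift.unexpected_procs))
    print("action:", action)
```

For the constructed container the result is "kill": an added package and two unexpected processes are exactly the "rogue" signals the slide describes. On a real Docker host the filesystem half of the container snapshot is what `docker diff <container>` reports relative to the image layers; the process half comes from the host's view of the container's PID namespace. Package version changes alone (a patch applied inside a running container instead of by rebuilding the image) only quarantine, since the right fix is a rebuild, not necessarily a kill.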

Qualys+LI Q3 2019

Qualys Container Security capabilities, by phase (Build, Ship, Run, plus the infrastructure underneath):

Build (Container Images)
• Software Composition
• Vulnerability Analysis
• OSS License Analysis
• Integration with CI Pipelines

Ship (Container Registry)
• Registry Scanning
• Compliance Controls
• Vulnerability, Package and License-based Rules

Run (Container Instances)
• Deep Runtime Visibility
• Runtime Protection

Infrastructure
• Host Protection
• Container Engine Benchmarking
• Container Orchestration Benchmarking

Across the lifecycle
• Bug Tracking Integration
• Real-time Vulnerability Impact Notifications

Qualys Container Security

• Host Protection, CIS Benchmarks: protection for the container infrastructure stack
• Scanning & Compliance: accurate insight into and control of container images
• Visibility & Protection: automated analysis and enforcement of container behavior

Qualys Container Security

Qualys ‘Container Security’ Sensor Options

Sensors for every use case:
• Build sensor and Registry sensor (pre-deployment phase)
• Host sensor and Runtime sensor (post-deployment phase)

Qualys Security Conference Dubai

Thank You

Hari Srinivasan

hsrinivasan@qualys.com