The traditional process of software and configuration management, service hardening and compliance enforcement, run as a separate, periodic step, does not work for modern DevOps teams. Making security part of the CI/CD process itself is known as continuous security.
Many organizations have already implemented CI/CD pipelines to make their software supply chain more agile: Continuous Integration tools automatically build and test the software, and Continuous Delivery tools then make the resulting container images and configuration ready for production use, or Continuous Deployment tools push them straight into production.
More applications and services, microservices, new infrastructure layers such as Docker and Kubernetes, and faster iterations and releases all make the case for a continuous security process.
CONTINUOUS SECURITY IS IMPORTANT.
Whether you are just running containers or have already implemented a complete CI/CD process, you are going to find several situations that call for new security tools:
- Different software versions, each with its own vulnerabilities and patches, spread across a growing number of container images.
- Software from different sources and authors runs in production. Developers push software to repositories and image registries with no guarantee of its provenance, so you end up running containers you cannot trust.
- Security best practices for your container infrastructure configuration and application image builds change over time, and compliance with new security policies is required.
- Vulnerabilities in your own software, weak or leaked credentials, or plain configuration flaws are exploited too. You need to detect intrusion attempts and stop those attacks.
- After a security incident, how do you investigate what the attacker did and how they got in? Containers are highly volatile and may no longer exist by the time you try to do a post-mortem analysis and forensics of the attack.
CI/CD PIPELINE SECURITY: CONTINUOUS SECURITY IMPLEMENTATION WITH SYSDIG.
Sysdig Secure helps organizations and their operations, development, security and DevSecOps teams transition to these new processes. Sysdig has native integrations at multiple points of the software delivery lifecycle, enabling continuous security across the entire CI/CD pipeline and at runtime. Sysdig Secure's vulnerability management capabilities bring application security, compliance and quality assurance closer to the developer.
CONTAINER IMAGE SCANNING AND VULNERABILITY MANAGEMENT.
Configure Sysdig Secure to scan images either as part of your build process or from your container registry. You can integrate it into your CI/CD pipeline through a native Jenkins plugin or through the APIs. Fail builds, trigger warnings and enforce compliance by scanning every image as part of the build process, before it is pushed to the container registry.
Inspecting an image produces a detailed report of its contents, including:
- Official OS packages
- Unofficial OS packages
- Configuration files
- Credentials files
- Language-specific packages and software installers:
  - Python (pip)
  - Ruby (gem)
  - Java/JVM (.jar archives)
- Image metadata and configuration attributes
You can prevent images with critical vulnerabilities from being pushed to the image registry while still letting low and medium vulnerabilities through with a warning, and whitelist findings that do not affect your application. You decide what matters and what is not relevant in your vulnerability management policy. Keep in mind that a clean scan at build time does not stay clean: new CVEs are published against packages in images that were already built, so images should also be rescanned in the registry and while they run.
Vulnerability and package data is continuously updated from multiple sources:
- NIST National Vulnerability Database
- Official Debian, Ubuntu, Red Hat and CentOS package and security trackers
- Language specific trackers and other sources
You can scan images stored in any Docker Registry API V2 compatible registry, such as:
- Google Container Registry
- Amazon ECR
- Microsoft ACR
- Docker Hub Private Registry and Docker Enterprise
- CoreOS Quay
- JFrog Artifactory
- Gitlab Container Registry
- SUSE Portus
- VMware Harbor
- Sonatype Nexus
COMPLIANCE AND AUDIT.
With Sysdig Secure your entire organization can be aware of the risk and compliance status of images in the build pipeline, stored in container registries, and even those currently running in production, as well as the compliance of your infrastructure, platform and service configuration. All commands executed either on the hosts or inside the containers are automatically recorded for auditing purposes, so any modification someone makes is on record.
This helps ensure you are compliant with HIPAA, GDPR, PCI DSS or other external or internal requirements and policies. You can customize checks and benchmarks, such as the Docker and Kubernetes CIS benchmarks, individually to fit your environment, since some general recommendations may not apply to your specific configuration, or write your own checks.
These insights can be viewed as a report, or combined with application performance metrics from Sysdig Monitor to give developers a holistic view of the performance, health and vulnerability status of their containerized service. This DevSecOps-oriented visibility helps application teams deliver secure and reliable services faster.
CONTAINER RUN-TIME SECURITY.
Sysdig is the only platform architected to use deep container visibility for securing all your applications, services and infrastructure in cloud-native environments. It monitors processes and containers for anomalous behaviour once they are in production through transparent system call instrumentation that requires neither image patching nor process linking, while keeping performance high.
Network, file system and any other process activity seen through system calls is combined with container and Kubernetes metadata, so you can write runtime security policies that apply to specific Kubernetes resources and applications. A few typical runtime policies that can be configured through Sysdig Secure include:
- Someone runs an interactive shell in a container in the production Namespace
- Unexpected outgoing connection from a Pod inside the Redis Deployment
- Unexpected process running in the Nginx image
- Unapproved container running in the kube-system Namespace
- An application re-reads a Kubernetes Secret after start-up
- A Pod tries to reach the Kubernetes kubelet API
- A privileged container changes its namespace via the setns syscall
In addition to an extensive default ruleset that covers the typical security incidents in containers, Sysdig Secure can learn how your application containers behave and use that as a baseline to detect any future behaviour that differs. Review a learned profile before enforcing it: everything the container did during the learning window, including an attacker's activity if one was already present, becomes part of the baseline.
You can tie image information and scan results back to Kubernetes clusters, namespaces and deployments to categorize risk and prioritize image patching and upgrades: alert if an image in the registry contains a vulnerability, or simply has not been scanned, and is running in a specific application in production. Block forbidden images, or allow only specific ones, per cluster, namespace or deployment.
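The policies listed above, written out as Falco rules (Falco is the open-source runtime detection engine that Sysdig Secure's runtime policies are built on). This is an added example, not code from the page or from Sysdig. The namespace, deployment and image names, the allowed redis peer IPs and the kube-system image allowlist are assumed placeholders for a hypothetical cluster; port 10250 is the kubelet API default. The "Secret re-read after start-up" policy is left out because it needs per-process state that these stateless rules do not track.

```yaml
# Added example: six of the runtime policies above as Falco rules.
# Not from the page or Sysdig; names and addresses below are assumed.

# Minimal macros (trimmed versions of the ones in Falco's default ruleset)
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <
- macro: container
  condition: container.id != host
- macro: container_started
  condition: evt.type = container or (spawned_process and proc.vpid = 1)
- macro: outbound
  condition: >
    evt.type = connect and evt.dir = < and
    (fd.typechar = 4 or fd.typechar = 6) and
    fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8"

- list: shell_binaries
  items: [bash, sh, zsh, dash, ksh, ash]
- list: nginx_expected_procs          # assumed; extend with your entrypoint scripts
  items: [nginx, sh]
- list: redis_allowed_peers           # assumed: the other redis replicas
  items: ["10.0.1.20", "10.0.1.21"]
- list: kube_system_allowed_images    # assumed allowlist for the namespace
  items: [k8s.gcr.io/kube-proxy, k8s.gcr.io/coredns, k8s.gcr.io/pause]
- list: namespace_changing_binaries   # legitimate setns() callers on a node
  items: [docker, dockerd, containerd-shim, runc, kubelet, nsenter]

- rule: Interactive shell in production container
  desc: A TTY-attached shell was started inside a container in the production namespace
  condition: >
    spawned_process and container and proc.name in (shell_binaries)
    and proc.tty != 0 and k8s.ns.name = "production"
  output: >
    Shell spawned in production container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline pod=%k8s.pod.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

- rule: Unexpected outbound connection from redis
  desc: A pod of the redis deployment connected to something other than its replicas
  condition: >
    outbound and container and k8s.deployment.name = "redis"
    and not fd.sip in (redis_allowed_peers)
  output: >
    Unexpected outbound connection from redis (pod=%k8s.pod.name
    dest=%fd.sip:%fd.sport proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [network]

- rule: Unexpected process in nginx image
  desc: A process not expected in the nginx image was started in one of its containers
  condition: >
    spawned_process and container
    and container.image.repository endswith "nginx"
    and not proc.name in (nginx_expected_procs)
  output: >
    Unexpected process in nginx container (proc=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline pod=%k8s.pod.name image=%container.image.repository)
  priority: WARNING
  tags: [process]

- rule: Unapproved image in kube-system
  desc: A container started in kube-system from an image that is not on the allowlist
  condition: >
    container_started and k8s.ns.name = "kube-system"
    and not container.image.repository in (kube_system_allowed_images)
  output: >
    Unapproved container in kube-system (image=%container.image.repository
    pod=%k8s.pod.name)
  priority: ERROR
  tags: [k8s]

- rule: Pod contacting kubelet API
  desc: A container opened a connection to port 10250, the kubelet API default port
  condition: outbound and container and fd.sport = 10250
  output: >
    Container reached kubelet API (pod=%k8s.pod.name ns=%k8s.ns.name
    dest=%fd.sip:%fd.sport proc=%proc.name)
  priority: NOTICE
  tags: [k8s, network]

- rule: Privileged container changed namespace
  desc: A privileged container called setns(), the syscall a process uses to join another namespace such as the host's
  condition: >
    evt.type = setns and container and container.privileged = true
    and not proc.name in (namespace_changing_binaries)
  output: >
    Namespace change via setns from privileged container (proc=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline pod=%k8s.pod.name)
  priority: ERROR
  tags: [container, privilege_escalation]
```

Load the file with `falco -r rules.yaml` on a node to see the alerts on stdout before wiring them into a policy. Two design points worth noting: the allowlists are deliberately narrow (a rule that allows `sh` in the nginx image will not fire on an attacker's non-interactive shell, which is why the separate TTY-based rule exists), and the `outbound` macro only matches the `connect` syscall, so UDP traffic sent without a prior `connect` needs an additional `sendto`/`sendmsg` clause as in Falco's full default macro.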
CONTAINER FORENSICS AND POST-MORTEM ANALYSIS.
Sysdig has solved the challenge of container forensics and post-mortem analysis. You can record all system activity not only after, but also just before, a security incident is detected. This is the information you need to answer questions such as:
- How was I hacked? Leaked credentials, command injection, a specific exploit?
- What happened inside? File access and modification, backdoor installation, cryptojacking?
- Did the attack spread to other systems? Was any sensitive information exposed and leaked?
Containers are highly volatile. It is normal for them to be scaled up and down, destroyed and rescheduled somewhere else. When the container is gone, all the information you had about any change in that container is gone with it, and you are left with only whatever logs you may have recorded.
Sysdig captures can be analysed with Sysdig Inspect, and Sysdig Secure lets you browse and review all the recorded activity like a time machine through an easy-to-use UI: processes, containers, network and filesystem activity, but also applications, commands, logs and Docker or Kubernetes events.