Posts under Container Security
We recently highlighted Gartner’s advice to “shift right” with security, to avoid burdening developers from a security standpoint. Gartner analyst Dale Gardner continued that theme with this opening slide to his talk advising teams to “Fix What Matters” in the area of vulnerabilities. Dale noted that we excel at finding vulnerabilities, leading to the garbage heap analogy. “We end up with this graveyard of multiple vulnerability reports,” Dale observed. Bringing this world view into container security doesn’t make this problem any easier – indeed, now you have more “things” to secure.
We’re gearing up (pun intended) for an exciting time next week in San Francisco, and we’re thrilled to kick it off on Sunday at BSidesSF at City View in the Metreon. We’re proud to sponsor and support this event – an amazing grassroots effort that unites the information security community to share knowledge. With this year’s steampunk theme, the conference promises to deliver inspirational talks, stimulating discussions, and of course, evenings filled with entertaining discourse and delectable libations.
There has never been a better time to be a DevOps engineer. Compared to traditional web stacks, containerization has dramatically streamlined the task of deploying web services such as databases, key/value stores, and servers. Furthermore, container orchestration tools, like Google’s Kubernetes and Docker Swarm, enable organizations to automate the deployment and management of these containerized applications. But the tools that make life easier and more efficient for engineers can also be a gift to an attacker.
Introducing StackRox Prevent: Reimagining Container Deployment Security to Minimize Your Attack Surface
Security leaders today are charged with the increasingly complex task of defending the technology that powers modern enterprises, at a time when the software stack has never been more diverse or unmanageable. Implementing a coherent security program can seem daunting in light of the patchwork of duties that may fall under a security organization’s purview: static code analysis, identity and access management, compliance, data privacy and integrity, vulnerability management, monitoring, incident response, threat hunting, forensics…and the list continues.
This is a guest blog by Rob Fry, an accomplished architect, inventor and public speaker with 20 years’ experience primarily in large-scale Internet companies and the utility industry. At Netflix he invented FIDO, a patented open source security orchestration platform, and while at Yahoo created the DUBS configuration and automation framework for production servers. Over the past two decades, we’ve seen adoption of new technologies reshaping the landscape of how we operate and secure our businesses.
In the eighth video in our demo series, we walk you through the third-party enabled integrations that StackRox provides, including integrations with identity providers, role-based access control (RBAC), Security Assertion Markup Language (SAML) providers, notification services like PagerDuty and Slack, and log management solutions.
In the seventh video in our demo series, we’ll take a look at StackRox reports. StackRox gives you summary reports for any period of time to help you get a sense of the risk in your environment. In this video, you can see how we provide a number of preset reports, including an overview summary, alerts by severity, top attacks, policy violations, infected applications and services, top vulnerable services and images, and external infection sources.
“Keep Cloud Native Weird.” That was the motto of KubeCon + CloudNativeCon 2017, which I had the opportunity to attend last week in Austin. With the conference attracting more than 4,100 participants, hundreds of technical sessions, new project announcements, and key updates on existing initiatives, it is clear that the cloud native computing revolution continues to accelerate. Here are some of the highlights I found most interesting.
[Image: KubeCon welcome mural]
Since day one at StackRox, three years ago, we’ve made it a point to meet regularly with CISOs from top banks and other global 2000 companies. The focus of these discussions was on how we might expedite the adoption of containers, and improve the process of maintaining better security and regulatory compliance. Over the course of these many conversations, I’ve found that there are some important ideas worth sharing broadly, though they’re likely most interesting to IT and security leaders in the financial world, where both competitive and regulatory pressures are very high.
Four and a half years since it was first introduced, Docker continues to have a profound impact on reshaping how developers build, ship, and run software applications. Few could have anticipated the speed of Docker adoption that we have observed to date with more than 21 million hosts now running Docker, over 24 billion Docker container downloads, and a vibrant ecosystem of 100,000+ third-party projects that incorporate Docker. As the de facto standard for the container runtime and image format, Docker has democratized the ability for anyone to take advantage of container technologies that could previously only be utilized by a handful of the world’s largest, cloud-native companies.
On November 9, 2017, I attended the 9th annual Red Hat Government Symposium in Washington, DC, and quickly got a sense of Red Hat’s momentum in the public sector and the rapid growth of OpenShift, Red Hat’s container application platform based on Kubernetes. Over 600 participants attended the symposium, many of whom were senior IT and cybersecurity leaders from government agencies such as Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA), General Services Administration (GSA), Social Security Administration (SSA), U.
In the three and a half years since its release, Kubernetes has become one of the most popular container management systems on the market. A survey by 451 Research found that 71% of enterprise organizations running containers are using Kubernetes. Likewise, Google Kubernetes Engine (GKE) has emerged as one of the leading managed services for Kubernetes deployments, attracting customers like Niantic, Philips, Meetup, and Evernote. GKE extends the baseline benefits of Kubernetes, including automated cluster deployment, managed container networking, autoscaling, and a managed master node with guaranteed uptime and automated Kubernetes upgrades.
Here is the fifth video in our demo series on the StackRox platform. In this demo, see how you can manage policies for your highly distributed and/or container environments. You can use our preloaded policies, or create new policies, helping you use StackRox to automatically detect attacks and build better security hygiene into your infrastructure in development and production.
The Red Hat OpenShift platform is enabling enterprise organizations to use container technologies such as Docker and Kubernetes to build, deploy, and run applications with unprecedented agility, scale, and speed. In this blog post, I’ll walk through how we’ve integrated StackRox with OpenShift to help our joint customers ensure comprehensive security across their container lifecycle. You can also visit the OpenShift Commons to view a recording of my briefing on this topic from last week, which goes into more details, and provides a live demo of StackRox running with OpenShift.
Here is the third video in our demo series, focusing on search and asset discovery. Watch the video below to learn about StackRox search and enumeration capabilities. See how we leverage data optimization and machine learning to translate millions of signals into queryable infrastructure data for your security analysts.
In this new blog post by Crate.io, read about how they are using StackRox to secure CrateDB Clusters on Docker. StackRox complements the authentication, access controls, and encryption added in Crate 2.0 Enterprise Edition with comprehensive threat coverage for well-known attack vectors on containerized database applications. The post discusses why security is important for a database like CrateDB, and how to use StackRox to protect your data – walking you through the deployment process.