SAN FRANCISCO -- Container security platforms have begun to proliferate, but enterprises may have to watch the DevSecOps trend play out before they settle on a tool to secure container workloads.
Two container security platforms released this month -- one by an up-and-coming startup and another by an established enterprise security vendor -- take different approaches. NeuVector, a startup that introduced an enterprise edition at DevOps Enterprise Summit 2017, supports code and container-scanning features that integrate into continuous integration and continuous delivery (CI/CD) pipelines, but its implementation requires no changes to developers' workflow.
By contrast, a product from the more established security software vendor CSPi, Aria Software Defined Security, allows developers to control the insertion of libraries into container and VM images that enforce security policies.
There's still significant overlap between these container security platforms. NeuVector has CSPi's enterprise customer base in its sights, with added support for noncontainer workloads and Lightweight Directory Access Protocol. Software-defined security includes network microsegmentation features for policy enforcement that are NeuVector's primary focus. And while developers inject software-defined security code into machine images, they aren't expected to become security experts. Enterprise IT security pros set the policies enforced by software-defined security, and a series of wizards guide developers through the integration process for software-defined security libraries.
Both vendors also agree on this: Modern IT infrastructures with DevOps pipelines that deliver rapid application changes require a fundamentally different approach to security than traditional vulnerability detection and patching techniques.
There's definitely a need for new security techniques for containers that rely less on layers of VM infrastructure to enforce network boundaries, which can negate some of the gains to be had from containerization, said Jay Lyman, analyst with 451 Research.
However, even amid lots of talk about the need to "shift left" and get developers involved with IT security practices, bringing developers and security staff together at most organizations is still much easier said than done, Lyman said.
Container security platforms encounter DevSecOps growing pains
As NeuVector and CSPi product updates hit the market, enterprise IT pros at the DevOps Enterprise Summit (DOES) here this week said few enterprises use containers at this point, and the container security discussion is even further off their radar. By the time containers are widely used, DevSecOps may be more mature, which could favor CSPi's more hands-on developer strategy. But for now, developers and IT security remain sharply divided.
Jay Lymananalyst, 451 Research
"Everyone needs to be security-conscious, but to demand developers learn security and integrate it into their own workflow, I don't see how that happens," said Joan Qafoku, a risk consulting associate at KPMG LLP in Seattle who works with an IT team at a large enterprise client also based in Seattle. That client, which Qafoku did not name, gives developers a security-focused questionnaire, but security integration into their process goes no further than that.
NeuVector's ability to integrate into the CI/CD pipeline without changes to application code or the developer workflow was a selling point for Tobias Gurtzick, security architect for Arvato, an international outsourcing services company based in Gütersloh, Germany.
Still, this integration wasn't perfect in earlier iterations of NeuVector's product, Gurtzick said in an interview before DOES. Gurtzick's team polled an API every two minutes to trigger container and code scans with previous versions. NeuVector's 1.3 release includes a new webhooks notification feature that more elegantly triggers code scans as part of continuous integration testing, without the performance overhead of polling the API.
"That's the most important feature of the new version," Gurtzick said. He also pointed to added support for detailed network session snapshots that can be used in forensic analysis. Software-defined security offers a similar feature with its first release.
While early adopters of container security platforms, such as Gurtzick, have settled the debate about how developers and IT security should bake security into applications, the overall market has been slower to take shape as enterprises hash out that collaboration, Lyman said.
"Earlier injection of security into the development process is better, but that still usually falls to IT ops and security [staff]," Lyman said. "Part of the DevOps challenge is aligning those responsibilities with application development. Eventually, we'll see more developer involvement in security, but it will take time and probably be pretty painful."
IBM improves Linux container security to modernize its mainframe
Pick up some basic tasks to improve security in DevOps
DevSecOps is a vital culture shift for the good of applications