Qualys Container Security
Transcript of the slide deck "Qualys Container Security"
Qualys Security Conference Dubai
Hari Srinivasan
Director Product Management, Qualys, Inc.
Qualys Container Security: Comprehensive Security for the ever-changing Container Stack
Everybody Loves Containers
29 April 2019, Qualys Security Conference 2019
• Portability
• Agility
• Density
What are Containers?
Provides a VM's resource isolation but is lighter-weight, efficient and portable.
[Diagram: virtual machines (Infrastructure / Host Operating System / Hypervisor, then per VM a Guest OS, Bins/Libs and App 1..3) compared with containers (Infrastructure / Host Operating System / Docker Engine, then per container Bins/Libs and App 1..3)]
Container Components & Lifecycle
Image (the slide's example Dockerfile, with its extraction typos corrected):

```dockerfile
# Apache image
FROM ubuntu:12.04
RUN apt-get update
RUN apt-get install -y apache2
ENV APACHE_RUN_USER www-data
```

[Diagram: Docker File → Image → Registry → Containers, running on the Docker Engine on a Host / Cloud VM]
Container Orchestration Tools
New age of DevOps tools specific to containers, enabling deployment and management of distributed containers at scale.
Provides:
a) Resource management for the complete cluster
b) Service-level management via active monitoring
Container Platforms
• On Premise
• Cloud
Container Deployments
Deployment Scenario #1
[Diagram layers: Infrastructure, Hypervisor, Host Operating System, Kernel; per VM: Guest OS, Container Engine, Container; use case: Application per container]
Deployment Scenario #2
[Diagram layers: Infrastructure, Hypervisor, Host Operating System, Kernel, Container Engine; per VM: Guest OS, Container Engine, Container; use case label]
Deployment Scenario #3
[Diagram layers: Infrastructure, Host Operating System, Kernel, Container Engine, Container (x3); use case: Container as a Service]
Container Visibility & Security Challenges
Container Lifecycle Challenges
Build (Container Images) → Ship (Container Registry) → Run (Container Instances), all on top of the Infrastructure
• What's in the images?
• Vulnerabilities?
• OSS license exposure?
• Solution disruptive to my CI pipeline?
• Registry scanning?
• Enforce compliance?
• Vulnerability, package and license-based rules?
• How to protect the host?
• Container engine configured correctly?
• Container orchestration configured correctly?
• Runtime app visibility?
• Runtime app protection?
• Scanning report integrated with bug tracking?
• Vulnerability impact notifications?
Qualys Container Security
Qualys Container Security Key Uses
• Visibility into your container projects
• Secure the CI/CD pipeline
• Identify threats and impact across environments
• Container Runtime Protection
Use Case #1: Visibility into your container projects
Inventory & security posture widgets
• Container Hosts
• Count of images, containers
• Containers by state
• Vulnerable images
Personalize and add custom widgets
Know where your Containers are?
• Inventory of all Container Hosts across your datacenters, public clouds, laptops, ...
• Know how host vulnerabilities and exploits affect your container environments
Know where your Containers are?
• Servers – Datacenter, Clouds, etc.: search with isDockerHost: "true" and provider: AWS/Azure/GCP
• Developer Mac laptops
Image Inventory and Smart Searches
Search based on all attributes:
• Image info
• Registry info
• Containers for this image
• Vulnerability posture
• Easy drill down for complete inventory
Preset quick search filters, e.g. identify images by application labels
Use Case #2: Secure the CI/CD pipeline
1. Download the Qualys Vulnerability Analysis plug-in for Jenkins and install it on the Jenkins master.
2. Install the Qualys Container Sensor on the Jenkins worker nodes.
3. Set up policies to Pass/Fail the build, e.g. no Sev.5 vulnerabilities, a specific QID, a vulnerability count, etc.
Plugins: REST APIs for any other integrations.
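The Pass/Fail policy in step 3 is, in practice, a small rule evaluation over the image scan result. The block below is an added example (not Qualys code, not the Jenkins plug-in's output); its report layout and field names (qid, severity, package) are an assumed, simplified stand-in for a scan result, and the sample findings are constructed. It implements the three rule kinds the slide names, no Sev.5 findings, a blocked QID, and a cap on the finding count, and exits non-zero so a CI stage fails when any rule trips.

```python
"""Build-gate check for a container image scan result, as a CI job would run it.

Added example (not Qualys code). The report layout and field names are an
assumed, simplified stand-in, not the Qualys Container Security API schema.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample scan result for one image (not real scan data).
SAMPLE_REPORT = {
    "image": "registry.example.internal/web/apache:1.4.2",
    "vulnerabilities": [
        {"qid": 100001, "severity": 5, "package": "openssl"},
        {"qid": 100002, "severity": 3, "package": "libxml2"},
        {"qid": 100003, "severity": 4, "package": "curl"},
    ],
}


@dataclass(frozen=True)
class GatePolicy:
    """What the build is allowed to ship with; each field is an independent rule."""
    max_severity: int = 4                       # any finding above this fails the build
    blocked_qids: FrozenSet[int] = frozenset()  # these QIDs fail the build regardless of severity
    max_findings: Optional[int] = None          # fail if more findings than this (None = no cap)


def evaluate(report: dict, policy: GatePolicy) -> List[str]:
    """Return every policy violation found; an empty list means the gate passes."""
    violations = []
    findings = report.get("vulnerabilities", [])
    for v in findings:
        if v["severity"] > policy.max_severity:
            violations.append(
                f"QID {v['qid']} ({v['package']}) is severity {v['severity']}, "
                f"above the allowed {policy.max_severity}"
            )
        if v["qid"] in policy.blocked_qids:
            violations.append(f"QID {v['qid']} ({v['package']}) is on the blocked list")
    if policy.max_findings is not None and len(findings) > policy.max_findings:
        violations.append(
            f"{len(findings)} findings exceed the cap of {policy.max_findings}"
        )
    return violations


def gate(report: dict, policy: GatePolicy) -> bool:
    """True when the image may proceed through the pipeline."""
    return not evaluate(report, policy)


if __name__ == "__main__":
    import sys
    # Example policy: no Sev.5, and QID 100003 (constructed) is explicitly blocked.
    policy = GatePolicy(max_severity=4, blocked_qids=frozenset({100003}))
    problems = evaluate(SAMPLE_REPORT, policy)
    for p in problems:
        print("FAIL:", p)
    print("PASS" if not problems else f"image {SAMPLE_REPORT['image']} blocked")
    sys.exit(1 if problems else 0)  # a non-zero exit fails the CI stage
```

Each rule is reported separately rather than stopping at the first hit, so the build log shows everything a developer must fix before re-running the pipeline; the exit code is what the CI system actually gates on.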
Actionable Vulnerability Information
Use Case #3: Detect Threats and Impact
Identify the threat from a vulnerable image
• Know the threat – Vulnerability summary
• Identify the impact – Summary of the containers running this image in the environment
Know other images and containers impacted by the vulnerability
View list based on same vulnerabilities
Use Case #4: Runtime Drifts & Protection
Detect containers breaking off from "immutable" behavior and Block/Kill/Quarantine them.
Identify potential breaches in containers
"Rogue" containers differ from their parent images by vulnerability, software package composition, behavior, etc.
Drill down to the details, identify activity in the containers
Containers breaking off from the "immutable" behavior
Qualys+LI Q3 2019
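The "rogue container" idea in Use Case #4 comes down to comparing what is running against the image it was started from. The block below is an added example (not Qualys code): the package inventories, QIDs and ids are constructed, and reducing drift to package-version and vulnerability differences is an assumed simplification of the signals the slides list (behavioral drift is not modelled here). It flags a container as rogue when anything was added, removed or changed relative to its parent image, and maps that verdict to an alert-only or quarantine response depending on whether enforcement is on.

```python
"""Runtime drift check: does a running container still match its parent image?

Added example (not Qualys code). Inventories are constructed; the comparison
keys (package versions and QIDs) are an assumed, simplified model of drift.
"""
from typing import Dict, Set

# Constructed inventories: package name -> version, plus the QIDs detected there.
PARENT_IMAGE = {
    "id": "sha256:PLACEHOLDER_IMAGE_DIGEST",  # placeholder, not a real digest
    "packages": {"apache2": "2.4.41-4", "openssl": "1.1.1f-1", "libxml2": "2.9.10-5"},
    "qids": {100001, 100002},
}
RUNNING_CONTAINER = {
    "id": "PLACEHOLDER_CONTAINER_ID",  # placeholder, not a real container id
    "image": PARENT_IMAGE["id"],
    # After start-up openssl was downgraded and an extra package was installed,
    # which is exactly the kind of change an "immutable" container should never show.
    "packages": {"apache2": "2.4.41-4", "openssl": "1.1.1d-0", "libxml2": "2.9.10-5",
                 "curl": "7.68.0-1"},
    "qids": {100001, 100002, 100004},
}


def package_drift(image_pkgs: Dict[str, str], container_pkgs: Dict[str, str]) -> Dict[str, dict]:
    """Packages added, removed, or changed in version relative to the image."""
    added = {n: v for n, v in container_pkgs.items() if n not in image_pkgs}
    removed = {n: v for n, v in image_pkgs.items() if n not in container_pkgs}
    changed = {n: (image_pkgs[n], container_pkgs[n])
               for n in image_pkgs.keys() & container_pkgs.keys()
               if image_pkgs[n] != container_pkgs[n]}
    return {"added": added, "removed": removed, "changed": changed}


def vuln_drift(image_qids: Set[int], container_qids: Set[int]) -> Set[int]:
    """QIDs present in the container that the image scan did not have."""
    return set(container_qids) - set(image_qids)


def drift_report(image: dict, container: dict) -> dict:
    """Compare a container with its parent image and decide whether it is rogue."""
    pkgs = package_drift(image["packages"], container["packages"])
    new_qids = vuln_drift(image["qids"], container["qids"])
    rogue = bool(pkgs["added"] or pkgs["removed"] or pkgs["changed"] or new_qids)
    return {"container": container["id"], "image": image["id"], "packages": pkgs,
            "new_qids": sorted(new_qids), "rogue": rogue}


def response_for(report: dict, enforce: bool) -> str:
    """Map the verdict to an action: 'none', 'alert' (monitor-only) or 'quarantine' (enforce)."""
    if not report["rogue"]:
        return "none"
    return "quarantine" if enforce else "alert"


if __name__ == "__main__":
    report = drift_report(PARENT_IMAGE, RUNNING_CONTAINER)
    print(report)
    print("action:", response_for(report, enforce=False))
```

Running in monitor-only mode first (alert, not quarantine) is the usual way to tune such a check: legitimate drift such as a log-rotation package update shows up as alerts, the baseline or the allow-list is adjusted, and only then is enforcement turned on.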
Qualys Container Security
Build (Container Images) → Ship (Container Registry) → Run (Container Instances), all on top of the Infrastructure
• Software Composition
• Vulnerability Analysis
• OSS License Analysis
• Integration with CI Pipelines
• Registry Scanning
• Compliance Controls
• Vulnerability, Package and License-based Rules
• Host Protection
• Container Engine Benchmarking
• Container Orchestration Benchmarking
• Deep Runtime Visibility
• Runtime Protection
• Bug Tracking Integration
• Real-time Vulnerability Impact Notifications
Qualys Container Security
• Host Protection, CIS Benchmarks: protection for the container infrastructure stack
• Scanning & Compliance: accurate insight and control of container images
• Visibility & Protection: automated analysis and enforcement of container behavior
Qualys ‘Container Security’ Sensor Options
Sensors for every use case
• Sensor types: Build, Registry, Host, Runtime
• Covering the pre-deployment phase and the post-deployment phase