CVE Vulnerability Scanning for Containers
At McAfee, our job is to help secure the workloads and data that our customers rely on to power their business. This release of MVISION Cloud for Containers is about taking all the best practices around how these systems should be designed and giving customers a strong security foundation even in workloads as dynamic as containers. Read more about our Container Security solution here and here.
One question that I have heard time and again during my conversations with customers who have been using our Container Security solution is – Do I need to scan my containers like I scan my servers? – The answer is …kinda.
There’s a word we use to describe most architectures based on containerized workloads; immutable. Immutable is a fancy word for static, unchanging. If containers are supposed to be immutable, and if they don’t change, how can malicious or exploitable code end up in containers? It’s not as if a container is going to open an attachment from a suspicious email.
Just because containers are supposed to be static doesn’t mean we should assume that they are safe. We may not need to be focused initially on traditional malware scans like we do for operating system-based workloads, but we still need to keep weak or exploitable code out of our cloud. This is where CVE scanning comes in. CVE stands for Common Vulnerabilities and Exposures. As exploits are detected, CVEs are filed against the affected code. This lets us know what they exposure risk is, and if there’s any way to remediate or mitigate the issue.
Containers are often built on many different components. A large majority are open source, but the key fact is that developers are able to reuse existing code quite often, and don’t need to literally code every line of a containerized application. Many of these apps are made up of a majority of open source, or commercial off the shelf code that is not compiled by the final application developer. The primary way for us to be notified of any weakness in this pre-packaged code is the CVE database.
In a risk reduction strategy, we want to promote defense in depth strategies that prevent exploitable code from being deployed and warn us when new weaknesses are detected. This is where the new CVE scanning capability of MVISION Cloud helps out. We will enable the ability to scan code in the DevOps pipeline as it’s being built to prevent code with known weaknesses from unknowingly being deployed in production. We also recognize that new exploits are constantly being discovered so we can also provide the ability to periodically re-scan popular container registries to inspect the already produced containers to see if there are any new vulnerabilities detected for any critical pieces of our containerized workloads. While this might not be the traditional hijacking via viruses, worms, or trojans, it is becoming a more popular attack point as cloud native architecture become more common. Given the API nature of the cloud, and the fact that this doesn’t require tricking a human into making a bad decision, we need to be vigilant on scanning for weaknesses of this nature to prevent cloud native attacks (for more info on cloud native breaches click here… Hyperlink to cloud native breaches materials).
McAfee is a leader in protecting workloads in the cloud, but also on-prem. What happens if I’m using containers in my traditional on-prem or hybrid datacenter? McAfee will also be adding updates to our ENS for Linux servers to add this additional protection for containers detected on self-managed Linux systems. ENS customers will soon be able to detect containers running on their servers and have the ENS agent automatically integrate with MVISION Cloud to provide the CVE scanning capability for any containers detected on managed Linux systems. ENS will be able to also report on weak or exploitable code sitting or running on your self-managed Linux systems.
More and more workloads are moving to cloud native architectures, and more companies are moving to cloud or hybrid workload strategies. McAfee will continue to provide defense in depth and help ensure all our customers have the freedom of choice to deploy their workloads the way they want. We will help to ensure that workloads are secure now and moving forward.
To see our container security features in action, as well as the rest of the coverage we provide for data and workloads in the public cloud, request a demo here!