There still exists a kind of chasm in the broader software community between the people who are building new application containers today, and the people sandwiched in the middle of the phrase “DevSecOps” whose job is to keep the risk managers at bay. At issue is the very definition of security in a distributed, microservices-driven environment. Infosec professionals demand that containers, wherever they are, be secured. Developers say, that’s not the point: Containers are not virtual machines, and are designed to be ephemeral.
Never mind that, respond the infosec people. We have compliance mandates to maintain, and if it doesn’t look like those containers are being secured, then from the risk people’s perspective, we may as well have posted all our passwords on 4chan.
To get a clearer picture of how the newest entrants in the container space are addressing the problem of keeping up both security and the appearance of security, we spoke with John Morello, CEO of security platform maker Twistlock, Liz Rice, an engineer at security integration firm Aqua Security, and Amir Sharif, founder of cloud-native security provider Aporeto. We met these folks at the most recent DockerCon event, for this edition of The New Stack Makers.
6:53: How Twistlock uses machine learning in containerised applications.
8:42: Security policy implementation and Twistlock’s model rules.
20:18: Discussing container security exploits from Rice’s talk on namespaces and cgroups.
26:52: Exploring DevSecOps in the enterprise.
32:56: Aporeto co-founder Amir Sharif on container security in development.
37:08: The benefits of automating application security.