
NeuVector Expands Container Vulnerability Scanning to Developers

19 Apr 2021 3:00am, by

When NeuVector first launched in 2017, it focused primarily on runtime vulnerability scanning and threat detection, but over the years it has expanded its focus, shifting “left” to developers, explained NeuVector vice president of product management Glen Kosaka.

“Over the years, you could think of us as shifting left, because we found out that many of our customers were not ready for production or runtime security. They were still developing their images and they wanted to scan images, and they wanted compliance and vulnerability scanning in the pipeline,” said Kosaka in an interview. “So over the past couple years, we’ve really built out all of the kind of pipeline vulnerability, compliance management, the ability to scan early in the build pipeline with Jenkins plugins, and things like that.”

With that shift, NeuVector increased its focus on the development end of the software lifecycle, and this release reflects that as well. With the new features, NeuVector shows its users the riskiest modules and libraries in their software, the corresponding common vulnerabilities and exposures (CVEs), and whether each has been patched or a patch is available.

NeuVector also calculates a Security Risk Score for each Kubernetes cluster, wherever it is deployed, and displays all of the scores in a single location. From there, users can both recognize and remediate issues. The company says the new features also surface additional information, such as the number of active nodes, pods, containers, and workloads, including the containers deployed by the NeuVector security platform itself.

Unlike many other security platforms, NeuVector deploys as a container on a user’s Kubernetes cluster (or Docker deployment) rather than as a host agent, the approach commonly taken by other companies. Kosaka says this has two main benefits: first, customers keep their cloud native workflow, deploying NeuVector the same way as any other part of their cloud native application; second, updates to NeuVector become part of that same workflow.

“Agents, especially network agents, have a bad reputation of being dependent upon kernels and having conflicts with kernel drivers when you update your OS, and then all of a sudden, all kinds of bad stuff happens. So the fact that we are just a container running on top of Kubernetes kind of gives them comfort that there’s not all this special stuff that we’re going to run into when we upgrade to a new version,” said Kosaka. “When you are deploying, integrating, updating, monitoring your security solution, it shouldn’t be outside of the same process as you’re using to do the same thing for your applications. The same workflow that your team uses to deploy applications and update them and monitor them, you can use the same steps and processes to update and monitor the NeuVector containers as well.”

NeuVector also uses a container to update its CVE database, which Kosaka says happens as often as daily, and NeuVector itself runs entirely on your cluster, so it can be completely air-gapped if necessary. With the features announced this week, vulnerability scanning against these CVEs covers all modules, and NeuVector also provides compliance reporting for applications against standards such as PCI DSS, GDPR, HIPAA, and NIST.

Another feature that Kosaka says differentiates NeuVector from competitors is the company’s focus on automation.

“We really have been on the forefront of automating security policy as code, where you can express all the firewall rules and process rules, all the security allowed behavior of an application, when it gets into production, in Kubernetes YAML files,” said Kosaka. “Even the developer, if they’re trained on it, can write those. You can build security into the pipeline and automate it just like you do any other deployment YAML of the application.”

Kosaka explained that in addition to the GUI, the company provides full access to its tools through a REST API, and that developers can completely automate deployment using Helm charts, ConfigMaps, and other tools such as Terraform.

“Once you’re in production, you can use the custom resource definition (CRD) YAML files of NeuVector to push these security policies out to every cluster and to manage and maintain them,” Kosaka explained.

Another benefit of this deployment model is that users can deploy NeuVector into a staging environment, where it learns the application’s behavior and creates network, process, and file rules for it; those rules can then be reviewed and modified before being exported to a YAML file and pushed into production.

Moving forward, Kosaka says NeuVector plans to continue its focus on enterprise use cases, extending its multicluster and multicloud support to handle user roles when different people access different deployments.

“How do you better support enterprise customers when they have different divisions and different people need different access? Or some clusters need this policy, some clusters need that policy?” said Kosaka. “It makes sense for us to also focus on inter-cluster networking as well.”
