As container adoption rates rise, it becomes more difficult to control, or even be aware of, the vulnerabilities introduced through reliance on open source dependencies. With this in mind, cloud native security company Snyk has launched Snyk Container, a container- and Kubernetes-focused security platform for finding and fixing vulnerabilities in third-party application dependencies across the whole software development lifecycle.
Snyk today also released a Helm plugin that allows developers to scan their own Helm charts for vulnerabilities. Their just-released Helm Security Report makes apparent the vulnerabilities in the public Helm Charts repository. Helm is a popular package manager for Kubernetes and can also be used to install third-party software like Jenkins, PostgreSQL and more. Watch The New Stack’s livestream interview with the report’s author Gareth Rushgrove, at 12:15 p.m. Pacific on Nov. 18, 2019 from KubeCon + CloudNativeCon in San Diego.
The company’s recent open-source security report highlights the need for container scanning services, in general. The research suggests that “containers often introduce hundreds of vulnerabilities from open source dependencies, and there is no native safeguard in place to find and fix them,” notes Guy Podjarny, president and co-founder of Snyk, in a statement. “By giving developers the tools they need to both build and run secure containers, including monitoring Kubernetes workloads for vulnerabilities, Snyk Container is helping customers to drastically reduce the risk of growing container infrastructures and scale security best practices.”
The research Podjarny referred to mentioned eye-opening findings, including that there was an 88% increase in application library vulnerabilities in two years and that each of the top ten most popular Docker images contains at least 30 vulnerabilities. The Helm Security Report further finds that 68% of stable Helm charts contain an image with a high severity vulnerability.
Container Products Can Streamline IT Work
One of the reasons container products have become so popular in a short time is that they target common issues faced by developers. For example, many applications only need to view users and groups, yet they get granted more access than that.
With a virtual identity server (VIS) or a container, an application-specific view is mapped and published, giving the application only the data it requires. However, it’s easy to see how many of the conveniences associated with container products could fade if IT professionals continually had to deal with container vulnerabilities. Snyk Container aims to make vulnerability management straightforward.
Snyk Container integrates directly with developer workflows and the existing tools an organization uses, such as source control platforms, Kubernetes, CI/CD workflows and container registries. Snyk Container enables regularly performing quick scans to find vulnerabilities related to operating systems or applications. It can also verify secure configurations for Kubernetes workloads.
Developers can also use policies to break builds under certain conditions when needed. When it finds a vulnerability, Snyk Container displays the originating Dockerfile line, so developers can prioritize the relevant lines for remediation.
People can also examine the vulnerabilities tree that Snyk Container creates to show direct and indirect dependencies. Having such information provides context about how each vulnerability got introduced.
Then, for each vulnerability identified, Snyk Container provides advice about how to fix it, such as upgrading to the most secure base image. A related feature that’s coming soon is an automated fix pull request: Snyk opens a pull request that switches the image to the recommended base image, offering quick, seamless results.
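To make concrete what a vulnerability tree and a build-breaking policy look like, here is an added example (not Snyk's code or output): it walks a constructed dependency graph for an image, reports for each vulnerable package whether it is a direct or indirect dependency and which direct dependency introduced it, and then applies a severity threshold. The package names, severities and threshold are all assumptions.

```python
# Added example (not Snyk's code or output): walks a constructed container
# dependency tree to say which direct dependency introduced each vulnerable
# package, then applies a build-breaking severity policy. All data is assumed.
from collections import deque

# Constructed graph: package -> packages it depends on. "image" is the root;
# its children are the direct dependencies, everything deeper is indirect.
DEPS = {
    "image": ["web-framework", "db-driver", "openssl"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["yaml-lib"],
    "db-driver": ["openssl"],
}
# Constructed findings: vulnerable package -> severity (no real advisories).
VULNS = {"yaml-lib": "high", "openssl": "medium", "http-parser": "low"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def introduction_path(graph, root, target):
    """Shortest dependency chain from root to target (BFS), or None."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for child in graph.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None


def explain_vulns(graph, root, vulns):
    """One record per reachable vulnerable package: severity, direct or
    indirect, the direct dependency that introduced it, and the chain."""
    report = []
    for pkg, sev in sorted(vulns.items()):
        path = introduction_path(graph, root, pkg)
        if path is None:
            continue  # listed but never pulled into this image
        report.append({"package": pkg, "severity": sev,
                       "direct": len(path) == 2, "introduced_by": path[1],
                       "path": " -> ".join(path[1:])})
    return report


def build_should_fail(report, threshold="high"):
    """Policy: break the build if any finding meets the threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[r["severity"]] >= limit for r in report)
```

Calling `explain_vulns(DEPS, "image", VULNS)` shows that the high-severity `yaml-lib` finding arrives two hops below the direct dependency `web-framework`, which is the line a developer would actually need to change.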
Monitoring for New Issues
Besides checking for current vulnerabilities and recommending how to fix them, Snyk Container has a monitoring component that notifies users of new vulnerabilities. Slack and email are the two channels for distributing those alerts, ensuring that IT professionals have up-to-date information and take prompt action.
Snyk has recently been in the headlines for its success in generating capital. The company secured a $7 million Series A round in November 2019. In September 2019, the company announced it had already raised a total of $70 million. It planned then to use the money to expand its business. The introduction of Snyk Container is an example of making that intention a reality.
Snyk Container gives users the insights and resources they need to know where vulnerabilities are and how to address them. These benefits help customers reduce the risks that are often present as container infrastructures grow. Companies can maintain best practices for security as they scale up.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.