It's no secret that container usage has increased rapidly in the last few years. As reported in our 2020 State of the Software Supply Chain Report, "Pulls of container images topped 8 billion for the month of January. This means annualized image pulls from the repository should top 96 billion this year. To keep pace with demand, suppliers pushed 2.2 million new images to DockerHub over the past year – up 55% since our last report." However, this popularity increases the likelihood that adversaries will look to containers as an attack vector to steal data, install ransomware, or perform crypto-mining attacks.
The solution to this problem, and the cornerstone of good security hygiene, is the ability to detect and mitigate vulnerabilities in all phases of the software development life cycle (SDLC), including build, registry, and production environments. With this in mind, we are excited to announce the availability of the NeuVector and Sonatype Lifecycle integration.
This integration brings together NeuVector's open source detection and mitigation capabilities at the container application, operating system, and runtime layers with Sonatype Lifecycle's robust policy enforcement engine at the application layer. DevOps teams can now use NeuVector to scan images in registries and containers running in production for vulnerabilities and manage those vulnerabilities in Sonatype Lifecycle, gaining a single view into full container security and governance. For Sonatype customers, this integration is also available in Sonatype Lifecycle Foundation.
Inside the integration
The NeuVector Sonatype Lifecycle integration is itself packaged as a container, configured from the command line with the connection details for Sonatype Lifecycle, the NeuVector controller, the webhook endpoint, and so on. Response Rules are then configured in NeuVector to send webhook alerts to the integration container whenever an image or running container is scanned.
NeuVector automatically matches the scanned image to an existing Sonatype Lifecycle application and submits the scan results to it, or creates a new application if no match is found. Once a software bill of materials (SBOM) has been generated with the list of components, their licenses, and their vulnerability information, those results are sent to Sonatype Lifecycle through its REST API, where users can automate policy enforcement and generate an Application Composition Report.
Both NeuVector scan results and Sonatype Lifecycle data are presented in the same familiar view so you can manage everything from vulnerabilities to policies in one platform.
This enables customers to apply all of their current Sonatype Lifecycle configurations to domains that are not native to the Sonatype Platform, allowing developers to write code securely without slowing the pipeline.
Because NeuVector also scans running containers in production, run-time scan results can also be displayed in Sonatype Lifecycle, alerting developers to potential risks that may exist in production. This may be the result of newly discovered and published vulnerabilities that did not exist when the image was first scanned during build or in the registry before deployment.
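The flow described in the two sections above, as an added illustration that is not NeuVector's or Sonatype's own code: a webhook alert for a scanned image is matched to an existing application record (or a new one is created), flattened into an SBOM-style report, and a later run-time scan is compared against the earlier registry scan to surface vulnerabilities published in between. The payload shapes, the image-to-application naming rule and the CVE ids are all assumptions or placeholders, not the real NeuVector or Sonatype formats.

```python
# Added example; record shapes are assumptions, not the real product formats.
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Component:
    name: str
    version: str
    license_name: str
    vulns: Set[str] = field(default_factory=set)

@dataclass
class ScanResult:
    image: str                 # image reference NeuVector scanned
    phase: str                 # "registry" (pre-deploy) or "runtime"
    components: List[Component]

def app_name_from_image(image: str) -> str:
    """Derive an application name from an image ref (assumed convention)."""
    return image.rsplit("/", 1)[-1].split(":", 1)[0]

def match_or_create_application(apps: Dict[str, dict], name: str) -> dict:
    """Return the matching application record, creating one if none exists."""
    return apps.setdefault(name, {"name": name, "reports": []})

def build_sbom(scan: ScanResult) -> dict:
    """Flatten a scan into the component/license/vulnerability list to submit."""
    return {"image": scan.image, "phase": scan.phase, "components": [
        {"name": c.name, "version": c.version, "license": c.license_name,
         "vulnerabilities": sorted(c.vulns)} for c in scan.components]}

def submit_scan(apps: Dict[str, dict], scan: ScanResult) -> dict:
    """Per webhook alert: match/create the application, attach the SBOM."""
    app = match_or_create_application(apps, app_name_from_image(scan.image))
    sbom = build_sbom(scan)
    app["reports"].append(sbom)
    return sbom

def new_runtime_vulns(build: ScanResult, runtime: ScanResult) -> Dict[str, Set[str]]:
    """Vulnerabilities seen at run time that the earlier scan did not report."""
    known = {(c.name, c.version): c.vulns for c in build.components}
    delta = {}
    for c in runtime.components:
        fresh = c.vulns - known.get((c.name, c.version), set())
        if fresh:
            delta[f"{c.name}@{c.version}"] = fresh
    return delta

# Constructed sample scans with placeholder CVE ids.
BUILD = ScanResult("registry.example/shop:1.2", "registry", [
    Component("openssl", "1.1.1", "OpenSSL", {"CVE-PLACEHOLDER-0001"}),
    Component("zlib", "1.2.11", "Zlib")])
RUNTIME = ScanResult("registry.example/shop:1.2", "runtime", [
    Component("openssl", "1.1.1", "OpenSSL",
              {"CVE-PLACEHOLDER-0001", "CVE-PLACEHOLDER-0002"}),
    Component("zlib", "1.2.11", "Zlib", {"CVE-PLACEHOLDER-0003"})])
```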
Vulnerability impact in production
DevOps teams can further assess risk by logging into their NeuVector console to assess the "impact" of vulnerabilities on running assets, including nodes (hosts) and containers. Any asset protected by NeuVector's run-time security rules is deemed "virtually patched," meaning that the risk of exploit is low because an attempt can be detected and blocked by NeuVector. Assets running without NeuVector protection are highlighted to indicate the exploit risk in production.
Full Lifecycle container security
The NeuVector container security platform provides end-to-end vulnerability and compliance scanning for containers, combined with unique run-time protection to detect and prevent malware execution, vulnerability exploits, ransomware, and crypto-mining attacks. All aspects of container security can be integrated and automated into the CI/CD pipeline, enabling DevOps teams to secure containers without slowing or stopping the pipeline. The unique Layer 7 container firewall enables NeuVector customers to prevent network attacks, inspect packets for sensitive data (DLP), and automatically segment east-west and ingress/egress network connections.
The combination of Sonatype Lifecycle and NeuVector enables customers to implement the defense-in-depth strategy needed to protect sensitive data and assets in production.