7 min Security

Qualys QSC: Sealing the lid on container security

Qualys QSC: Sealing the lid on container security

Cloud computing security and compliance specialist Qualys held the main Americas leg of its annual multiple-location global user, partner and practitioner conference in San Diego this month. Before providing a selection of deep dive sessions on container security, the company tabled its core news announcement – the formal introduction of its real-time Risk Operations Center (ROC) with Enterprise TruRisk Management (ETM). Arriving in the company’s 25th year of operations, CEO and president Sumedh Thakar and team were suitably upbeat.

Qualys TruRisk is designed for risk-based vulnerability management to quantify and track an organisation’s cyber risk and wider ‘outlook’ (both Qualys data and non-Qualys security risk data are dovetailed here) for operational robustness. 

Disconnected dashboards

Aiming to counter data silos, security silos and the systems operations silos that may result in vulnerabilities taking hold, the company says it is on a mission to counter the growing spread of so-called ‘disconnected dashboards’ with chief information security officers (CISOs) looking at too many report interfaces and becoming overwhelmed. 

“To overcome these challenges, businesses need an integrated approach that combines heterogeneous risk factors from various asset management tools and disparate cybersecurity solutions into a single platform with remediation and mitigation capabilities to reduce risk quickly. That is why Qualys is launching the world’s first ROC with Enterprise TruRisk Management designed to unify asset inventory and risk factors, apply threat intelligence, business context, risk prioritization and orchestrate remediation, compliance and reporting through a single interface,” detailed the company, in a technical product statement.

Michelle Abraham, research director at IDC thinks that this new service could be key for organisations who need to unify risk scoring and simplify prioritisation and reporting for vulnerabilities.

“Qualys’ approach with the Risk Operations Center delivers this [unified scoring and prioritisation] ideal in a cohesive way. With the ability to analyse all risk factors at a glance – such as exploitability, unique organizational context, threat intelligence and financial impact,” said Abraham.

Containing containers

Key among the attack surfaces Qualys will direct its Risk Operations Center technology is the still-burgeoning area of containers. 

Hosting dedicated press and analyst sessions to discuss container security at Qualys QSC Americas this year was Kunal Modasiya, the company’s VP for product and growth. Because containers have of course grown hugely in popularity with developers, enterprise organisations have found themselves moving extremely rapidly into new architectural constructs where new services are being created using microservices toolsets that get pushed hard to deliver in terms of both functionality and scalability. 

“The challenge here is that for a long time, you had developers and security teams still working with an old-fashioned mindset for security that was based more on the waterfall design approach, where you have monolithic applications… and where you knew what you wanted to deliver at the beginning, where you built your security to align with those goals and then you could provide that over time to keep things secure. I use the analogy that this is like the family home – you know everything that you need, you go out and get it and then you are going to stay in one place. When you have your house, you know what security you need and you put it in place. That world has changed,” said Modasiya.

The change has happened because we don’t all now live in family homes, many us live in apartments and condominiums where a number of resources (front doors, common areas, lighting, water and other utilities) start to be increasingly shared. In this case, we know we are sharing resources with others, but things are still fairly settled.

Start up the RV, let’s go

“Containers are not like that old stable home now, they know they will be more agile, like when you have a recreational vehicle (RV) and you don’t know what your final destination might be. You know some of what you will have, you know you will add to that and you know that you want it to be secure but not everything that you will secure,” clarified Modasiya.

He says that, today, we really have to get security into the developer process. Developers write the code, they build the container images, then they do some security testing and then they put it in a production environment, after which they run the workload. This is how the world has evolved from monolithic, single-server applications to virtualised environments to today’s containerised environments. 

We’ve gone from the single-family home, to the multi-family apartment building and then to the RV, basically.

So how does he think container security different from other areas of risk, compliance and security – and, moreover, why is it harder for developers to work around some of these factors?

Moving beyond monolith

“The basic security challenges of doing the vulnerability management chores and then looking after policy, compliance and threat detection do not typically fit to containers,” said Modasiya. “As we have said. those processes were built for monolithic traditional environments and they were built by and for security teams. They are not designed for developers to adopt. This has led to developers and security teams to have a ‘frenemy’ (i.e. friends who are kind of enemies) relationship, where there is a level of tension between these two teams on who does what and who is responsible for each area. For example, is the development team responsible for making changes in the container for security as they are building it, or once it is built? Or instead, is that for the security operation team that is monitoring the runtime environment and the production workload? Are they responsible for this?”

Out in the real world of deployment, some organisations are moving their security left (earlier) and some are pushing it right i.e. outward within the software supply chain. But few companies are doing either religiously, so problems can creep in and cause issues later. Teams do the vulnerability scanning for those container images, they scan for the compliance check, they make sure that there are no vulnerabilities in it and if there are no vulnerabilities, it goes through and then becomes the running container.

Because developers are often targeted on how many builds they are progressing and where business agility and time to market appear to have surfaced, we can also see problems – something the new Qualys ROC will be aiming to address with its more holistic unified approach – so communication between teams will be essential. But says Modasiya, if we move containers fast and then we will do everything at the runtime, everything has to be caught in production once things are running, which can be problematic as well.

Let’s get holistic

“In practice, there is no one-size-fits-all all approach that works for everyone, from initial development design to runtime. It all depends on the organisation, on the different products that they are working on. I don’t think that there is a perfect world and so you have to cover the end-to-end chain and have a multi-layer defence in depth approach. starting from when the developer is writing the code. Every organisation is different and they are going to embrace different policies. Some teams are more geared towards the more preventive approach. Some are more towards the reactive and remediation side. It’s a lot of what Qualys ROC has come about now,” said Modasiya.

To solve these problems for developers and for security, it’s for sure that we have to look at prioritising work so that mission-critical applications get more risk management and work compared to your minor applications or websites that might need an update. 

Screenshot 2024-10-09 145505