7 posts

Eager to Boost your Container Security? Don’t Miss this Webcast

DevOps teams can’t get enough of containers — and for good reason. Faster and more efficient application development and deployment, as well as increased application portability, are some container technology benefits, which in turn help drive digital transformation efforts.

Container-based applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment. That’s why containers have facilitated the popularity of microservices, a type of architecture in which applications are structured as independent, small, modular services.

However, containers create their own set of security and compliance issues. These challenges include the use of unvalidated software pulled from public repositories, which often contains unpatched vulnerabilities, and the deployment of containers with weak configurations. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they’re hard to track because they’re so ephemeral.

Hari Srinivasan, Director of Product Management for Qualys’ public cloud infrastructure platform integrations

This Thursday, Qualys will host a webcast, “Building Security into the 3 Phases of Container Deployment,” led by Hari Srinivasan, Director of Product Management, who’s our resident expert on container security.

In this webcast, Srinivasan will outline security use cases for containers at the build, registry, and runtime stages of DevOps pipelines. He will also explain the importance of having visibility into container assets and the need for container-native vulnerability analysis, and he will cover strategies to detect and address drifting runtimes.

Register for Thursday’s webcast, which begins at 10 am PT / 1 pm ET.

QSC18 Virtual Edition: Securing Containers – From Build to Deployments

DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.

“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.

“Containers are lightweight, efficient, portable, and they boot faster, making it highly efficient and easy for developers to deploy their applications,” he said during his presentation “Securing Containers — From Build to Deployments.”

Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.

With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.


DevSecOps: Practical Steps to Seamlessly Integrate Security into DevOps

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.


Securing the Hybrid Cloud: A Guide to Using Security Controls, Tools and Automation

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, an increasingly common decision among enterprises.

A less common step taken by this multinational bank and Qualys customer was incorporating the security team from day one. It recognized that the safety of the application was as critical for its success as its feature functionality.

In doing so, this bank tackled a challenge that organizations face as they move workloads to public cloud platforms: Protecting these new cloud workloads as effectively as their on-premises systems, but with processes and tools that are effective in both environments.

In a recent webcast, SANS Institute and Qualys experts addressed this issue in detail, offering insights and recommendations for security teams faced with protecting hybrid IT infrastructures’ assets on premises and in public clouds.

Cloud adoption triggers new security needs

In pursuit of digital transformation benefits, organizations are aggressively moving more workloads to public clouds, expanding from straightforward software-as-a-service (SaaS) applications to more involved platform- and infrastructure-as-a-service (PaaS and IaaS) deployments.

As this happens, InfoSec teams find that safeguarding these environments can be complex. “Security teams have rallied around the idea that this is something they need to live with,” Dave Shackleford, a SANS analyst and instructor, said during the webcast.


Securing your Cloud and Container DevOps Pipeline

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments.

Driving this growth in cloud computing adoption is its essential role in digital transformation initiatives, which help businesses be more efficient, effective, flexible and innovative in areas like e-business, supply chain management, customer support and employee collaboration.

Digital transformation projects are typically delivered using web and mobile apps created in DevOps pipelines, where developers and operations staff work collaboratively at every step of the software lifecycle, releasing apps or app updates frequently.

But security must be integrated throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — in an automated way, organically building it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

In a recent webcast, Hari Srinivasan, Qualys’ Director of Product Management for Cloud and Virtualization Security, explained how Qualys can help you secure your cloud and container deployments across your DevOps pipeline.


Cloud Security Improves, But Much Work Still Remains to Be Done

As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.

That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.

“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.


Implementing the CIS 20 Critical Security Controls: Delving into More Sophisticated Techniques

Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.

These three companies — a German pharmaceutical contract manufacturer, an IT services provider in Bangladesh and a large telecom in Belgium — all found the InfoSec clarity and guidance they needed in the Center for Internet Security’s Critical Security Controls (CSCs).

They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.
