Achieving Accurate Vulnerability and Compliance Scanning for OpenShift Images and Containers

This is a guest post written by NeuVector's Glen Kosaka

NeuVector partners with Red Hat to ensure accurate, consistent image vulnerability and compliance scanning results from build to ship to run.

NeuVector has always integrated container security into the pipeline all the way to production, and recently has enhanced its capabilities to protect Red Hat and OpenShift based deployments. Two recent announcements demonstrate this:

1. Red Hat Vulnerability Scanner certification. The new certification recognizes NeuVector as a trusted Red Hat security partner ready to deliver more consistent container vulnerability scanning for Red Hat-published images and related packages. NeuVector assisted in shaping the certification throughout its pilot phase and is ready to provide immediate vulnerability scanning support to Red Hat customers at program launch:
   "As a Red Hat certified security partner, NeuVector enables enterprises to precisely assess vulnerability risks across Red Hat products and packages”
2. Implementation of Draft OpenShift ‘Inspired by CIS’ Benchmarks. NeuVector has released the beta implementation of the benchmarks developed by the OpenShift team which have been submitted to the CIS.org organization for official adoption. By enabling OpenShift customers to access and run these important configuration and security checks, NeuVector is providing early visibility into compliance auditing for OpenShift deployments.

These add to other enhanced Red Hat and OpenShift security features in NeuVector, such as:

• Support for ImageStreams on-demand scanning for OpenShift registries
• Integration with the OpenShift Admission Controller to prevent unauthorized and vulnerable image deployments into production
• Integration with OpenShift RBACs to enable OpenShift users with similar access controls in NeuVector
• Certified NeuVector Operator in the Red Hat Marketplace
• Support for the OpenShift default run-time CRI-O
• Support of Custom Resource Definitions in OpenShift to define Security Policy as Code for NeuVector run-time protections including network firewall, process and file access rules.

Together these new and existing capabilities enable the NeuVector container security platform to provide:

• End-to-end Vulnerability and Compliance management
• Security automation in the pipeline and into production.
• Protection against zero-day attacks, vulnerability exploits, malware, and other network threats through a run-time security solution powered by a Layer7 container firewall.

It Starts With Accurate Vulnerability Scanning

The Red Hat Vulnerability Scanner Certification brings standardization to vulnerability risk reporting for customers. Enterprises have faced challenging uncertainty in this area as they scale up cloud native initiatives; security reporting based on varying data sources can lead to unreliable and inconsistent vulnerability risk assessments. With the launch of this partner certification offering, Red Hat customers using the security solutions of certified partners like NeuVector now can access vulnerability risk reporting that is accurate and standardized with Red Hat’s own published security data.

To verify product and package vulnerabilities with standardization, NeuVector consumes the publicly available Red Hat OVAL v2 security data feed. This feed streams data on common vulnerabilities and exposures (CVEs), and includes frequent updates to incorporate customer and partner feedback. NeuVector ingests this data feed within its own platform to optimize the integrity and accuracy of assessments. NeuVector is also able to display the Red Hat severity rating of specific CVEs, and provide mission-critical container security insights for addressing both patched and unpatched vulnerabilities.

In the screen shot below, vulnerabilities discovered which are fixed by Red Hat are shown as their RHSA identifiers to indicate this are fixable vulnerabilities in the scanned image:

Vulnerabilities for which a fix is not available are shown with their traditional CVE number identifiers, as shown below:

“As a certified Red Hat Vulnerability Scanner partner, we’re able to offer organizations valuable visibility into both patched and unpatched Red Hat vulnerabilities, and do so with the same accuracy and transparency available from Red Hat itself,” said Gary Duan, Chief Technology Officer at NeuVector. “We look forward to ensuring that our customers using Red Hat products have the most complete capabilities available today when it comes to recognizing and mitigating security issues threatening their cloud native environments.”

In addition to consuming the OVAL v2 security data feed, NeuVector supports other CVE data sources and regularly monitors applications and languages (such as java, nodejs, python, ruby) for vulnerabilities. 

Adding Compliance and Components to Scans

In addition to scanning for vulnerabilities, NeuVector scans images for compliance violations and reports the components list discovered in the image. This is useful for identifying compliance violations for the various CIS benchmarks tests, as well as discovering risky practices in images such as embedded secrets and open file access permissions:

The module inventory and vulnerability risk by module is shown as below:

Putting It Together – Security from the Pipeline to Production

By building security into the pipeline and scanning images during build and in registries, vulnerable or non-compliant images can be prevented from being deployed into production. The screen shot below shows admission control rules which can be created to block deployments based on scan results:

Once in production, continuous vulnerability scanning and CIS benchmarks are run, including the draft OpenShift benchmarks, as seen below indicated by OpenShift-4.5-Beta:

As the final, and most important security protection, running container workloads are inspected in real-time to determine if network attacks, segmentation violations, DLP violations, or suspicious processes/file activity are occurring. These can be blocked in real-time before the attack is able to penetrate or expand across the infrastructure:

Securing images, containers, workloads and orchestrators (like OpenShift) requires end-to-end security which can be integrated into key points in the pipeline. The integration is critical to be able to automate security configurations and keep them updated as new applications enter the pipeline and move into production.