Container security meets Kubernetes: What IT pros need to know

Docker brought containers into the enterprise; static scanning makes sure they are secure when the images are created. Who watches them when they run?

Docker made it possible to have an exact copy of the core elements of the operating system and the application code in a single, manageable file. BusyBox, the simplest production-ready Docker image, is only 2.1MB. That is small enough to check into version control and small enough to copy around on the network. It's small enough that every build can be security scanned.

That point-in-time scanning sounds impressive, but it isn't enough.

Production containers are live systems on a network, and that network is a cluster, most likely Kubernetes. Once they are running, any administrator can secure-shell into them and change the configuration or permissions. For that matter, Kubernetes lets every system talk to every other system by default. Auditors tend to care more about the security of the production systems than about some images in version control. That means hardening for HIPAA, PCI, SarBox, and other standards, along with producing the reports the auditors want to see.

As Homer Simpson once said, "Can't someone else do it?"

Rather than running as one more step on a build server, StackRox is a cloud-native security product. It runs inside Kubernetes, with enough privileges to inspect each node in the cluster. It can check the nodes for compliance, and also how Kubernetes itself is configured. Once the policies are in place, an administrator should not be able to log into a container and change it. StackRox can also monitor the interaction between containers and generate a YAML file of policy changes that limits pod-to-pod communication to what it should be. As Michelle McLean, head of community for StackRox, puts it, "Pull rich context from Kubernetes, then push policies into Kubernetes."

McLean sees this as a tool to bring security into DevOps. She explains: "We bridge security and DevOps. DevOps is trying to learn how to run and configure Kubernetes. Security understands compliance and auditing, but does not understand the infrastructure enough to get that information." Beyond that, the two groups don't even share a common language in which to ask the questions.

With web front ends and microservices exposed to the open internet, a cloud-native runtime auditor can tell if someone is running a port scan by examining the processes running in the container. Likewise, the tool can tell which processes are running as root.
