Sophos has added vulnerability scanning for application containers to its Cloud Optix security solution.
The new feature, available now at no extra cost to new and existing users, helps close an increasingly critical gap in online application security, according to Richard Beckett, public cloud security product marketing manager at Sophos.
“We’re seeing a rise in the development of new applications among SMBs in particular using containers,” he says. “This was just a component of the story we really needed to add.”
Cloud Optix, which debuted in 2019, already included containers within the inventory of cloud-based assets it generates automatically. The new functionality announced today allows the system to check container images for operating system vulnerabilities as well. If it finds a potential issue, the solution issues an alert and directs users to further information about the vulnerability and instructions for patching it.
Technicians and security professionals can then forward that information to application developers, and create an audit trail of mitigation efforts, via the Cloud Optix product’s integration with Jira, ServiceNow, Slack, and Microsoft Teams.
The new feature integrates with popular open source container image repositories, including Amazon Elastic Container Registry, Microsoft Azure Container Registry, and Docker Hub, as well as “infrastructure-as-code” (IaC) environments like Bitbucket and GitHub.
The latest enhancement to Cloud Optix, which follows the addition of cloud cost management functionality to the system last October, arrives at a time of accelerating workload migration into the cloud in response to the coronavirus pandemic and the rise of work-from-home computing.
“We’ve actually seen a 3x increase in new server deployments into cloud environments,” Beckett says.
Businesses are rapidly containerizing both legacy applications and new, cloud-native applications in conjunction with that trend. Some 55% of organizations were actively using containers and another 18% were in the discovery stage as of last year, according to 451 Research, which previously reported that 95% of new applications were containerized as of 2019.
The DevOps teams responsible for all that container deployment frequently utilize open source images in online registries as a head start on new projects, even though those files often include vulnerabilities.
“Those container images aren’t maybe vetted as much as the private ones,” Beckett notes.
In fact, 51% of images on the Docker Hub registry scanned by security vendor Prevasio last year had critical vulnerabilities. Software supply chain management vendor Sonatype, meanwhile, estimates that 11% of open source components of all types used in applications include known vulnerabilities.
Container vulnerability scanning is one of several Cloud Optix features designed to mitigate such threats. The system scans IaC templates as well, for example, and can help organizations exert greater oversight over access privileges.
“We’re seeing a lot more stories around identity access management roles being overprivileged and being exploited in attacks,” Beckett notes. Cloud Optix offers guidance on managing access rights for users, groups, and cloud service roles more safely.
That feature, like the container and IaC scanning functionality, is designed to blend in with DevOps workflows without slowing them down. “A lot of these tools are about embedding security pretty seamlessly into that development process,” Beckett says.
Further upgrades on the Cloud Optix roadmap for 2021 revolve chiefly around workload protection functionality aimed at enabling organizations to migrate security capabilities from on-premises to online environments alongside their software, and deeper integration with Sophos’s Managed Threat Response service.
Sophos calls Cloud Optix a “cloud security posture management” tool. The system is designed to provide visibility into all of a company’s cloud assets, identify insecure configurations among those assets, and optimize spending on those assets.