Twistlock have announced the general availability of their Container Security Suite, along with a partnership with Google Cloud Platform that integrates Twistlock into Google Container Engine (GKE). The suite consists of a console to define policy, a registry scanner and a ‘Defender’ that runs as a privileged container on each host. The suite connects to Twistlock’s cloud-based ‘Intelligence Service’ to get real-time vulnerability and threat intelligence.
The problem of security vulnerabilities in Docker images was highlighted a few months ago by BanyanOps, who scanned Docker Hub and found that a large number of official and user-generated images contained known vulnerabilities. Image scanning is part of the Twistlock suite and can be integrated with an image registry. Cloud-based threat and vulnerability feeds are used to ensure that the system can identify recently discovered issues. The Twistlock solution doesn’t just identify known bad software and libraries; it can also be used to enforce a policy around base image usage. According to Twistlock’s CEO Ben Bernstein, scanning inside statically linked binaries (which has become part of a popular deployment pattern with Golang) and enforcement of policies around secrets/key management are coming soon.
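To make the two scanning functions described above concrete, here is an added example (not Twistlock’s code, and not its data) of the core check a registry scanner performs: match the packages found in an image against a vulnerability feed, and apply an allowed-base-image policy. The image manifest, the feed entries and their identifiers are all constructed for the example; the version comparison is a simplified dotted-numeric comparator, not a full distribution package-version parser.

```python
"""Minimal image-scan check: known-vulnerable packages plus base-image policy.
Constructed example; the feed, package list and VULN-EXAMPLE ids are not real."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # placeholder identifier, not a real CVE number
    package: str    # package name as it appears in the image's package list
    fixed_in: str   # first version that is no longer affected
    severity: str


def parse_version(v: str) -> tuple:
    """Turn '1.0.1f'-style strings into comparable tuples.

    Simplified comparator: split on dots, compare the numeric prefix of each
    part first and any trailing letters second. Assumption: versions in the
    image manifest use this dotted form (no epochs or Debian revisions)."""
    parts = []
    for p in v.split("."):
        i = 0
        while i < len(p) and p[i].isdigit():
            i += 1
        parts.append((int(p[:i]) if i else 0, p[i:]))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """A package is affected when the installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def scan_image(image: dict, feed: list, allowed_bases: set) -> dict:
    """Return vulnerability findings and base-image policy violations for one image."""
    findings = [
        {"id": v.vuln_id, "package": name, "installed": ver,
         "fixed_in": v.fixed_in, "severity": v.severity}
        for name, ver in image["packages"].items()
        for v in feed
        if v.package == name and is_affected(ver, v.fixed_in)
    ]
    violations = []
    if image["base"] not in allowed_bases:
        violations.append(f"base image {image['base']} is not on the allowed list")
    return {"image": image["name"], "findings": findings,
            "violations": violations, "pass": not findings and not violations}


# Constructed vulnerability feed (stand-in for a cloud intelligence feed).
FEED = [
    Vuln("VULN-EXAMPLE-0001", "openssl", "1.0.1g", "high"),
    Vuln("VULN-EXAMPLE-0002", "bash", "4.3.30", "critical"),
]

# Constructed base-image policy: only these bases may be used.
ALLOWED_BASES = {"debian:8", "alpine:3.2"}

# Constructed package inventory for one image, as a registry scanner would extract it.
IMAGE = {
    "name": "shop/api:1.4",
    "base": "ubuntu:14.04",
    "packages": {"openssl": "1.0.1f", "bash": "4.3.30", "curl": "7.35.0"},
}

if __name__ == "__main__":
    report = scan_image(IMAGE, FEED, ALLOWED_BASES)
    for f in report["findings"]:
        print(f"{f['severity']:8} {f['id']} {f['package']} {f['installed']} (fixed in {f['fixed_in']})")
    for v in report["violations"]:
        print("policy:", v)
    print("pass:", report["pass"])
```

Running the block reports the `openssl` finding (1.0.1f is older than the fix version), no finding for `bash` (already at the fixed version) and a policy violation for the disallowed base image. Because the feed is consulted at scan time rather than at build time, an image that was clean when built will fail a later scan once a new feed entry covers one of its packages, which is the “discovered since image creation” case the article refers to.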
The suite is positioned to be complementary to Docker Content Trust (which was released as part of Docker 1.8). Content Trust takes care of authenticating the origin and freshness of an image, whilst Twistlock will identify vulnerabilities within an image, including any that were discovered since image creation. Twistlock have also partnered with Sonatype in order to help developers keep vulnerabilities out of the ‘left hand side’ of the image creation process.
Twistlock’s ‘Defender’ provides a runtime policy enforcement point. Policies can be built up from the Docker Security Benchmark, and are customisable in the Twistlock console. In order to monitor Docker hosts and Docker daemons, Defender is deployed as a privileged container; effectively an agent, but with a deployment mechanism that’s sympathetic to Docker usage patterns. The integration with GKE makes use of anti-affinity rules to ensure that a Defender container is run on each (virtual) host. The GKE integration also takes care of running a console for policy management and monitoring, and extends to the GKE Registry so that container images can be scanned. A Defender container is also run on the Kubernetes controller to get an overview of application deployment.
Policies aren’t limited to Security Benchmark items, and can also be used to define allowable mount points and mandate the creation and use of non-privileged users. The suite can also identify and mitigate runtime incidents; for example, a container attempting to connect to a known malicious IP address can have its network access disconnected.
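The runtime policy checks just described (allowed mount points, a mandatory non-privileged user, no privileged containers) and the incident response (a connection to a known malicious address triggers a network disconnect) can be illustrated with an added example that is not Twistlock’s code. It evaluates a policy against the `Config` and `HostConfig` sections of a Docker `inspect`-style record, whose shape is real, but the container record, the policy values and the blocked address (a TEST-NET-3 address) are constructed for the example. The disconnect is returned as a decision rather than executed, so the block runs offline.

```python
"""Host-side runtime policy checks over a Docker inspect-style record.
Constructed example: the policy, the container record and the blocked IP are not real."""
from __future__ import annotations
import os

# Constructed policy. Mount sources must live under one of these prefixes,
# the container must not be privileged, and it must declare a non-root user.
POLICY = {
    "allowed_mount_prefixes": ("/var/lib/app/", "/etc/app/"),
    "allow_privileged": False,
    "require_non_root_user": True,
    "blocked_ips": {"203.0.113.7"},   # constructed; 203.0.113.0/24 is reserved for documentation
}


def _mount_allowed(src: str, prefixes) -> bool:
    """True if the host path is exactly an allowed directory or lies beneath one."""
    src = os.path.normpath(src)
    return any(src == p.rstrip("/") or src.startswith(p) for p in prefixes)


def check_container(inspect: dict, policy: dict) -> list:
    """Return a list of policy violations for one container (empty means compliant)."""
    violations = []
    host_cfg = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}

    # Docker's HostConfig.Privileged: grants the container all capabilities and device access.
    if host_cfg.get("Privileged") and not policy["allow_privileged"]:
        violations.append("container is running privileged")

    # HostConfig.Binds entries look like 'host_path:container_path[:mode]'.
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if not _mount_allowed(src, policy["allowed_mount_prefixes"]):
            violations.append(f"host path {src} is not an allowed mount point")

    # Config.User is '' when the image never set USER, i.e. the process runs as root.
    user = (cfg.get("User") or "").split(":", 1)[0]
    if policy["require_non_root_user"] and user in ("", "root", "0"):
        violations.append("container runs as root; a non-privileged user is required")
    return violations


def respond_to_connections(container_id: str, destinations, policy: dict) -> list:
    """Runtime incident handling: decide, per observed destination, whether to cut network access.

    Returns (destination, action) pairs; only blocked destinations produce an action.
    A real enforcement point would then isolate the container, e.g. by detaching it
    from its networks; here the decision is returned so the example stays offline."""
    return [
        (dst, f"disconnect network for container {container_id}")
        for dst in destinations
        if dst in policy["blocked_ips"]
    ]


# Constructed inspect-style record for one running container.
SAMPLE_INSPECT = {
    "Id": "c0ffee0123456789",            # constructed id
    "Config": {"Image": "shop/api:1.4", "User": ""},
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/var/lib/app/data:/data", "/var/run/docker.sock:/var/run/docker.sock"],
    },
}

# Constructed outbound destinations observed for that container.
SAMPLE_CONNECTIONS = ["198.51.100.20", "203.0.113.7"]

if __name__ == "__main__":
    for v in check_container(SAMPLE_INSPECT, POLICY):
        print("violation:", v)
    for dst, action in respond_to_connections(SAMPLE_INSPECT["Id"], SAMPLE_CONNECTIONS, POLICY):
        print(f"incident: connection to {dst} -> {action}")
```

With the sample record the check flags two things: the bind mount of the Docker socket falls outside the allowed mount prefixes, and the empty `User` field means the process runs as root. The connection to the blocked address produces a single disconnect decision, while the other destination is ignored; in a deployment like the one described, the benchmark-derived checks would run against every container on the host and the connection check against the host’s observed network activity.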
The suite has been in beta since May 2015, with 15 customers taking part. Wix, HolidayCheck and AppsFlyer are named amongst the beta participants.