Veracode announced the enhancement of its Continuous Software Security
Platform to include container security. This early access program for
Veracode Container Security is now underway for existing customers. The
new Veracode Container Security offering, designed to meet the needs of
cloud-native software engineering teams, addresses vulnerability
scanning, secure configuration, and secrets management requirements for
container images.

Veracode Chief Product Officer, Brian Roche, said, "As developers embrace
cloud-native computing practices, containers have become increasingly
important for business efficiency. This launch helps close a substantial
gap in the market for developer-friendly solutions that cover critical
capabilities for container security. We are excited to bring this next
enhancement of our platform to the market and empower customers to
address security testing for more modern architectures and deployment
styles."

The Requirement for Container Security is Rapidly on the Rise

Containers are increasingly used to simplify software deployment and runtime
environment configuration management. They comprise small, fast,
portable units of software in which code is packaged so that an
application can be run quickly and reliably in different computing
environments, from the desktop to the cloud. They provide an ecosystem of
repositories, orchestration technologies, and capabilities that address
related issues, such as service-to-service communication and
configuration management. Instantiated in pipelines from code,
containers have the benefit of immutability, meaning they are not
updated, reconfigured or patched in production. Instead, the underlying
image is updated with new capabilities and redeployed, helping to
improve efficiency in the production environment.

Despite the benefits of containers, they are affected by many of the same
problems that traditionally plague physical production or virtual server
hardware, such as vulnerabilities introduced through additional
software, poorly managed secrets (like Amazon Web Services keys and
credentials in Dockerfiles), and security misconfigurations. This has
resulted in increased demand for products that address these issues and
related problems, with the Global Container Security Market size
expected to reach $3.9 billion by 2027*. Container security scanning
analyzes container images against organizational or industry-specific
standards to identify insecure processes, misconfigurations that could
lead to a vulnerability, and inadequate authentication and access
control.

Veracode Container Security Integrates into the Developer Environment

Many products already in the market are aimed at securing containers in
runtime and offer limited support for developers, posing a major
challenge for early remediation. Veracode's solution instead integrates
into the CI/CD (continuous integration and continuous delivery) pipeline
and is available at the command line interface. Providing coverage for
vulnerability detection and remediation, secrets management, and
security configuration issues on the most popular operating systems, it
delivers remediation advice to developers early in the software
development life cycle so that insecure containers don't ship to
production.

Veracode Container Security results are available in a variety of formats based
on the user's choice, including text, JSON (JavaScript Object Notation),
and Software Bill of Materials (CycloneDX, SWID [Software
Identification Tagging], or SPDX [Software Packaging Data Exchange]),
making them easy to integrate with other tools. Providing developers and
their teams with the tools to meet their specific needs means they can
find and fix vulnerabilities early in the lifecycle, giving them
confidence that their containerized application environment is secure.

"Veracode Container Security will be instrumental for our developers to ensure
that the workloads they deploy into our cloud are secure," said the
Director of Information Security at an automotive company. "Without this
tool, it would take our team weeks to receive and action container
results and these would only have been available in limited formats.
Now, we're excited to integrate findings into the pipeline before they
even move into production, creating time and cost efficiencies for our
business."