5 container security tools to safeguard apps, environments

Learn how five container security vendors monitor and protect container delivery and implementation, regardless of where the container sits in the application lifecycle.

Containers play a vital role in application deployment, especially for organizations that are moving workloads to the cloud. Containers make it easier for developers to build applications and maintain them throughout their entire lifecycle. But the surge in containerized applications presents security challenges, and protecting the multiple layers of abstraction that make up a containerized environment is no small task. For this, organizations require the right security tool.

Traditional security tools can't adequately protect the integrity of containers, which is why many organizations deploy containers inside VMs. But with the right security tool, an organization can avoid the additional VM overhead. A comprehensive security product protects all aspects of container delivery and implementation, regardless of where the container sits in the application lifecycle. Here are five popular container security tools that take different, yet effective, approaches to safeguarding container environments.

Editor's note: None of the container security vendors profiled here provide information about licensing, subscriptions or pricing. Contact each vendor directly for this information.

1. Aqua Security Software Ltd.

The Aqua Security enterprise security platform safeguards cloud-native applications and infrastructures, including containers, VMs and serverless computing workloads. The platform offers full development-to-production protection across the entire continuous integration and continuous delivery (CI/CD) pipeline. This gives organizations full visibility and control over their application activity, while helping to bridge the gap between DevOps and security.

An Aqua Security deployment includes the software components necessary to protect applications throughout their lifecycles. For example, the platform includes advanced scanning functionality for verifying whether VMs, functions and container images have vulnerabilities. Organizations can also define policies that determine which of these components they can deploy in their environment. To protect container runtimes, the platform uses machine learning to profile and whitelist good container behavior and then takes steps to prevent unauthorized behavior.

Aqua Security provides full-stack protection against misconfigurations and attacks and ensures that the system runs only trusted code. The platform offers granular, role-based user access control and zero-touch deployment and management. It also supports scalable automation by providing a RESTful API for integrating third-party tools and services such as orchestrators, registries, container platforms and DevOps applications.

Organizations can implement Aqua Security on premises or on a cloud platform with a provider such as AWS, Google Cloud, Microsoft Azure or IBM Cloud.

2. Capsule8 Inc.

Capsule8 is an enterprise infrastructure security platform for protecting Linux systems across a variety of environments. This tool can detect and respond to incidents on any system at any scale, regardless of the kernel version, Linux distribution or operating environment, such as a public cloud, private cloud, VM, container or bare metal. Capsule8 designed its detection features specifically for the unique threats that come with containers and cloud systems, resulting in a platform that's effective at stopping attacks and minimizing incident impact.

Capsule8 runs in the Linux user space and collects kernel-level data without requiring a kernel module. This approach minimizes the risks to server and network stability, while making it possible to detect and respond to attacks as soon as they're launched. The platform uses distributed agents to collect system telemetry without impacting workload execution or requiring a recompile of the kernel.

This container security tool provides insights into unwanted activity by monitoring attack chokepoints in the kernel and examining system operations that reflect risky developer actions. Capsule8 also includes automated resilience capabilities that immediately mitigate unwanted activity. At the same time, Capsule8 offers an ops-friendly architecture that enables administrators to limit the platform's resource usage, such as CPU and networking, which helps to ensure system reliability.

Capsule8 is API-first by design, so organizations can easily integrate it with popular orchestration and management tools, including Chef, Puppet, Ansible, Splunk and Kubernetes. They can also use Capsule8 across a mix of legacy and cloud-based systems. These include cloud platforms such as AWS or Microsoft Azure; virtualization tools, including Xen or KVM; or containerized environments such as Docker or containerd.

3. NeuVector Inc.

The NeuVector end-to-end security platform targets container environments that are based on Kubernetes, including Red Hat OpenShift. NeuVector provides admission controls, image vulnerability management, process and file system protection, and a Layer 7 container firewall that protects the application layer. NeuVector's end-to-end security ranges from DevOps vulnerability protection to automated runtime security, which helps protect sensitive data at all stages in the CI/CD pipeline.

Organizations can implement NeuVector as a set of containers that deploy on bare metal or within VMs and can use a variety of container management tools to deploy the containers, including Kubernetes and OpenShift. Once enabled, NeuVector scans for vulnerabilities, monitors registry images and runs automated tests for security and compliance. The platform also assesses normal container behavior and automatically builds a security policy that blocks unauthorized container activity or connections.

NeuVector provides complete lifecycle image scanning that's fully integrated into the CI/CD pipeline. The platform prevents exploits and breakouts by detecting and blocking suspicious activity. It tests containers for vulnerabilities during development and safeguards the containers from threats in production. The Layer 7 firewall protects containers against attacks from internal and external networks, while also preventing attempts to steal data.

NeuVector provides a RESTful API for integration with development, management and orchestration tools, making it possible to fully incorporate NeuVector into DevOps processes. NeuVector can also use role-based access controls to integrate with Kubernetes namespaces, as well as with OpenShift RBACs. NeuVector supports the use of security information and event management (SIEM) software for further protecting containerized workloads.

4. Qualys Inc.

Qualys is a comprehensive security platform that provides vulnerability management, detection and response (VMDR) services. The Qualys Cloud Platform delivers and enables these services through the platform's integrated suite of cloud applications. Qualys VMDR, the latest generation of the Qualys security application, incorporates machine learning to correlate issues and prioritize actionable remediation. The platform automatically gathers and analyzes security and compliance data, while providing asset discovery, network and application security, threat protection and compliance tracking.

Qualys VMDR offers continuous, always-on monitoring of an organization's global IT infrastructure, providing visibility into all IT assets. The platform also offers built-in threat prioritization and patching. To carry out these operations, Qualys uses lightweight agents, scanners and sensors, which the product installs in the monitored environments. For example, Qualys provides a container sensor for protecting containers across their build, ship and run stages.

The Qualys Cloud Platform offers applications that address cloud and container security, asset management, IT security, web application security and compliance. For example, the platform's Container Security application provides the tools necessary to discover, track and continuously secure containers from build to runtime. Organizations can also use the application in conjunction with other platform applications to safeguard assets beyond their containers.

The Qualys web interface lets users select the application they want to use from a list of available offerings. The list includes only those applications that organizations enable for their subscription level. Once users launch an application, they can view information about their systems and carry out an assortment of tasks. Organizations can even customize how Qualys displays the information. Qualys VMDR also provides open XML APIs for integrating the Qualys VMDR platform into other applications.

5. StackRox Inc.

The StackRox Kubernetes Security Platform provides native integration with Kubernetes. It protects containerized applications throughout the build, deploy and runtime stages. StackRox applies controls early in the application lifecycle by using Kubernetes' declarative data and built-in controls. The StackRox Policy Engine includes hundreds of controls for enforcing security, DevOps best practices and configuration management for both containers and Kubernetes.

Organizations can deliver StackRox software in a set of containers deployed through Kubernetes. One of the containers serves as the platform's central interface for communicating with other StackRox components and third-party systems. This container can run anywhere in the Kubernetes environment. A sensor container is also deployed to each cluster for integrating with Kubernetes, as well as a collector container for each node for collecting container-level specifics.

Because StackRox is deeply integrated with Kubernetes, it has a rich context for gaining visibility into everything from risk profiling to configuration management. In addition, the use of native Kubernetes controls enables StackRox to enforce security policies such as admission controls and network segmentation. StackRox also benefits from Kubernetes' scale and portability, while still being able to enforce security throughout the container lifecycle.

To facilitate interoperability, the company provides an API and prebuilt plugins for integrating with DevOps tools and services such as registries, image scanners, container runtimes, notification tools, SIEM software and other CI/CD systems.
