
Improving the security of your containers in OCIR with Twistlock

Mike Raab
Product Manager

Introduction to OCIR

Last May, Oracle introduced Oracle Cloud Infrastructure Registry (OCIR) on Oracle Cloud Infrastructure for container-native developers to store Docker images.

Usage of this new cloud service has grown rapidly. Its primary purpose is to store container images, and it is typically used together with Container Engine for Kubernetes (OKE), a managed Kubernetes service on Oracle Cloud Infrastructure.

Customers have asked how to scan container images that are stored in OCIR and add more security and control to CI/CD pipelines. To answer these questions, we are highlighting a solution that focuses on vulnerability and compliance management: Twistlock.

Connecting a solution like Twistlock is simple. Supply the Twistlock setup screen with a username (in the form of tenancy_name/user_name), an Oracle Cloud Infrastructure-generated auth token, and the target registry, such as phx.ocir.io. You can create a dedicated service account for this purpose, with policies limited to read-only access to the registry.

How Twistlock Helps

Twistlock is a cloud-native security platform. Started in 2015 as the first solution for container security, Twistlock’s platform now uses the benefits of cloud-native technology to make application security better - more automated, more efficient, and more effective.

A key way this happens is by ‘shifting left’ and ensuring security isn’t just a runtime activity. Twistlock’s native integration with OCIR allows Twistlock to identify vulnerabilities and compliance issues for all images stored in the registry, and to block the use of images that contain violations. Preventing risky container images from being deployed reduces your runtime risk and helps development teams correct issues faster.



Twistlock easily integrates with OCIR to provide an overview of risks in your registry

But knowing about a vulnerability isn’t enough for container images. Containers pose three distinct challenges to vulnerability management:

  1. Containers can have hundreds of Common Vulnerabilities and Exposures (CVEs) present, and traditional scanning tools often report several false positives. This makes it hard to know what’s a real risk and what’s not.
  2. After you’ve weeded out the false positives, numerous CVEs remain. Knowing which fix to prioritize isn’t straightforward, because you often don’t know how the container image is deployed.
  3. Even after you know which CVEs to tackle first, tracking down which layer of the container image introduced the CVE is no easy task. It requires manual effort or, in larger organizations, coordination across different development teams.

To tackle these problems, Twistlock does three things:

1. Twistlock draws CVE information from over 30 upstream sources. It then parses, correlates, and consolidates the data into the Twistlock Intelligence Stream. By comparing multiple sources and going directly to vendors, Twistlock is able to provide a lower false positive rate than traditional vulnerability management tools.
2. Twistlock generates a risk score for every CVE detected that is specific to your deployment and environment. This lets you prioritize what to fix in the registry based on the risk it brings to your production environment.
3. Twistlock provides a per-layer analysis of every CVE detected, showing the exact layer of the container image where the CVE was introduced. This makes fixing vulnerabilities quicker - no more hunting down which layer the CVE originated in.
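To make points 2 and 3 concrete, here is an added example (not Twistlock's code, and not its data formats) that walks a constructed list of image layers base-first, attributes each still-present vulnerable package version to the layer that introduced it, and ranks the findings with a deployment-specific weighting; the layer digests, CVE ids and scoring weights are all placeholders:

```python
"""Per-layer CVE attribution and environment-aware ranking (added example).
Layers and CVE records below are constructed; they do not mirror Twistlock's formats."""

def package_origins(layers):
    """Walk (digest, command, {package: version}) layers base-first; record each package's
    current version and the layer that first introduced that version."""
    origins = {}
    for digest, command, packages in layers:
        for pkg, ver in packages.items():
            if pkg not in origins or origins[pkg][0] != ver:   # reinstalling the same version keeps the blame
                origins[pkg] = (ver, digest, command)
    return origins

def risk_score(cve, env):
    """Scale the CVSS base score by deployment context (constructed weights)."""
    score = cve["cvss"]
    if env.get("internet_exposed"):
        score *= 1.3   # reachable from outside: raise priority
    if env.get("runs_as_root"):
        score *= 1.2   # exploitation yields root inside the container
    if not cve["fix_available"]:
        score *= 0.9   # nothing to patch yet: rank below fixable findings
    return score

def prioritize(layers, cves, env):
    """CVEs whose vulnerable version survives in the final image, attributed to the
    layer that introduced it, highest risk first."""
    origins = package_origins(layers)
    findings = []
    for cve in cves:
        present = origins.get(cve["package"])
        if present is None or present[0] not in cve["affected"]:
            continue   # package absent, or upgraded past the affected versions
        findings.append({"id": cve["id"], "package": cve["package"], "version": present[0],
                         "layer": present[1], "introduced_by": present[2],
                         "score": risk_score(cve, env)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed sample: a base layer, a layer adding curl, and a layer upgrading libxml2.
LAYERS = [
    ("sha256:base0001", "FROM debian:10", {"openssl": "1.1.1d-0", "libxml2": "2.9.4"}),
    ("sha256:app00002", "RUN apt-get install -y curl", {"curl": "7.64.0", "openssl": "1.1.1d-0"}),
    ("sha256:app00003", "RUN apt-get install -y --only-upgrade libxml2", {"libxml2": "2.9.10"}),
]
CVES = [  # placeholder ids, not real CVE numbers
    {"id": "CVE-EXAMPLE-0001", "package": "openssl", "affected": ["1.1.1d-0"], "cvss": 7.5, "fix_available": True},
    {"id": "CVE-EXAMPLE-0002", "package": "curl", "affected": ["7.64.0"], "cvss": 5.3, "fix_available": False},
    {"id": "CVE-EXAMPLE-0003", "package": "libxml2", "affected": ["2.9.4"], "cvss": 9.8, "fix_available": True},
]
ENV = {"internet_exposed": True, "runs_as_root": False}
```

With this sample, the libxml2 finding drops out because the third layer upgraded it past the affected version, and the openssl finding is attributed to the base layer even though the second layer reinstalled the same version.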

Twistlock factors in specifics from your environment to create a tailored risk score for each CVE.

Twistlock’s per layer analysis makes it easy to pinpoint where CVEs are introduced.

To learn how the Twistlock platform provides zero-touch active threat protection, layer 3 micro-segmentation along with cloud-native layer 7 firewalls, and precise vulnerability management, visit Twistlock.com/platform.
