As DevOps teams continue to ‘shift security left’ and build container security into the pipeline, integrated toolchains for managing security risk early in the software development lifecycle (SDLC) are becoming critical. The Sonatype Nexus Lifecycle integration with NeuVector enables developers and DevOps teams to manage software vulnerabilities throughout the entire SDLC and even into the production environment.
The security risks posed by the growing use of open source applications and operating systems in containers are exploding. In fact, according to Sonatype’s 2020 State of the Software Supply Chain Report, “Pulls of container images topped 8 billion for the month of January. This means annualized image pulls from the repository should top 96 billion this year. To keep pace with demand, suppliers pushed 2.2 million new images to DockerHub over the past year – up 55% since our last report.” Left unpatched, critical vulnerabilities in running containers provide an attack surface for hackers to exploit in order to steal data, install ransomware, or perform crypto-mining attacks.
The solution to this problem, and the cornerstone of good security hygiene, is the ability to detect and mitigate vulnerabilities in all phases of the SDLC, including build, registry, and production environments. The Sonatype Nexus Lifecycle integration with NeuVector provides a solution which combines Nexus Lifecycle’s unique intelligence and policy enforcement at the application layer with NeuVector’s detection and mitigation of open source risk at the container application, operating system and runtime layer. With this partnership, DevOps teams can use NeuVector to scan images in registries and containers running in production for vulnerabilities and manage these vulnerabilities in Nexus Lifecycle.
The NeuVector Sonatype Lifecycle integration is itself a container, configured from the command line with inputs such as the Nexus Lifecycle server, the NeuVector controller and the webhook endpoint. Response Rules are then configured in NeuVector to send webhook alerts to the integration container whenever an image or running container is scanned.
The NeuVector integration is able to automatically detect the Nexus Lifecycle application and submit scan results for that application, or create a new application if no match is found. Scan results are sent to the Nexus Lifecycle server using the REST API.
Whenever a scan completes, the NeuVector scan results are presented in the same familiar view as Nexus Lifecycle data.
This enables customers to apply all of their current Nexus Lifecycle configurations to domains that are not native to the Nexus platform, allowing developers to write secure code without slowing the pipeline.
Because NeuVector also scans running containers in production, run-time scan results can also be displayed in Nexus Lifecycle, alerting developers to potential risks that may exist in production. These may be the result of newly discovered and published vulnerabilities that did not exist when the image was first scanned during build, or in the registry before deployment.
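The flow described above (a scan webhook arriving at the integration container, the application being matched or created, and run-time results surfacing vulnerabilities that were not present at build time) is sketched below as an added example. It is not code from NeuVector or Sonatype; the event field names, the `Catalog` stand-in for the Lifecycle application list, and the sample payloads are all assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass, field

# Constructed sample of a "scan completed" webhook event. The field names are an
# assumption for this example, not the real NeuVector or Nexus Lifecycle format.
REGISTRY_EVENT = json.dumps({
    "event": "scan_completed",
    "source": "registry",                     # scan of an image in the registry
    "image": "registry.example.test/shop/api:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "Critical", "package": "openssl"},
        {"id": "CVE-0000-0002", "severity": "High", "package": "zlib"},
    ],
})

# Same image scanned later at run time, after one more CVE has been published.
RUNTIME_EVENT = json.dumps({
    "event": "scan_completed",
    "source": "runtime",                      # scan of the running container
    "image": "registry.example.test/shop/api:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "Critical", "package": "openssl"},
        {"id": "CVE-0000-0002", "severity": "High", "package": "zlib"},
        {"id": "CVE-0000-0003", "severity": "High", "package": "libcurl"},
    ],
})


@dataclass
class Catalog:
    """In-memory stand-in (assumption) for the Lifecycle application list."""
    applications: dict = field(default_factory=dict)  # app name -> CVE ids seen

    def resolve(self, image: str) -> tuple[str, bool]:
        """Map an image reference to an application, creating it if absent."""
        name = image.rsplit("/", 1)[-1].split(":", 1)[0]   # ".../api:1.4.2" -> "api"
        created = name not in self.applications
        if created:
            self.applications[name] = set()
        return name, created


def process_event(raw: str, catalog: Catalog) -> dict:
    """Handle one webhook alert: pick the application, record its findings,
    and report which CVEs were not present in any earlier scan of that app."""
    event = json.loads(raw)
    if event.get("event") != "scan_completed":
        return {"ignored": True}
    app, created = catalog.resolve(event["image"])
    seen = catalog.applications[app]
    found = {v["id"] for v in event["vulnerabilities"]}
    new_since_last = sorted(found - seen)      # what a developer needs to look at
    seen |= found
    return {"application": app, "created": created, "source": event["source"],
            "new_cves": new_since_last, "total": len(found)}
```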
Vulnerability Impact In Production
DevOps teams can further assess risk by logging into their NeuVector console to assess the ‘impact’ of vulnerabilities on running assets, including nodes (hosts) and containers. Any asset that has been protected by NeuVector’s run-time security rules is deemed to have been ‘virtually patched,’ meaning that the risk of exploit is low and an exploit attempt can be detected and blocked by NeuVector. Assets running without NeuVector protection are highlighted to indicate the exploit risk in production.
Watch the Integration Demo
To see more details about the NeuVector Sonatype Nexus Lifecycle integration, watch this demo video.
Full Lifecycle Container Security
The NeuVector container security platform provides end-to-end vulnerability and compliance scanning for containers, combined with unique run-time protection to detect and prevent data breaches, malware, vulnerability exploits, ransomware and crypto-mining attacks. All aspects of container security can be integrated and automated into the CI/CD pipeline to enable DevOps teams to secure containers without slowing or stopping the pipeline. The unique Layer 7 container firewall enables NeuVector customers to prevent network attacks, inspect packets for sensitive data (DLP), and automatically segment east-west and ingress/egress network connections.
The combination of Sonatype Nexus Lifecycle and NeuVector enables customers to implement the defense in depth strategy needed to protect sensitive data and assets in production.