Friday, September 21, 2018

Improving the security of your containers in OCIR with Twistlock

Introduction to OCIR

Last May, Oracle introduced a new cloud service on Oracle Cloud Infrastructure, for container native developers to store their Docker images.  Simply, Oracle Cloud Infrastructure Registry, or OCIR for short.

Usage of this new cloud service has grown rapidly, and its primary use is to store container images used in conjunction with Container Engine for Kubernetes, or OKE for short.  A managed Kubernetes service on Oracle Cloud Infrastructure .

Customers have asked how they can scan their container images stored in OCIR, and add an additional amount of security and control to their CI/CD pipelines.  As a response to these types of questions, we wanted to highlight one of these solutions, that focuses on vulnerability and compliance, Twistlock.

Connecting a solution like Twistlock is easy.  Simply supply the Twistlock setup screen with a username (in the form of tenancy_name/user_name), an OCI generated Auth Token and the target registry, such as  Customers can easily create service accounts, to fulfill this need, with policies limited to read only access of the registry.

How Twistlock Helps
Twistlock is a cloud native security platform.  Started in 2015 as the first solution for container security, Twistlock’s platform now leverages the benefits of cloud native technology to make application security better - more automated, more efficient, and more effective.

A key way this happens is by ‘shifting left’ - ensuring security isn’t just a run time activity.  Twistlock’s native integration with OCIR allows Twistlock to monitor and identify vulnerabilities and compliance issues for all images stored in registry - and block use of images that contain violations.  By preventing risky container images from being deployed - this reduces your runtime risk, and helps development teams more quickly correct issues.

Twistlock easily integrates with OCIR to provide an overview of risks in your registry

But knowing about a vulnerability isn’t enough for container images.  Containers pose 3 distinct challenges to vulnerability management:
Containers often have hundreds of CVES present - and traditional scanning tools often bring with them a number of false positives - making it hard to know what’s a real risk, and what’s not.
Once you’ve weeded out the false positives - numerous CVEs still remain.  Knowing what to prioritize a fix for isn’t straightforward - because you often don’t know how the container image will be deployed.
And then, once you know what CVEs to tackle first - tracking down what layer of the container image the CVE was introduced in is no easy task - requiring manual effort, or in larger organizations, coordination across different development teams.

To tackle these problems, Twistlock does three things:
Uses over 30 upstream sources to source CVE information, then parses, correlates and consolidates the data into the Twistlock Intelligence Stream.  By comparing multiple sources and going direct to vendors, Twistlock is able to provide a significantly reduced false positive rate vs. traditional vulnerability management tools.
Generates a risk score for every CVE detected that is specific to your deployment and environment. This lets your prioritize what to fix in registry based on the risk it brings to your production environment.
Provides a per-layer analysis of every CVE detected - showing the exact layer of the container image where the CVE was introduced.  This makes fixing vulnerabilities quicker - no more hunting down which layer the CVE originated in.

Twistlock factors in specifics from your environment to create a tailored risk score for each CVE

Twistlock’s per layer analysis makes it easy to pinpoint where CVEs are introduced

For more information, or to learn about how the Twistlock platform provides zero touch active threat protection and layer 3 micro-segmentation, along with cloud native layer 7 firewalls, and precise vulnerability management - visit


from Oracle Blogs | Oracle Marketing Cloud