APPSEC KNOWLEDGE BASE

SOFTWARE CONTAINERS

How to secure software containers.

Adoption of software containers has risen dramatically as more organizations realize the benefits of this virtualized technology. Software containers are lightweight, standalone, executable packages of software that include everything required to run it. Containers include code, runtime, settings, system libraries and system tools, and can be used with both Linux and Windows-based applications. By isolating software from its surroundings, software containers enable code to always run the same regardless of the environment it is operating within.

For all their value, software containers also carry significant risks. Lack of visibility into containers means security teams are often unable to discern whether the code inside has any issues, and containers are rarely scanned for vulnerabilities either before or after being deployed to production.

There are a number of steps that developers can take to help secure software containers, including enforcing the use of trusted container image repositories, eliminating image clutter by continuously monitoring what is inside containers, and using secrets management tools instead of baking sensitive data into images. Scanning software containers for vulnerabilities is also critical – and that is where Veracode can help.
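The following is an added example, not code from this page or a Veracode tool: a small Dockerfile policy check that turns three of the steps above into something a build pipeline can enforce. It flags base images pulled from outside an allow-list of trusted registries, images that are not pinned to a tag or digest (so their contents can drift), and ENV/ARG instructions whose key names suggest a secret has been baked into the image. The registry names, the sample Dockerfiles and the secret-name pattern are all constructed assumptions for this illustration.

```python
"""Added example (not part of the Veracode page): a minimal Dockerfile policy
check for trusted image sources, pinned images, and secrets in ENV/ARG."""
import re

# Hypothetical allow-list of trusted image sources ("<registry>/<repo prefix>").
TRUSTED_SOURCES = ("registry.example.internal/", "docker.io/library/")

# Key names that usually indicate a credential rather than configuration.
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def normalize_image(ref):
    """Split an image reference into (registry, repo, tag, digest).

    'nginx' -> ('docker.io', 'library/nginx', None, None)
    'localhost:5000/app:1.0' -> ('localhost:5000', 'app', '1.0', None)
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' names a tag only when it comes after the last '/', otherwise it is a port.
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    parts = ref.split("/")
    if len(parts) == 1:
        # Bare names resolve to Docker Hub official images.
        return "docker.io", "library/" + parts[0], tag, digest
    if "." in parts[0] or ":" in parts[0] or parts[0] == "localhost":
        return parts[0], "/".join(parts[1:]), tag, digest
    return "docker.io", "/".join(parts), tag, digest


def check_dockerfile(text):
    """Return a list of (line_no, rule, detail) findings for a Dockerfile string."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            # Skip flags such as --platform and ignore 'AS <stage>' suffixes.
            image = next(tok for tok in rest.split() if not tok.startswith("--"))
            if image.lower() == "scratch":
                continue
            registry, repo, tag, digest = normalize_image(image)
            source = f"{registry}/{repo}"
            if not any(source.startswith(t) for t in TRUSTED_SOURCES):
                findings.append((n, "untrusted-source", source))
            if digest is None and (tag is None or tag == "latest"):
                findings.append((n, "unpinned-image", image))
        elif instr in ("ENV", "ARG"):
            # Both 'ENV KEY=value' and 'ENV KEY value' put the key first.
            for tok in rest.split():
                key = tok.split("=", 1)[0]
                if SECRET_KEY_RE.search(key):
                    findings.append((n, "secret-in-image", key))
    return findings


# Constructed sample: a weak Dockerfile that violates all three rules.
SAMPLE_DOCKERFILE = """\
# constructed sample, not a real project's Dockerfile
FROM someuser/python:latest
ENV DB_PASSWORD=hunter2
COPY . /app
"""

# Constructed sample: the same image hardened (trusted registry, digest pin, no secret).
HARDENED_DOCKERFILE = """\
FROM registry.example.internal/base/python:3.12@sha256:0000000000000000000000000000000000000000000000000000000000000000
ARG APP_VERSION=1.0
COPY . /app
"""

if __name__ == "__main__":
    for name, dockerfile in (("weak", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(dockerfile) or "no findings")
```

Running the script reports three findings for the weak Dockerfile (untrusted source, unpinned image, secret in ENV) and none for the hardened one. In a real pipeline the secret-name pattern would be a first-pass heuristic only; a dedicated secrets scanner and a secrets manager that injects credentials at runtime are what actually keep sensitive data out of the image.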

Testing software containers with Veracode.

Veracode provides application security testing solutions that help to protect the software that businesses rely on. Our suite of on-demand, SaaS-based testing services enables security analysis and testing to be embedded throughout the software development lifecycle (SDLC), allowing developers to test for vulnerabilities from inception through production.

Veracode Static Analysis is an easy-to-use testing methodology that lets developers quickly scan microservices and software containers as well as web, mobile and desktop applications. With Veracode Static Analysis, developers can quickly identify and remediate vulnerabilities like cross-site scripting and SQL injection without having to manage a tool. Our patented technology analyzes software containers by scanning binaries, eliminating the need for access to source code. Results are provided within four hours for 80% of scans, and 90% of scans are completed within a day. With highly accurate results that are prioritized based on severity and include a step-by-step remediation plan, developers can fix flaws faster while avoiding wasting time on false positives.

Comprehensive solutions for software containers and other applications.

Additional Veracode software testing services for software containers and other applications include:

  • Veracode Greenlight, a solution that runs in the background of a developer’s IDE to provide immediate alerts and feedback about potential flaws as code is being written.
  • Veracode Software Composition Analysis, a service that helps to identify and eliminate risk in open source components and commercial software.
  • Veracode Web Application Scanning, a web application scanner service that inventories all public-facing web applications and performs both lightweight, production-safe scans and deep scans to identify potential vulnerabilities.