Aug 16, 2019

Vulnerability scanning expands to containers in the cloud

Google announced the general availability of Cloud Security Scanner for Google Kubernetes Engine (GKE) and Compute Engine. The new scanner will detect vulnerabilities in web applications and provide remediation recommendations that developers can choose to fix before fully deploying their application. Potential vulnerabilities include mixed content using HTTP and HTTPS, JavaScript libraries with known security issues, cross-site scripting attacks, and misconfigured repositories containing source code that may be publicly accessible.

Microsoft Azure has a similar service called Web Vulnerability Scanning for Azure App Service that is powered by Tinfoil Security, a third party security platform for developers and operations teams. Unlike Azure’s offering, Google Cloud does not use a third party for its security scanning. Both, however, are working to bring smarter security to their respective cloud platforms, reigning in one of the more complex segments in the software supply chain.

Security tech stacks are becoming increasingly robust, with dozens of automated tests occurring at each stage of development by different tools that operate at specific phases. Code repository platforms watch hosted code, modular plugins make intelligent code recommendations, and cloud providers analyze deployed applications. Cloud providers, however, offer notoriously complex and patchy security solutions. By expanding vulnerability scanning to its container services, Google is ensuring its security measures are as broadly applicable as possible. Whether using Google’s App Engine or Kubernetes Engine, developers can expect a consistent security filter across cloud products.

While security is becoming increasingly automated for developers, it is also following an increasingly multilayered approach. Any changes to code, dependencies, or deployments are analyzed by services natively integrated into tools developers already use today, with security services often overlapping in functionality. Security checkpoints at each phase of development are fortunately less intrusive as they become more automated but are proliferating rapidly. As the development world shifts to continuous integration and continuous development, expect a rapid rise in continuous security.

Want to get more of these in your inbox?

Subscribe for weekly updates from the Software team.