VMware extended its Carbon Black Cloud platform for endpoint and workload security to support container image scanning and hardening.
Following its initial release last December, the Carbon Black Cloud container security feature provides visibility into on-premises and public cloud Kubernetes clusters to help identify misconfigurations and other security risks. It also lets users customize policies to maintain compliance and ensure desired state configurations.
The new vulnerability management tool scans all container images to identify security risks at time of build, before they are deployed into production. This reduces the overall risk profile of the application by minimizing the attack vectors. It also enables InfoSec and DevOps teams to restrict the registries and repositories that are allowed in production.
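The registry and repository restriction described above is, in practice, an admission-time check on every image reference in a workload before it reaches a production cluster. The following Python is an added illustration of that control and is not Carbon Black Cloud code or VMware's implementation; the allowlist, the digest-pinning requirement and the pod manifest are constructed for the example, and the registry names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches a content-addressable digest such as sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest.

    Follows the usual docker-style rules: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    image is assumed to come from docker.io, with single-name images living
    under the 'library/' namespace.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, remainder = parts[0], "/".join(parts[1:])
    else:
        registry, remainder = "docker.io", ref
        if "/" not in remainder:
            remainder = "library/" + remainder
    tag = None
    if ":" in remainder:  # the registry (and any port) has already been removed
        remainder, tag = remainder.rsplit(":", 1)
    if not remainder:
        raise ValueError(f"empty repository in {ref!r}")
    return ImageRef(registry, remainder, tag, digest)


# Constructed policy: only an internal registry, and only two team namespaces
# within it, may be deployed; every image must be pinned by digest so that a
# scanned image cannot be silently replaced under the same tag.
PRODUCTION_POLICY = {
    "allowed": {"registry.example.internal": ["team-a/", "platform/"]},
    "require_digest": True,
}


def check_pod_images(pod: dict, policy: dict) -> list:
    """Return a list of policy violations for every container image in a pod."""
    violations = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            name = container.get("name", "<unnamed>")
            image = container.get("image", "")
            try:
                ref = parse_image_ref(image)
            except ValueError:
                violations.append(f"{name}: unparseable image reference {image!r}")
                continue
            allowed_repos = policy["allowed"].get(ref.registry)
            if allowed_repos is None:
                violations.append(f"{name}: registry {ref.registry!r} is not allowed")
                continue
            if not any(ref.repository.startswith(p) for p in allowed_repos):
                violations.append(f"{name}: repository {ref.repository!r} is not allowed on {ref.registry}")
            if policy.get("require_digest") and ref.digest is None:
                violations.append(f"{name}: image {image!r} is not pinned by digest")
    return violations


# Constructed pod manifest (the shape Kubernetes hands to an admission webhook).
SAMPLE_POD = {
    "metadata": {"name": "payments-api"},
    "spec": {
        "initContainers": [
            {"name": "migrate", "image": "registry.example.internal/team-a/migrate:2.1.0@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "api", "image": "registry.example.internal/team-a/api:2.1.0@sha256:" + "b" * 64},
            {"name": "sidecar", "image": "busybox:latest"},
            {"name": "debug", "image": "ghcr.io/someone/debug-tools:v3"},
        ],
    },
}

if __name__ == "__main__":
    for v in check_pod_images(SAMPLE_POD, PRODUCTION_POLICY):
        print("DENY:", v)
```

Run stand-alone, the script denies the pod twice: the `busybox:latest` sidecar resolves to docker.io, which is outside the allowlist, and the debug container comes from an unapproved public registry. The two internal images pass because they sit in an allowed namespace and are pinned by digest, which is what ties a deployed image back to the exact artifact that was scanned at build time.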
These container security features use technology that VMware acquired from Octarine — one of the virtualization giant’s several purchases last year. However, the container image scanning tool is a VMware original built specifically for this release, said Shemer Schwarz, senior director of product management at VMware Carbon Black. Schwarz was the CEO and co-founder of Octarine before VMware acquired the cloud-native security startup.
Collaboration between teams is perhaps the most important value add in the Carbon Black Cloud tooling update, according to Schwarz. “Our vision is to help bridge the gap between the SOC [security operations center] team and DevOps team,” he explained.
Integrating all of these pieces into its Carbon Black Cloud platform allows customers to automate DevOps processes to ensure continuous security and compliance for multi-tenant, multi-cluster Kubernetes workloads, he added.
Schwarz noted that the growing Kubernetes adoption has raised awareness about risks associated with the traditional framework for application security, which can’t identify, let alone block, attacks in container- and microservices-based applications emerging in production environments. “Basically, a new approach is required to secure those applications,” Schwarz said.
Shifting Left
Schwarz also discussed the importance of integrating security into DevOps processes — also called DevSecOps. This becomes increasingly important as companies move workloads to the cloud.
To this end, VMware is introducing continuous integration, continuous development (CI/CD) integration capabilities to help IT teams scan and detect vulnerabilities and potential misconfiguration earlier in the application lifecycle.
“You want to push the container, the image scanning, closer to the developer because they're the ones actually fixing those vulnerabilities, and that’s what we provide,” he added.
VMware’s platform does this by automatically scanning for things like misconfigurations and code vulnerabilities before the application is deployed. It also checks containers for known exploits and can fix those as well, and now it adds container image scanning and CI/CD integration capabilities.
Speaking the Same Security Language
As with most things, the biggest gap in securing cloud-native environments is at the human level.
DevOps and security teams tend to have a different vision of the priorities. Oftentimes security teams are perceived as the people that slow stuff down, and DevOps, who are trained for speed and innovation, leave protection mostly out of the picture.
In a sense, security and DevOps teams are speaking two different languages, if they’re even speaking at all. This is driving a sizable wedge in what is supposed to be joint ownership: security sets the standard and developers implement it.
VMware is positioning itself on both sides of this battle with the Carbon Black Cloud platform by streamlining security for public cloud and on-premises Kubernetes environments to enable InfoSec and DevOps teams “to continue to innovate without compromising security,” Schwarz explained.
“On one hand, Carbon Black Cloud is helping security teams gain visibility and helping them set the standard, both for security and compliance in containerized applications, while for DevOps and developers, we’re lowering the operational cost of implementing those standards for security and compliance in a containerized environment,” he added.