
Container Security Slides - V3

The document presents an overview of Qualys Container Security, detailing its approach to securing containers from build-time to runtime. It covers key use cases, challenges, and deployment strategies for container security, including integration with CI/CD tools and vulnerability management. Additionally, it provides instructions for lab activities related to container sensor installation and security assessments.

Uploaded by

madzivanzirank

Container Security Assessment & Response

Security from Build-time to Runtime

Qualys, Inc. Corporate Presentation


Training Documents

• Presentation Slide
• LAB Tutorial Supplement

qualys.com/learning



Lab Tutorial Supplement

• All lab activity for this course is performed in a simulated lab environment (No student trial account required)
• Please consult the Container Security Lab Tutorial Supplement for the following:
  I. Link to start the lab tutorial (separate link(s) for each lab topic placed next to the “PLAY” sign)
  II. Overview of the steps performed for each topic
  III. Additional supporting information


Starting the Lab Tutorial

1. Open this link or copy/paste the link in a separate browser window/tab
2. Maximize the screen
3. Start the tutorial


Agenda

• Container Security Overview
• Qualys Container Security Use Cases
• Visibility into Container Projects
• Secure the Build Pipeline
• Secure the Registry
• Secure Containers in the Runtime Phase
• Secure Images in AWS Fargate (ECS)


Container Security Overview

Introduction to Container Security

• Container security is the process of implementing security tools and policies to protect the infrastructure, the software supply chain, runtime, and everything in between
• Container security differs from traditional security methods due to the increased complexity and dynamism of the container environment.


Containers Bring Unique Security Challenges

• Containers use an open development platform (docker pull mysql:latest).
• Containers are by design stateless and ephemeral
• Traditional scheduled scanning will not reliably show vulnerabilities and security concerns in a containerized environment
• Unlike a traditional server environment, you do not patch containers. Patching and vulnerability remediation must be done on the images


Container Attack Vectors

• Container Vulnerabilities and Misconfiguration
• Container Network Misconfiguration
• Container Escape
• Host Vulnerabilities and Misconfiguration
• Host Network Misconfiguration

[Figure: stack of layers (Container, Container Image, Orchestration Engine, Container Engine, Host/Virtual Machine, Physical Infrastructure), annotated with the vulnerabilities and misconfiguration of each layer]


Container Lifecycle Concerns
Build (Container Images)
• Software Composition
• Vulnerabilities and Misconfigurations
• Integration with CI Pipelines

Ship (Container Registry)
• Registry Scanning
• Registry Hygiene
• Vulnerabilities and Misconfigurations
• Image Source

Run (Container Instances, Infrastructure)
• Host Protection
• Container Engine Benchmarking
• Container Orchestration Benchmarking
• Container Vulnerabilities and Misconfigurations
• Runtime Visibility
• Runtime Protection


Qualys Container Security Use Cases

Get More Security

• Inventory: View | Search | Relate
• Assessment: Vulnerability | Compliance
• Drift Detection: Software | Vulnerabilities
• Registry Hygiene: Public | Private
• DevSecOps Integration: CICD | APIs
• Serverless Security: AWS Fargate (ECS)
*Roadmap

Qualys Container Security Assessment & Response
Container Native Protection

Qualys Cloud Platform
CyberSecurity Asset Management | Vulnerability Management | Compliance | Patch Management | Web App Security
Network Security Server End Point Apps Cloud Users IoT
Qualys Apps
Qualys Quick Connectors


Qualys Container Security
Key Use Cases

Visibility into your container projects
• Identify hosts with containers
• Inventory of images, containers
• Identify images and containers with vulnerabilities, misconfigurations, labels, tags, packages,..

Secure the CI/CD pipeline
• Integrate vulnerability scans into the build pipeline
• FAIL builds, not allowing unsecure images to enter the pipeline

Scan Registry and Maintain Registry Hygiene
• Inventory and scan as new images are added to the registry
• Regularly scan registry for non-compliant images as per policy

Container Runtime Security
• Detect container drift from underlying image
• Detect and mitigate vulnerabilities from the container host (leverage integration with Qualys VMDR, PC,..)


Container Sensor Overview and Deployment

Qualys Container Sensor

• Designed to support all major container runtime environments including containerd, crio and docker
• Available as a docker image and runs as a non-privileged container
• Pre-configured to communicate with the Qualys Cloud platform on TCP port 443 and supports proxy servers
• Deployable on standalone as well as in clustered environments such as Kubernetes, AWS ECS, Docker Swarm and Openshift

[Figure: three Host / VM stacks, each with a Container Engine running containers C1 to C5]


Container Sensor Functionality

• Automatic Discovery of Images and Containers
• Monitoring & Reporting of Docker Events
• Listing & Scanning of Registry Images
• Vulnerability and Compliance assessment of Images and Containers

Docker host vulnerability and compliance posture requires Qualys Cloud Agents or an authenticated scan through a Qualys Scanner Appliance.


System and Application Support
Qualys Container Security Sensor supports systems running Docker version 1.12 or later, on:
• Ubuntu
• Debian
• Red Hat Enterprise
• Fedora
• CentOS
• Mac OS
• CoreOS

Can be deployed as:
• General (Host) Sensor
• Registry Sensor
• Build (CI/CD) Sensor


Deployment Templates for Cluster Deployment
Container Sensor deployment templates can be downloaded from the Container Security application

Sensor deployment templates are also available in GitHub


Qualys Container Sensor in Kubernetes Cluster

[Figure: Kubernetes Master (Kubernetes Control Plane: Kube-API Server, etcd, Kube-Scheduler, Kube-Controller Manager, Cloud-Controller Manager) and Kubernetes Worker Nodes (each a Host / VM with Kubelet, Kube-Proxy and a Container Engine), with a Qualys Container Sensor Pod running alongside the Application Container Pods on the worker nodes, and the Qualys Cloud Platform]


Qualys Container Sensor in AWS ECS Environment
An ECS Service is created using the sensor task definition which runs and maintains Container Sensor tasks in the cluster

Task definitions are used to define Qualys Container Sensor deployment configuration


Deploying Qualys Container Security
[Figure: three hosts, each a Host/VM with a Container Engine. Build Host (Build): Qualys CI Plugin and Qualys CI/CD Sensor. Registry Scanning Host (Ship): Registry Image Repository and Qualys Registry Sensor. Runtime Host (Run): Qualys General Sensor and Qualys Cloud Agent. Phases shown: Pre-Deployment Phase, Post-Deployment Phase. Icons represent an installed Qualys Sensor/Plugin]


Full Stack Solution for RedHat OpenShift

• Container Sensor (Vulnerability and Compliance Assessment of containers and images)
• Cloud Agent for RedHat CoreOS on OpenShift 4.x (Host level assessment)

[Figure: OpenShift 4.x Infrastructure Security stack: Containers, CRI-O, RCOS, OpenShift 4.x; icons represent an installed Qualys Sensor]


Sensor Profiles

• Configure sensor profiles to control which sensors are used for scanning different registries
• Configure sensor log settings
• Configure a time window when the sensor will be dormant
• Configure data collection method for vulnerability assessment


LAB 1

Install Container Sensor

Please consult pages 4-17 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 15 mins

• “Install Container Sensor on a Docker Host” tutorial on page 10
• “Install Container Sensor in Kubernetes Cluster” tutorial on page 15


Visibility into Container Projects

Identifying Hosts with Container Images and Containers

QIDs used to identify Docker hosts and their inventory: 45367, 45434, 370440 & 48030

• Detect container infrastructure via existing Qualys sensors (Scanner and Cloud Agent)
• Gain deeper visibility with the Qualys Container Sensor


Identify Hosts Missing Sensor

Identify container hosts missing container sensor


Container Host Inventory

Get container inventory and vulnerability posture


Tracking Images Sources
Identify Images in unprotected Registries

Quickly identify Images in unprotected Registries


Tracking Images Sources
Identify Unknown Pipelines

Quickly identify Images in unknown CI/CD pipeline


Identify Container Location in the Cluster

Quickly identify containers running on the K8 master, cluster node, namespace, etc.


LAB 2

View Container Projects

Please consult pages 18-20 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 10 mins

Tutorial link on page 20


Secure the Build Pipeline

Qualys Container Security Integration with CI/CD Tools

Qualys Plugins
• Qualys Container Scanning Connector and Container Sensor for scanning build images
• Easy to deploy and configure
• Connector available in Jenkins, Bamboo and Azure DevOps marketplace

REST APIs for other CI/CD tools
• Groovy scripts for image validation and Container Sensor for scanning build images
• Scripts referred/used in CI/CD pipeline job
• Scripts available on GitHub


Deployment Steps

Identify
• Identify CI tools being used.

Deploy
• Deploy CI/CD Sensor on each build node (worker node / agent that builds the images).

Install and Configure
• Install Qualys Plugin or configure script
• Configure image validation policy.


Control CICD Sensor Settings

Centrally configure and manage the following CICD sensor settings:
• Log settings
• Time window when the sensor will be dormant
• Indicate whether you want sensors to perform static vulnerability scanning as a fallback to dynamic vulnerability scanning for images without a shell


Secure the Build pipeline
Functional Overview

[Figure: Build and Ship phases. Labels: Code; CI Pipeline; Unprotected Image; CI Gate; Build Pass; Build Fail; CICD Sensor Scans Built Image; CI Plugin Pulls Scan Results; Qualys Cloud Platform (QCP); CI Plugin Tags Image: qualys_scan_target:<image_id>]


Actionable Vulnerability Information

• Actionable information with remediation context
• Access reports within the CI/CD environment without requiring a login to Qualys

Qualys Security Conference, 2019 16 May 2023


Integrating Container Security into a CI/CD Environment (using plugin)

1. Deploy the CICD Sensor on the build node
2. Deploy the Qualys plugin (vulnerability analysis plugin) on the management\master node
3. Configure API access and image validation criteria in the plugin
4. Add the Qualys scan step to the build pipeline


Integrating Qualys Container Security into a CI/CD Environment (using script)

Prerequisites
• jq (lightweight JSON processor)
• curl (command line tool to transfer data)
• Docker
• CICD Sensor

Pipeline Configuration Steps
• Download the validate_image.sh script from GitHub
• Configure jq filter with image validation criteria
• Execute the script with correct arguments as a part of the build pipeline:
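An added example, not part of the Qualys slides, the plugin or the validate_image.sh script: a CI gate that applies image validation criteria to one image's scan result and fails the build through its exit status. The JSON field names, the criteria keys and the sample QIDs are assumptions constructed for this sketch, not the Qualys API schema.

```python
import json
import sys

# Constructed scan result for one image. Field names are assumptions made
# for this sketch; they are not the Qualys API schema.
SAMPLE_SCAN = json.loads("""
{
  "imageId": "0123456789ab",
  "vulnerabilities": [
    {"qid": 900001, "severity": 5, "software": "glibc",   "patchAvailable": true},
    {"qid": 900002, "severity": 4, "software": "libxml2", "patchAvailable": false},
    {"qid": 900003, "severity": 2, "software": "openssl", "patchAvailable": true}
  ]
}
""")

# Hypothetical image validation criteria.
CRITERIA = {
    "max_by_severity": {5: 0, 4: 0},  # allowed count per severity level
    "fail_on_qids": [],               # any of these fails the build outright
    "exclude_qids": [900002],         # accepted risk, ignored by the gate
    "patchable_only": False,          # count only findings that have a fix
}


def evaluate(scan, criteria):
    """Return (passed, reasons) for one image scan result."""
    # Fail closed: an image with no scan data must not pass the gate.
    if not isinstance(scan.get("vulnerabilities"), list):
        return False, ["no scan results for image, failing closed"]

    excluded = set(criteria.get("exclude_qids", []))
    banned = set(criteria.get("fail_on_qids", []))
    patchable_only = criteria.get("patchable_only", False)

    counts, reasons = {}, []
    for vuln in scan["vulnerabilities"]:
        qid, sev = vuln["qid"], vuln["severity"]
        if qid in excluded:          # exclusions win over every other rule
            continue
        if qid in banned:
            reasons.append(f"QID {qid} is on the fail list")
        if patchable_only and not vuln.get("patchAvailable", False):
            continue
        counts[sev] = counts.get(sev, 0) + 1

    limits = criteria.get("max_by_severity", {})
    for sev, limit in sorted(limits.items(), reverse=True):
        found = counts.get(sev, 0)
        if found > limit:
            reasons.append(f"severity {sev}: {found} found, {limit} allowed")
    return not reasons, reasons


if __name__ == "__main__":
    passed, reasons = evaluate(SAMPLE_SCAN, CRITERIA)
    for reason in reasons:
        print("FAIL:", reason)
    # A non-zero exit status is what makes the CI job stop the build.
    sys.exit(0 if passed else 1)
```

Keeping the exclusion list in version control next to the pipeline definition makes every accepted risk reviewable.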


LAB 3

Secure the Build Pipeline in Jenkins

Please consult pages 21-26 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 10 mins

Lab tutorial link is on page 26


Software Composition Analysis (SCA)

Software Composition Analysis (SCA)

• Discovers installed open-source software and libraries, as well as associated vulnerabilities
• Detects programming language-based software packages: Java, Python, Go, Node.js, .NET, PHP, Ruby and Rust.
• Complete image introspection, with understanding of how layers work in unison results in higher accuracy vulnerability detection
• Supported by all Container Sensor types on Docker and Containerd runtime

[Figure: Build Image, Introspect COMPLETE Image, Identify Vulnerabilities, Image Registry; sample findings table with columns IMAGE VULNERABILITIES, INSTALLED S/W, FIX VER, LAYER ID, LAYER, COMPONENT and two sample rows (QID870045, severity 5 and severity 4)]


SCA Requirements

• Requires Sensor version 1.19 and above
• Feature must be enabled for your subscription
• Requires Container Sensor to be installed or relaunched with the parameter --perform-sca-scan


View Image Details


Vulnerabilities in SCA scanned Images


LAB 4

SCA Scans

Please consult pages 27-28 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 10 mins

Lab tutorial link is on page 28


Secure the Registry

Addressing Container Lifecycle Concerns

Ship (Container Registry)
• Registry Scanning
• Registry Hygiene
• Vulnerabilities
• Image Source

• Registry scanning using Qualys Container sensor in Registry mode
• Registry Hygiene to purge stale, vulnerable images


Registry Scanning Steps
Sensor Deployment, Adding Registry and Configuring Scan Jobs

Identify
• Identify Registries being used

Deploy
• Deploy Registry Sensor on host(s) that have access to registry

Configure
• Add Registry information to your Qualys account and configure scan jobs


Registry Scanning
Public Registry
[Figure: public registry scanning, steps 1 to 7, between the Qualys Cloud Platform, a Docker Engine on a Host/VM and the public registries (ECR, GCR, ACR, Docker Hub). Labels: Docker V2 API call; Image list to scan; Images queued for scanning; Image Pull; Scan image for vulnerabilities; Scan data; Vulnerability association and reporting]

Listing Phase
• Step 1
• Step 2

Scanning Phase
• Step 3
• Step 4
• Step 5
• Step 6
• Step 7


Map Sensor with Registry

• Configure sensor profiles to control which Registry Sensors are used for scanning different registries


Control Registry Sensor Settings

Centrally configure and manage the following Registry sensor settings:
• Log settings
• Time window when the sensor will be dormant
• Indicate whether you want sensors to perform static vulnerability scanning as a fallback to dynamic vulnerability scanning for images without a shell


Registry Scanning
Private Registry
[Figure: private registry scanning, steps 1 to 6, between the Qualys Cloud Platform, a Docker Engine on a Host/VM and the private registries on a Host / VM (Nexus, Docker Private, jFrog Artifactory). Labels: Scan job; Docker V2 API call; Image Pull; Scan image for vulnerabilities; Scan data; Vulnerability association and reporting]

Listing Phase
• Step 1
• Step 2

Scanning Phase
• Step 3
• Step 4
• Step 5
• Step 6


Adding Registry

Public registries: Docker Hub, AWS ECR, GCR, ACR (Azure)

Private registries: V2-private registry, Docker Private Registry, jfrog-artifactory

User with read privilege required for registry scanning

Can delete misconfigured and unused connectors for ACR and AWS ECR registries


On-Demand Scan

• Create an on-demand job to baseline registry
• Filter images using creation date or image tags for scanning


Recurrence for Automatic Scan Jobs


Scan all Images


Wild-card Support

Wild cards not accepted unless enabled for the subscription

When enabled, wildcards accepted for Repository and Image tags

• When enabled you can use wild cards for Repository and Image names in the registry scan job
• Simplifies scanning large number of images matching the wildcard pattern


Registry Scan Results

Total number of images in the repository

Total number of scanned images in the repository

Total numbe
vulnerable im
in the reposit



LAB 5

Scan Images in DockerHub Registry

Please consult pages 29-33 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 10 mins

Tutorial link on page 33


Securing Containers in the Runtime Environment

Containers – Attack Scenarios

• Threat actors accessing containers
  - SSH, Shell or logging into containers
  - Application vulnerability to spawn a shell into a container
• Resource abuse
  - Malicious container instantiation such as Crypto Miners
• Changing files to gain access
  - Modifying access keys (ssh authorized_keys)
  - Updating /etc/passwd or /etc/shadow files to create users or escalate privileges
• Unused binaries and libraries can be used to compromise containers
• Using networking methods
  - Maliciously access external or internal resources
  - Serve new malicious applications to external or internal resources


Manage the Attack Surface

• Scan running containers to identify attack surface (General Sensor)
• Detect drift, along with changes in OS and installed packages (General Sensor)
• Identify owners of containers and images
• Scan the underlying host (Qualys VMDR and PC)

[Figure: Deploy, then Runtime with the General Sensor performing Inventory, Scan, Drift Detection; Scan Sent to QCP]


Containerized Application Example

Dockerfile

# Base image
FROM tomcat:latest
# Copy the bodgeit.war application into Tomcat's webapps directory
COPY bodgeit.war /usr/local/tomcat/webapps
# Tomcat listens on port 8080
EXPOSE 8080
# Run Tomcat when container launches.
CMD ["catalina.sh", "run"]


Vulnerability Scanning

• Vulnerability detections use the same trusted Qualys Knowledgebase to provide a high accuracy / low noise set of vulnerability assessment findings.
• Provides detailed information on how to remediate vulnerabilities.
• Images scanned using a dynamic analysis method to reduce false positives.


Compliance Scanning
• Supports compliance scanning of OCI compliant images and running containers
• Requires General Sensor and CI/CD Sensor version 1.7.0 (or later) and Registry Sensor version 1.9.0 (or later) to perform compliance scanning of containers and images.
• Uses a subset of CIS Docker benchmark controls for compliance assessment.
• Provides compliance posture (PASS or FAIL) and control information.

Please reach out to your Qualys Technical Account Manager or Qualys Support to have this feature enabled for your subscription.


Control General Sensor Settings

Centrally configure and manage the following General sensor settings:
• Log settings
• Time window when the sensor will be dormant
• Data collection method for vulnerability assessment
• Indicate whether you want sensors to perform static vulnerability scanning as a fallback to dynamic vulnerability scanning for images without a shell


Search Vulnerable Images and Containers

Quickly search vulnerable images and containers

Quickly search non-compliant images and containers


Analyze Results
Identify vulnerable and misconfigured images

High level summary

Vulnerability posture

Compliance posture

Analyze Results
Identify the impact of a vulnerable image

Identify the compliance posture of the image.

Identify the risk/threat – vulnerability summary and details.

Identify the impact – summary of containers created from the vulnerable image.


Drift Containers
Containers breaking off from the “immutable” behavior

Find containers having drift software or vulnerabilities

• Contain vulnerabilities or software, not found in the image from which the container is spawned.
• Are considered abnormal behaviour and may indicate malicious activity
• Vulnerabilities associated with drift containers are classified as either New, Fixed or Varied
• Software associated with drift containers is classified as either New or Removed
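An added example, not from the Qualys slides and not how the Qualys sensor detects drift: file-level drift read from `docker diff`, which lists what a container's filesystem has added, changed or deleted relative to its image, checked against the file changes named under "Changing files to gain access" and the New/Removed software classes above. The watched paths, the category labels and the sample output are assumptions constructed for this sketch.

```python
import posixpath
import subprocess

# Files named in the attack scenarios, plus directories where an added or
# deleted file means the container's software set has changed.
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow"}
SSH_KEY_NAMES = {"authorized_keys"}
BINARY_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

# Constructed `docker diff` output: A = added, C = changed, D = deleted.
SAMPLE_DIFF = """\
C /etc
C /etc/passwd
C /root
A /root/.ssh
A /root/.ssh/authorized_keys
C /usr/local/bin
A /usr/local/bin/miner
C /usr/local/tomcat/logs
A /usr/local/tomcat/logs/catalina.log
C /usr/bin
D /usr/bin/curl
"""


def docker_diff(container):
    """Filesystem changes of a container relative to its image."""
    result = subprocess.run(["docker", "diff", container],
                            capture_output=True, text=True, check=True)
    return result.stdout


def parse_diff(text):
    """Turn `docker diff` output into (kind, path) tuples."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first space only, so paths containing spaces survive.
        kind, _, path = line.partition(" ")
        if kind not in ("A", "C", "D") or not path.startswith("/"):
            raise ValueError(f"unrecognised docker diff line: {line!r}")
        changes.append((kind, posixpath.normpath(path)))
    return changes


def classify(changes):
    """Label the changes that matter; category names are this sketch's own."""
    findings = []
    for kind, path in changes:
        parent, name = posixpath.split(path)
        if path in ACCOUNT_FILES:
            findings.append(("account-file-modified", path))
        elif name in SSH_KEY_NAMES:
            findings.append(("ssh-keys-modified", path))
        elif kind == "A" and parent in BINARY_DIRS:
            findings.append(("software-new", path))
        elif kind == "D" and parent in BINARY_DIRS:
            findings.append(("software-removed", path))
    return findings


if __name__ == "__main__":
    # Against a live host: classify(parse_diff(docker_diff("<container>")))
    for label, path in classify(parse_diff(SAMPLE_DIFF)):
        print(f"{label:24} {path}")
```

Log and temp-file writes show up in the same output, which is why the check matches specific paths instead of alerting on any change.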
Container Inventory
Overview Dashboard

Inventory & security posture widgets:
• Count of Images, Containers
• Containers by State
• Vulnerable Images
• Drift Containers

Personalize and add custom widgets


Custom Dashboard Example

Scenario
• Drift containers
• Drift + Root Privilege containers
• Drift + Root Privilege + Severity 5
Vulnerability containers

Solution
Custom widgets to track containers
matching above criteria

Query for Widget

vulnerabilities.severity:5 and isDrift:true and isRoot:true


LAB 6

Assess Containerized Applications

Please consult pages 34-42 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 15 mins

• “Assess Containerized Applications” tutorial on page 40
• “Dashboards” tutorial on page 42


Secure Images in AWS ECS Fargate

Scan Container Images in AWS Fargate (ECS)

• Get visibility into containers running on AWS Fargate
• Scan images launched by AWS Fargate Task (ECS)
• Take remediation action for Fargate resources that have high-risk vulnerabilities


How does it work?

[Figure: Fargate image scanning flow, steps 1 to 5. Labels: Deploy AWS Fargate Task; AWS Fargate; Fargate event; Amazon EventBridge; EventBridge Trigger; Qualys Lambda Function; AWS CodeBuild with Qualys Sensor; Source Image; Amazon Elastic Container Registry (ECR); Qualys Platform; Inventory, Scan, Vulnerability Detection]


Operationalizing Container Security for Fargate
Integration
• Create a CloudFormation stack to configure Qualys resources in AWS
• Create task definitions for application images and run tasks in ECS
• Verify Image scanning
• View vulnerability and compliance posture of the image along with container inventory on the Qualys Platform


Fargate Sensors


Fargate Inventory and Security Posture


LAB 7

Secure Images in AWS Fargate

Please consult pages 43-53 in the Lab Tutorial Supplement for instructions to perform this lab activity.
PLAY, 10 mins

Tutorial link on page 53


Summary

[Figure: Build, Ship and Run phases. Build: Code; CI Pipeline; Unprotected Image; CI Gate; Build Pass; CICD Sensor Scans Built Image; CI Plugin Pulls Scan Results; Qualys Cloud Platform (QCP); CI Plugin Tags Image: qualys_scan_target:<image_id>. Ship: Registry Sensor Scans Registry; CD Pipeline; Deploy scanned and approved Images. Run: General Sensor scans containers and detects drift; Runtime Scan Sent to QCP; Scan host using Cloud Agent]

Thank You!

Qualys Training Team, [email protected]

