The Whiteboard

Project Narrows: an Exciting Step Forward in Container Security

We continue to break new ground in the multi-cloud and cloud-native spaces, which feels incredibly satisfying. So, I’m still talking about the variety of multi-cloud and open source innovations we unveiled at VMware Explore US 2022 at the end of August (see last week’s blog on Project Trinidad for an example). This week, I wanted to share a bit about another project we announced at the conference – Project Narrows – that extends Harbor’s functionality and represents a significant advancement in the world of container security.  

In case you’re unfamiliar, Harbor is an open source, enterprise-class registry server that stores and distributes Docker images. Harbor has become an industry standard. It extends Docker functionality with role-based access control (RBAC), container image signing with Notary, policy-based replication, vulnerability scanning, and much more. It also allows storing and managing images for use with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

Until now, Harbor only performed static application security testing (SAST), meaning that it scanned for vulnerabilities in applications that were not yet running. This critical functionality allows development and DevOps teams to implement security earlier in the software development lifecycle, helping prevent vulnerabilities from making it into production. The problem with SAST is that its functionality ends at deployment: it cannot detect vulnerabilities in running applications. Since many vulnerabilities do not reveal themselves until they are in production, SAST leaves a significant gap. That’s where Project Narrows comes in. 

Project Narrows extends Harbor’s security by performing dynamic application security testing (DAST), allowing users to assess the application security posture of Kubernetes clusters in production. If an exploit occurs in a running container or if there’s a misconfiguration, Project Narrows will detect it, allowing teams to flag and quarantine the image where necessary.

This is a timely development since supply-chain security is a major industry focus, thanks in part to President Biden’s Executive Order on Improving the Nation’s Cybersecurity (see these posts for more). Because most enterprise software includes open source code, it is critical to identify hidden malicious code that is only exploited at runtime (and has the potential to end up running with the same trust and permissions as the rest of the approved application). Project Narrows tackles this problem head-on. 

As Senior Product Line Manager Natalie Fisher explained in a recent blog, we released the initial capabilities of Project Narrows on GitHub, calling it the Cloud Native Security Inspector (CNSI) Project. We are exploring opportunities to use it to enhance our Tanzu customers’ security posture and add deeper analytics with threat-intelligence feeds. Cutting-edge stuff.

To learn more, check out the demos of Project Narrows, as well as the VMware Explore On-Demand Breakout Session: Running App Workloads in a Trusted, Secure Kubernetes Platform [VIB1443USD]. Both the Advanced Technologies Group at VMware (which incubated Project Narrows) and I welcome your feedback. Let me know what you think about Project Narrows and the importance of DAST in the comments. 

Best,

Kit 
