VMware Explore 2022 News

Dynamic Security Scanning for Containers — Announcing Project Narrows

Today, platform administrators around the globe are choosing Harbor as their open-source cloud native registry. Harbor can store, scan, and sign content as a critical tool in your agile software supply chain for Cloud Native workloads.

VMware is excited to announce the availability of Project Narrows. Project Narrows introduces a unique addition to Harbor, allowing end users to assess the security posture of Kubernetes clusters at runtime. Previously undetected images will be scanned when they are introduced to a cluster, so vulnerabilities can now be caught, images flagged, and workloads quarantined.

Get to know Project Narrows

Platform Administrators currently utilize Harbor to provide static analysis of vulnerabilities in images using scanners, such as Trivy, Clair, and/or ArkSec. Static analysis tools only scan images after an action has been completed, such as an update or addition to the container. A static analysis scan detects potential threats, but an image can pass static scanning and have undetected runtime risks.

Adding dynamic scanning to your software supply chain with Harbor, as Project Narrows does, is critical. It allows greater awareness and control of your running workloads than the traditional method of simply updating and storing workloads.

Harbor will allow dynamic scanning of workloads during runtime, which enables:

  • Immediate awareness of a runtime vulnerability that was undetectable while the container was in a static state
  • Stopping an attack in progress while a workload is running
  • Mitigating relevant security exploits at runtime without having to kill the container
  • Discovering exploits in more complex and distributed applications and services
  • Identifying multi-step and supply chain attacks

Supply chain risks often go unnoticed by vendors who are unaware that their applications or updates are infected with malicious code. This malicious code is passed to the end user/customer unknowingly. Malicious code that would only be exploited at runtime will run with the same trust and permissions as the rest of the approved application.

Figure 1: Current Project Narrows architecture

Project Narrows architecture (Figure 1) integrates with Harbor and creates a plugin (shaded in pink) for the Kubernetes cluster to have runtime awareness and dynamic scanning. Using a simple UI or CLI (Command Line Interface) you can do the following:

  • View overall security posture of applications in runtime
  • Create policies and bug scanning jobs
  • Revise baseline policies as needed and prevent redeploying workloads sourced from vulnerable images
  • Set up a policy to quarantine non-secure workloads
  • Review, filter, and remove policy reports
  • Generate assessment reports with every scan
  • View notifications about flagged pods

What’s Next?

We are thrilled to open source the initial capabilities of Project Narrows on GitHub as the Cloud Native Security Inspector (“CNSI”) Project. We look forward to engaging with the Cloud Native community, getting feedback, and learning how people want to adopt and use these capabilities.

For Project Narrows, we will begin exploring opportunities to enhance our Tanzu customers’ security posture and add deeper analytics by using and accessing threat intelligence feeds, such as AIS, InfraGard, and SANS Internet Storm Center. Adding threat intelligence feeds will help you proactively mitigate and address potential attacks while spending less time sifting through data to identify already recognized threats.

To learn more and see further demos of Project Narrows, please check out our VMware Explore On-Demand Breakout Session: Running App Workloads in a Trusted, Secure Kubernetes Platform [VIB1443USD]

If you’re interested in working with us more closely, please email us at narrows@vmware.com to discuss the possibility of becoming an early beta customer or other potential partnership opportunities.

