Slim.AI Integrates Vulnerability Scanning in Container Platform – Container Journal

Slim.AI is expanding the security capabilities in its namesake container deployment platform and making it simpler to discover vulnerabilities in containers. In addition, Slim.AI is extending the platform’s ability to harden containers before they are deployed in a production environment.
Slim.AI adds a Multi-Scanner Vulnerability Reporting feature that enables IT teams to discover vulnerabilities using multiple container scanning tools.
Slim.AI CEO John Amaral says that capability is critical because it’s become apparent that not every container scanning engine discovers the same vulnerabilities. As a result, many organizations are now employing multiple container scanning engines to discover container vulnerabilities, he notes.
Collectively, in a single workflow, IT teams can slim down containers by removing unnecessary components. Doing so reduces the overall size of the attack surface; IT teams then scan the containers again to document the volume of threats that have been removed. That documentation capability is critical for any third party that may need to run those containers as part of a larger application running on a platform they manage, Amaral notes.
Slim.AI launched its namesake platform earlier this year. The platform makes use of machine learning algorithms to resize and optimize containers before they are deployed in a production environment using an open source DockerSlim tool the company created. Many of the containers that developers attempt to deploy in a production environment are larger than they need to be either because unnecessary code has been encapsulated or the code is inefficiently organized.
The company provides a software-as-a-service (SaaS) platform to host an instance of DockerSlim on the Amazon Web Services (AWS) cloud to enable DevOps teams to streamline container application development and deployment. As part of that goal, Slim.AI has been integrating its platform with a range of continuous integration/continuous delivery (CI/CD) platforms and container registries to make it easier to incorporate within existing DevOps workflows. The Slim.AI platform also automatically replaces containers that have known vulnerability issues as part of an effort to advance the adoption of DevSecOps best practices that shift more responsibility for application security toward application developers, says Amaral.
In theory, container applications should be more secure than legacy monolithic applications because it is easier to rip and replace containers than it is to patch an entire monolithic application. Slim.AI, however, is making a case for a platform that prevents insecure containers from being deployed in a production environment in the first place as part of an effort to improve container security posture.
It’s not clear how quickly AI will be applied to automate DevSecOps workflows. However, organizations that embrace DevOps are typically committed to ruthlessly automating IT to the fullest extent possible—and cybersecurity workflows should be no exception. The real challenge is gaining enough confidence in those AI platforms to trust the recommendations and actions being taken. At this point, however, it’s not a question of whether AI will be applied to DevSecOps workflows as much as it is to what degree, as DevOps teams continue to discover where manual processes end and machine-augmented ones begin.
Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.