Qualys QSC 2021: Shifting left to a secured cloud build pipeline

If there is a central message emanating from this year’s Qualys Security Conference (QSC) in Las Vegas, it is the company’s mission to provide exhaustive tooling designed to shift left in order to identify code and configuration vulnerabilities in the build pipeline before cloud/web application deployments are ultimately executed and pushed into production.

This is why the company has now provided Infrastructure-as-Code (IaC) security as a core capability in the Qualys CloudView application.

It’s clearly part of the whole ‘shift left’ rationale, which means full-stack cloud container security first… and then, deploy, safely… second.

As we have noted here, as Qualys now brings IaC scanning into its CloudView application, software application developers and their counterpart DevOps teams are now given tools to enable detection and remediation of misconfigurations early in the development cycle.

Unload unsafe workloads

If there were a show t-shirt design slogan, it might well read: 

Removing unsafe workload risk in the cloud build pipeline before production. 

This topic centralises around and emanates from the fact that more than ever now, cloud production dev shops are using IaC to deploy cloud-native applications and provision their cloud infrastructure… but (and this is where Qualys comes in) misconfigurations in that IaC layer are often detected post-deployment, which clearly creates a much larger attack surface and more vulnerable to exploits.

With all this as our backdrop, the Computer Weekly Developer Network tuned into day 2 of Qualys QSC to listen to the more extended product and platform workshops and presentations.

Once again Qualys handed its main stage first-of-the-day slot to a guest speaker. Scott Crawford, research director for information security at S&P Global Market Intelligence delivered a session entitled: Cybersecurity Trends: The Wake-Up Call That Was 2021.

Ransomware across supply chain

Crawford actually connected in remotely via video link, his central discussion revolved around the high impact attacks (ransomware in particular) that have played out across what he called ‘entire landscapes’, by which he means the complete IT supply chain.

“How are attackers achieving so much leverage with their attacks?,” asked Crawford. The answer comes down to the fact that attackers are finding exposed vulnerabilities that exist in a large number of organisations’ IT stacks.

Attackers are now also ‘coordinating across silos’ and using automation tools in a way that reflects the way automation advantages are being used in bona fide enterprise IT deployments. Crawford suggests that the best approach is to look for proactive tools … but for ransomware attacks that have actually been executed, it is the endpoint security tools level where attacks have sometimes been stopped, while, conversely and unfortunately, network security tools have typically been less effective.

As the endpoints out there spiral, the challenges are going to get bigger… a platform-level approach is the Qualys message designed to answer the challenge ahead.

Full-stack container security

Following up this intro, the audience were presented with an hour of full-stack container security deep dive delivered by Kong Yew Chan, director, product management for container security at Qualys – and Dilip Bachwani, senior vice president for engineering & cloud operations at Qualys.

Kong Yew Chan told the story of an insurance company that had installed a whole variety of tools over the years. It was using different tools to attempt to get a view over all its containers and get some kind of a hold over Container LifeCycle Management (CLCM).

In the whole build-ship-run process that describes the CLCM, there are lots of problems related to ‘registry hygiene’ in a set of containers being deployed. Kong Yew Chan explained how Qualys works to secure the container host and provide visibility for containers and hosts across multiple environments.

Drift detection

This means Qualys can detect drift along with changes in the Operating System (OS) and installed packages. The Qualys container census can create an inventory of container images and scan images in the registry… this helps to then purge stale images and drive towards a cleaner less vulnerable system.

The key takeaway here is the ability to secure containers on diverse container environments, this is shift left security movement from a single platform. Before also discussing Kubernetes security, Kong Yew Chan finished up with a live demo to provide a level of visual validation to back up the technology proposition being made here.

Towards microservices & containers

Dilip Bachwani spoke in this same session to explain the journey taken when transforming towards microservices and containers. This presentation initially told the story of Qualys itself, the company started transformation towards these technologies in 2016 for the Qualys cloud platform itself.

Of course the enterprise use of containers is all about the fact that we now have a new attack surface for a highly dynamic environment that is essentially ephemeral. This is arguably a pretty strong argument for moving an enterprise’s security posture left so that a more unified position can be achieved, all with a single pane view of any vulnerabilities that might exist across the cloud, the datacenter and across containers.

Bachwani talks about a total process here, wihch the company has productised and branded as the Qualys Container Security Lifecycle.

If container security does shift left into the build pipeline, then we can get to the kind of complaint and secure operational futrure that we need as global economic players.